Privacy & security

How to Handle Sensitive PDFs More Safely

A plain-language threat model for contracts, identity documents, medical records, and other sensitive PDFs processed in a browser.

Illustrated cover for How to Handle Sensitive PDFs More Safely

“Secure PDF” can mean several different things: keeping a file off a third-party server, removing information before sharing, encrypting a saved copy, or controlling who can access the folder around it. No single button solves all four. A sensible workflow begins with the people and systems you are protecting the document from.

QuickMerge’s core document tools run in the browser and do not upload the selected file to a QuickMerge processing server. That reduces one important exposure, but the browser, device, download folder, extensions, cloud sync, and recipient still matter. This guide gives you a practical threat model instead of a blanket promise.

In brief
  • Local processing reduces server exposure but does not secure a compromised device.
  • Redaction and encryption solve different problems.
  • Downloads and synced folders deserve the same care as uploads.
  • Verify the exact file you send.

Start with a small threat model

Ask four questions: What information would cause harm if exposed? Who should be able to see it? Where will copies exist? How long should they remain? A résumé needs different controls from a passport scan; a public report with two private account numbers needs different treatment from a confidential contract.

Then identify the weakest step. It may be an online converter, but it may also be a shared family computer, an unencrypted email attachment, a browser extension with broad file access, or a downloads folder automatically synchronized to a workplace cloud account.

What local browser processing does—and does not—protect

With client-side processing, JavaScript reads the file into the tab’s memory and creates the result on your device. There is no conversion upload or server-side queue. That avoids retention policies and breach risk at a processing provider. You can verify the general behavior with browser developer tools if you are comfortable inspecting network requests.

Local processing cannot protect a device already infected with malware, a malicious extension, a screen recording, an unlocked computer, or an insecure destination. Use a maintained browser, remove unnecessary extensions, apply operating-system updates, and avoid public or borrowed devices for sensitive records.

Redaction is not the same as covering text

A coloured rectangle placed over a name may leave the original text underneath. Recipients can sometimes select, copy, search, or extract that content. A safer sharing copy removes or flattens what is beneath the mark. QuickMerge’s Redact PDF tool creates rasterized pages with the selected areas covered, so the original text objects are not carried into the output.

Rasterization has trade-offs: text may no longer be selectable, accessibility can decrease, and quality depends on the rendered resolution. Keep the controlled original, review every page of the redacted output, and never assume a visual black box is sufficient without testing.

Encryption controls opening, not onward sharing

Password protection can deter unauthorized opening of the saved file. Use a long, unique password and send it through a different channel from the document. Do not place the password in the same email thread. The Protect PDF tool can create a protected copy locally, but once an authorized recipient opens a document, they may still save screenshots or make another copy.

Encryption also does not remove metadata or private pages. Use the PDF Metadata tool to inspect document properties, and perform redaction before protection. Protecting first can interfere with later processing and does not make hidden content disappear.

Control the downloaded result

Rename the output clearly, move it out of Downloads, and check whether the folder syncs to OneDrive, Google Drive, iCloud, or a workplace backup. Delete temporary copies only after confirming the final file is intact. Emptying the recycle bin may not immediately remove cloud versions or backups; follow your organization’s retention policy for regulated data.

When sending, verify the address, the attachment name, and the permission settings on any shared link. Expiring links and recipient-specific access can be safer than permanent public links, but they depend on the sharing provider’s configuration.

A safer order of operations

  1. Work from a trusted, updated device.
  2. Duplicate the original into a controlled working folder.
  3. Remove unnecessary pages and inspect metadata.
  4. Redact sensitive regions and verify the flattened output.
  5. Compress only if the delivery channel requires it.
  6. Password-protect the final sharing copy where appropriate.
  7. Send the password separately and clean up temporary copies.

Final checklist

  • The device and browser are trusted and updated.
  • Unneeded pages and metadata were reviewed.
  • Redactions were tested for copying and searching.
  • Password and file use separate channels.
  • The download folder and cloud sync are understood.
  • Recipient and attachment were double-checked.
Mehran, founder of QuickMerge

Written and reviewed by Mehran

Founder of QuickMerge. Mehran writes practical guides around the real behavior and limits of the tools. Connect on LinkedIn.