The easy way to build this was wrong
When we started building ShieldDrop, the obvious technical path was the one every other legal SaaS takes: upload the file to a server, process it, send it back, delete the server copy. Easy to build. Easy to scale. And completely wrong for attorneys.
Here is the problem with that approach: the moment a client document touches a third-party server, you have created a confidentiality question. It does not matter that the company promises to delete it. It does not matter that they encrypt it in transit. Under ABA Model Rule 1.6 and formal opinions in dozens of jurisdictions, the transmission itself is the event that requires analysis. You are outsourcing custody of privileged material to a company whose business model has nothing to do with protecting your clients.
Most legal tech companies answer this with a privacy policy. We answered it with architecture.
What “zero-retention” actually required us to build
Metadata scrubbing at a forensic level — removing author names, GPS coordinates, tracked changes, revision history, hidden comments from 200+ file types — is genuinely complex. Doing it inside the user's browser, without ever touching a server, is significantly harder.
We had to rewrite core processing logic using WebAssembly to run at browser-native speed. We had to architect every tool — transcription, AI analysis, document generation, redaction — to operate on data that never leaves the attorney's machine. We had to build an authentication and billing layer that works without us ever seeing the underlying document.
It took roughly twice as long as the conventional approach. But the result is something meaningful: ShieldDrop cannot leak your client files because we never receive them. That is not a policy choice. It is a technical constraint we deliberately engineered into the platform.
Why attorneys specifically need this
There is a reason attorneys are the one professional class that has not collectively surrendered to the surveillance economy. Attorney-client privilege is not a preference — it is a legal duty. Breach it, even inadvertently, and you face bar complaints, malpractice exposure, and the kind of client trust damage that does not recover.
The metadata risk is real and underappreciated. In 2003, a Word document submitted by the UK government to make the case for the Iraq War was found to contain hidden tracked changes and revision history revealing the document had been fabricated. In 2017, a firm inadvertently disclosed negotiating strategy in metadata attached to a settlement agreement. These are not edge cases. They are what happens when you use general-purpose tools for privileged work.
ShieldDrop was built specifically for this problem. Not as a checkbox compliance tool, but as infrastructure-level protection for every document that leaves your office.
What we gave up to get here
We want to be honest about the trade-offs. Because we never see your files, we cannot offer cloud sync across devices for document processing. Because we do not run behavioral analytics, we have less data about how attorneys use our tools. Because we built for privacy first, some features that would have been easy on a conventional architecture were simply not options for us.
We think those are the right trade-offs. And we think you — as an attorney bound by professional duties most software companies have never heard of — deserve to know exactly what we built and why.
The promise, in plain language
ShieldDrop never sees your files. We collect only your email address and subscription status so you can log in and we can bill you. We do not track you, profile you, sell your data, or share anything with advertisers or third parties. Ever.
That is the entire privacy policy. We kept the legal version short enough to read in under two minutes — because we believe attorneys deserve to actually understand what they are agreeing to.