Seller proof redaction guide
Prepare revenue, analytics, ownership, and transfer artifacts for buyer review without exposing unnecessary customer data, payment details, credentials, or unrelated account information.
Redaction should protect privacy without hiding the claim.
A useful proof artifact keeps the source, date range, product context, and relevant metric visible while removing private customer, payment, credential, and unrelated account data.
Before sharing proof
Treat every artifact as a diligence exhibit. The goal is enough context for a serious buyer to evaluate the claim without broad exposure of sensitive data.
- Share the smallest artifact that proves the specific claim being discussed.
- Keep unredacted originals available privately for later controlled diligence if needed.
- Label each artifact as a source export, screenshot, seller summary, or third-party document.
- State the date range, account, product, and metric shown in each proof artifact.
- Avoid sending credentials, private keys, customer exports, or secret configuration files.
Revenue and payment proof
Redact before sharing
- Customer names, emails, addresses, card details, bank details, and tax IDs.
- Full payment IDs, payout IDs, invoice IDs, and unrelated account balances.
- Other products, accounts, or revenue streams not included in the sale.
Keep visible when possible
- Gross revenue, net revenue, fees, refunds, chargebacks, payout totals, and date ranges.
- Product, app, store, or account context that connects the proof to the listing.
- Export timestamps or report periods with private identifiers removed.
App store, SaaS, and analytics proof
Redact before sharing
- User names, emails, device identifiers, IP addresses, support transcripts, and session recordings.
- Store account owner details, developer tax records, banking pages, and unrelated apps.
- Private dashboard areas that reveal unrelated products, secrets, staff activity, or private URLs.
Keep visible when possible
- Downloads, active users, subscribers, churn, retention, traffic, conversion, ratings, and date ranges.
- App, package, bundle, product, or domain context that ties the artifact to the asset for sale.
- Notes explaining whether each number is source export, screenshot, or seller summary.
Technical and transfer proof
Redact before sharing
- API keys, OAuth secrets, private keys, SSH notes, passwords, recovery codes, and secret JSON.
- Database URLs, environment variables, customer data, vendor billing data, and private incident notes.
- Security details that need controlled disclosure instead of broad distribution.
Keep visible when possible
- Repository ownership status, commit activity, deployment process, hosting provider, and domain context.
- Transfer blockers and notes on which accounts can transfer directly versus requiring buyer recreation.
- Credential handoff sequencing, with actual secrets deferred until the agreed transfer stage.
Escalate before sharing
- Customer personal data or regulated healthcare, financial, education, or child-related information.
- Active credentials, signing certificates, private keys, seed phrases, recovery codes, or production database access.
- Security incident details, vulnerability reports, legal disputes, tax records, contractor agreements, or employee information.
- Buyer requests for raw exports, direct admin access, or account ownership changes before the transaction process supports them.
Frequently asked questions
Should sellers ever keep unredacted originals?
Yes. Sellers should retain originals privately so a qualified diligence process can review them later if required. The public or early buyer-facing artifact should remove unnecessary private data.
What should a redacted proof artifact still show?
It should still show the source, date range, relevant product or account context, and the metric needed to support the listing claim. Redaction should remove private data without making the claim impossible to evaluate.
Can sellers share credentials to speed up diligence?
No. Credentials, private keys, recovery codes, and production access should not be shared casually. Access should follow the agreed diligence or transfer sequence, with secrets rotated where appropriate.