Overview
Self-Hosted Deployment Note: If your organization has deployed Penfield in a self-hosted model (where the Penfield application is hosted on your corporate infrastructure), the Privacy service will communicate directly with your self-hosted Penfield backend, not with Penfield's hosted backend. The communication endpoint is determined by where your Penfield application is deployed.
This guide walks you through obtaining the Privacy Service package from Penfield, verifying it, installing it on a Windows server, opening the required port, and validating the deployment from a client machine.
Prerequisites
Before you start, confirm that:
- Server requirements for your environment are met (see your deployment checklist).
- You have administrator access on the Windows server where the service will run.
- You have received the Penfield Privacy Service application package from Penfield (see below).
Obtain the installation package
Contact Penfield support to obtain the Privacy Service installation package. Penfield typically provides:
| File | Purpose |
|---|---|
offline-service-ocr.zip | Privacy Service installation package |
offline-service-ocr.zip.sha256 | SHA256 hash for package verification |
test.jsonl | Test data file (used for validation) |
validate_privacy_service.py | Validation script (used for validation from a client machine) |
Verify package integrity
Before installation, confirm the ZIP file is intact and matches the hash Penfield provided.
-
Download both files into the same folder (for example your Downloads folder):
offline-service-ocr.zipoffline-service-ocr.zip.sha256
-
Open the
.sha256file in Notepad (right-click → Open with → Notepad). Note the hash string (for examplea3f8b9c2d1e4f5...) and keep it for comparison. -
Open PowerShell and go to the folder that contains the ZIP file, for example:
cd $HOME\Downloads -
Compute the SHA256 hash of the ZIP:
Get-FileHash -Path ".\offline-service-ocr.zip" -Algorithm SHA256 -
Compare the hash from the
.sha256file with the Hash value printed by PowerShell. They must match exactly.
| Outcome | What to do |
|---|---|
| Hashes match | Continue with extraction and installation. |
| Hashes do not match | Do not install. The file may be corrupted or the wrong build. Re-download the ZIP from Penfield; contact Penfield support if the problem continues. |
Extract the package
- In File Explorer, go to the folder that contains
offline-service-ocr.zip. - Right-click
offline-service-ocr.zip→ Extract All… - Set the destination to the drive root, for example:
C:\ - Confirm extraction. Files should appear under
C:\offline-service-ocr\ - Click Extract and wait until extraction finishes.
Run the installation
-
Open PowerShell (press the Windows key, type
PowerShell, open Windows PowerShell). -
Change to the extracted folder:
cd C:\offline-service-ocr -
Run the installer:
.\deployment\windows\install-service.bat -
Wait until the script finishes (often about 5–10 minutes). The script installs dependencies and configures the service. Do not close the PowerShell window while it runs. You should see progress output in the window.
Verify installation on the server
After installation completes, confirm the service is listening and reports ready.
Ready endpoint
curl.exe -s http://127.0.0.1:3000/ready
You should see a JSON response such as {"ready":true} or another success-style message.
Listening port
netstat -ano | findstr :3000
You should see a line showing LISTENING on port 3000.
Firewall configuration
The Windows server must allow inbound TCP traffic on port 3000 so clients can reach the Privacy Service.
Option A: PowerShell rule
Run in an elevated PowerShell (Run as administrator):
netsh advfirewall firewall add rule name="Penfield Privacy Service" dir=in action=allow protocol=TCP localport=3000
Option B: Windows Firewall UI
- Open Windows Defender Firewall with Advanced Security.
- Inbound Rules → New Rule…
- Port → TCP → Specific local ports:
3000 - Allow the connection
- Apply to Domain, Private, and Public as required by your policy.
- Name the rule, for example:
Penfield Privacy Service - Finish the wizard.
Validate from a client machine
Run these steps from a machine that can reach the Privacy Service server on port 3000 (not necessarily the server itself).
Prerequisites on the test machine
- Network path to the Privacy Service host on port 3000
- Python 3 installed
validate_privacy_service.pyandtest.jsonl(same files Penfield provided with the package or from your Penfield SharePoint folder), saved in the same directory
Steps
-
Copy
validate_privacy_service.pyandtest.jsonlto a folder on the test machine. -
Open a terminal and go to that folder:
cd /path/to/test/filesOn Windows Command Prompt or PowerShell, use the path style that applies to your machine, for example:
cd C:\path\to\test\files -
Run the validation script. Replace
<IP_of_Privacy_Server>with your server’s IP or DNS name:python3 validate_privacy_service.py "test.jsonl" \
--base-url "http://<IP_of_Privacy_Server>:3000" \
--line 1Example:
python3 validate_privacy_service.py "test.jsonl" \
--base-url "http://192.168.1.100:3000" \
--line 1 -
Confirm the script completes without errors and reports successful processing.
Service logs on the server
On the Windows machine where the Privacy Service is installed:
-
Open:
C:\Users\<YourUsername>\Downloads\PrivacyService\logs\(Adjust
<YourUsername>to your Windows account. If logs were configured elsewhere, use the path your administrator provided.) -
Open
privacy-service.txtand confirm entries show that requests were received and processed.
Additional notes
- Python on the server: The standard packaged install uses
install-service.batand does not require you to install Conda or runpython main.pymanually on the server. Python 3 is required only on the client used forvalidate_privacy_service.py, unless your organization uses a different validation process. - Stopping the service: Use Windows Services (
services.msc) or your IT runbook for the Privacy Service Windows service, or follow instructions from Penfield support.