Let's say I have two machines, A and B, on the public internet (not an intranet).
Machine A has a web server that hosts unencrypted images of confidential documents.
Machine B hosts an ASP.net or Java servlet page for allowing manipulations of those images.
The URL of media on Machine A can be passed to the page on Machine B, which can then manipulate the image.
How can Machine B provide a guarantee that it does not retain any of the confidential information being passed to it from Machine A?
I don't think there's any way to guarantee that. With deniable encryption, if they went public with a document you could plausibly deny having ever sent it.
But I can't think of any way of technologically forcing them to destroy the document after doing processing.
If Machine B has to have access to an unencrypted version of the documents from Machine A, and Machine A cannot trust the code running on Machine B, I can't think of any way to guarantee to Machine A that Machine B has destroyed all copies of what was sent it.