Security

Last updated: June 2026

Our Security Commitment

At PDFFlow, we take security seriously. Your PDFs are your property, and we never touch them.

1. Client-Side Processing

All PDF processing happens in your browser, not on our servers:

  • Your files never leave your device during processing
  • PDFFlow runs entirely in JavaScript in your web browser
  • We cannot access or read your files
  • Maximum security through architectural isolation

2. File Encryption

When files are temporarily stored (very rare):

  • All data in transit uses HTTPS with TLS 1.2+ encryption
  • Temporary files are encrypted at rest
  • Encryption keys are rotated regularly
  • We never decrypt or inspect file contents

3. File Deletion Policy

Your files are deleted automatically:

  • Temporary files are deleted within 2 hours of upload
  • Completed/downloaded results are immediately purged
  • Automatic batch deletion jobs run every hour
  • No manual recovery possible—complete data removal

4. HTTPS & Transport Security

All connections are encrypted:

  • 100% HTTPS on all pages
  • TLS 1.2 minimum (TLS 1.3 preferred)
  • No HTTP fallback allowed
  • Certificate pinning for critical connections

5. XSS & Injection Prevention

Protected against common web attacks:

  • Content Security Policy (CSP) headers enabled
  • Input sanitization for all user-generated content
  • Template escaping and auto-encoding
  • No eval() or dangerous DOM manipulation

6. File Type Validation

Strict validation of uploaded files:

  • Client-side file type checking (PDF only)
  • Server-side MIME type validation
  • Magic byte verification
  • Rejection of suspicious or corrupted files

7. Rate Limiting & DDoS Protection

Protected against abuse:

  • IP-based rate limiting to prevent abuse
  • Cloudflare DDoS protection
  • Automatic blocking of suspicious traffic patterns
  • Request validation and throttling

8. Security Headers

Comprehensive HTTP security headers:

  • X-Frame-Options: DENY (prevents framing attacks)
  • X-Content-Type-Options: nosniff (MIME sniffing prevention)
  • Strict-Transport-Security: max-age=31536000 (HSTS)
  • Content-Security-Policy: strict policy

9. Regular Audits

We stay secure through continuous monitoring:

  • Monthly security reviews
  • Dependency vulnerability scanning
  • Third-party security audits (annually)
  • Immediate patching of discovered vulnerabilities

10. What We Don't Do

Transparency—things PDFFlow never does:

  • ❌ We never read or analyze your file contents
  • ❌ We never store your PDFs long-term
  • ❌ We never share files with third parties
  • ❌ We never use your files for machine learning or training
  • ❌ We never require personal information

11. Bug Bounty

Found a security issue? We appreciate responsible disclosure. Please report vulnerabilities to security@pdfflow.io rather than disclosing them publicly.

12. Contact Security Team

Questions or concerns? Email us at security@pdfflow.io