Security

Overview

Security is a core priority at PDF99. We design systems to protect user data and services using industry best practices, layered defenses and continuous monitoring. This page summarises our approach and where to engage for security-related inquiries.

Secure architecture & design

We follow a defense-in-depth approach: network segmentation, least-privilege access, encryption in transit and at rest, and separation of client-side and server-side processing where possible (local-first design).

Encryption

• In transit: All network communications use HTTPS/TLS (current recommended protocols and ciphers).
• At rest: Sensitive data and server-side files are stored encrypted using strong encryption algorithms. Key management follows best practices and access is tightly controlled.

Access control & identity

We implement role-based access control (RBAC) for internal systems, enforce multi-factor authentication (MFA) for privileged accounts, and rotate credentials regularly. Production access is limited and audited.

Secure development lifecycle

Security is integrated into our development lifecycle: code reviews, static analysis, dependency scanning, and pre-production testing. We patch dependencies promptly and maintain a vulnerability triage process.

Vulnerability disclosure & bug bounty

We welcome responsible disclosure. Please report security issues to [email protected] with steps to reproduce, affected resources, and an optional safe test file. If you prefer, we may publish a bug bounty program details in the future. We ask researchers to avoid disruptive testing and to follow coordinated disclosure principles.

Incident response

We maintain an incident response plan that includes detection, containment, eradication, recovery and post-incident review. If an incident affects user data, we will notify affected users and regulatory authorities as required by law, providing relevant details and remediation steps.

Logging, monitoring & alerting

We collect minimal operational logs for security and performance monitoring. Logs are protected, access-controlled, and retained according to internal retention policies. We employ automated alerting for suspicious activity and anomalies.

Backups & resilience

Critical systems have automated backups stored securely and tested periodically. We design for availability and graceful degradation to reduce impact from outages.

Third-party security

We use reputable third-party providers for hosting, CDN, analytics and monitoring. We assess vendors for security posture and require contractual commitments around data protection and incident cooperation.

Penetration testing & audits

We engage periodic third-party penetration testing and security assessments. Findings are prioritized and tracked to resolution. Where applicable, we obtain SOC/ISO/other attestations from cloud vendors used in our stack.

Data minimization & local-first processing

To reduce risk we process files locally in the browser when feasible. Server-side processing is used only when necessary; uploaded files are retained for the minimum time required for processing and maintenance.

Privacy & compliance

Security practices work in tandem with our Privacy & Security policy to meet obligations under applicable law (e.g., GDPR). For privacy-specific questions, see our Privacy page or contact [email protected].

How to report security issues

Report vulnerabilities and incidents to [email protected]. For legal or urgent matters you can also use the Contact page. Please include:

• A short description of the issue
• Steps to reproduce and evidence (logs, screenshots, test files)
• Your contact details (for follow-up)

We aim to acknowledge reports within 48 hours and provide status updates as investigations proceed.

Limitations

No system is completely secure. We continuously work to reduce risk but cannot guarantee absolute security. Avoid uploading extremely sensitive personal information unless you have additional safeguards.

Contact & updates

For security questions or to report issues, email [email protected]. We may update this page as practices evolve - effective date below indicates the latest revision.

Effective date: October 1, 2025