Security

1. Our Security Philosophy

At LittlePDF, security is not an afterthought -- it is a foundational design principle. We built our architecture around a simple premise: the most secure file is the one that never leaves your device. By processing PDFs directly in your browser whenever possible, we eliminate entire categories of risk -- server-side breaches, data exfiltration, and unauthorized access to your documents.

2. Security at a Glance

3. Client-Side Architecture

LittlePDF's core tools -- merge, split, compress, rotate, reorder pages, add watermarks, and more -- are built with pdf-lib and run entirely within your browser's JavaScript runtime. This means:

• Files are read into browser memory using the File API and never transmitted over the network.
• All transformations happen locally using WebAssembly and JavaScript -- no server round-trips.
• Output files are generated in-memory and provided as a download link via Blob URLs.
• Closing the browser tab releases all file data from memory. No traces are left on disk.

Each tool page clearly indicates whether it uses client-side or server-side processing with a visible privacy badge, so you always know where your data is being handled.

4. Server-Side Security

For features that require server-side processing (AI-powered OCR, complex format conversions), we enforce strict security controls:

• Encrypted upload -- Files are transmitted using TLS 1.3 with forward secrecy.
• Isolated containers -- Each processing job runs in a dedicated, ephemeral container with no shared storage or network access to other workloads.
• Immediate deletion -- Input and output files are purged from memory and storage as soon as the processed result is delivered to you, typically within seconds.
• No logging of content -- We log metadata (file size, processing duration, tool used) for monitoring and debugging, but never the content of your files.
• Provider agreements -- Third-party AI providers (e.g., Mistral for OCR) operate under data processing agreements that prohibit data retention and use for model training.

5. Authentication & Account Security

User authentication is managed through Supabase Auth with the following security measures:

• Passwords are hashed using bcrypt with per-user salts. We never store plaintext passwords.
• OAuth 2.0 support for Google and GitHub sign-in, reducing password-related risk.
• Session tokens are short-lived JWTs with automatic refresh, stored in HTTP-only cookies to prevent XSS attacks.
• Rate limiting on authentication endpoints to prevent brute force attacks.
• Account lockout after repeated failed login attempts with email-based recovery.

6. Infrastructure Security

Our infrastructure is designed for resilience and security:

• Hosted on Vercel's edge network with automatic DDoS protection and global CDN distribution.
• Database services run on Supabase with Row Level Security (RLS) policies enforced at the database layer.
• All internal service communication is encrypted and authenticated.
• Environment secrets are managed through encrypted vaults -- never committed to source code or exposed to client-side bundles.
• Automated dependency scanning for known vulnerabilities in third-party packages.

7. Payment Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We never receive, process, or store full credit card numbers. Payment details are collected via Stripe's hosted payment elements, which are isolated in a secure iframe and communicate directly with Stripe's servers. Our systems only receive tokenized payment references and billing metadata.

8. Compliance & Certifications

We are committed to meeting industry-recognized security standards:

• SOC 2 Type II -- Currently in progress. We are working toward SOC 2 Type II certification for our server-side processing infrastructure, with an expected completion in Q4 2026.
• GDPR -- We comply with the General Data Protection Regulation. Users may exercise their data rights as described in our Privacy Policy.
• CCPA -- We comply with the California Consumer Privacy Act. We do not sell personal information.
• PCI DSS -- Payment processing is fully delegated to Stripe (PCI DSS Level 1 certified). No cardholder data touches our infrastructure.

9. Incident Response

In the unlikely event of a security incident, we follow a structured response process:

• Identification -- Automated monitoring and alerting systems detect anomalies in real time.
• Containment -- Affected systems are isolated immediately to prevent further exposure.
• Investigation -- Our engineering team conducts a thorough root cause analysis.
• Notification -- Affected users are notified within 72 hours of confirmed incidents, in compliance with GDPR requirements.
• Remediation -- Vulnerabilities are patched, and preventive measures are implemented to avoid recurrence.
• Post-mortem -- A detailed incident report is produced internally and, where appropriate, shared publicly.

10. Employee Access Controls

Access to production systems is tightly controlled:

• All team members use multi-factor authentication (MFA) for internal systems.
• Access is granted on a need-to-know basis following the principle of least privilege.
• No employee has direct access to user files -- our architecture is designed to make this technically impossible for client-side tools and operationally prohibited for server-side tools.
• Access logs are maintained and reviewed regularly. Privileged access requires approval from at least two team members.

12. Security Updates

We continuously monitor for new vulnerabilities and apply security patches promptly. Our dependency tree is scanned automatically on every deployment, and critical patches are applied within 24 hours of disclosure. This page is updated whenever we make material changes to our security practices.

Related Policies