Trust
Security
How we protect the files you upload and the keys we hold.
Files in transit
Uploads and downloads use presigned URLs to Cloudflare R2 over HTTPS — your bytes never traverse our application servers. Each presigned URL is valid for 15 minutes and is single-purpose (read-only for downloads, write-only for uploads).
Files at rest
Files are stored in Cloudflare R2 with provider-managed encryption at rest. Tool inputs and outputs are deleted on a fixed schedule:
- Free tier: 60 minutes after the job finishes.
- Pro tier: 15 minutes after the job finishes.
- Abandoned uploads: within 60 minutes.
The sweep runs every 10 minutes via Celery beat. Each deletion is stamped on the Job row so the dashboard's audit log can show users proof their bytes left storage.
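A sketch of the sweep logic described above, added here as an example and not taken from pditor's code base. The `Job` dataclass, the `delete_object` callback, the way abandoned uploads are timed and the fallback for unknown tiers are assumptions, and the sample jobs are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Retention windows stated on the page, keyed by tier.
RETENTION = {"free": timedelta(minutes=60), "pro": timedelta(minutes=15)}
# Assumption: an abandoned upload is one that never finished, timed from creation.
ABANDONED = timedelta(minutes=60)

@dataclass
class Job:  # hypothetical stand-in for the Job row
    key: str
    tier: str
    created_at: datetime
    finished_at: Optional[datetime] = None
    deleted_at: Optional[datetime] = None

def deadline(job):
    if job.finished_at is None:
        return job.created_at + ABANDONED
    # Assumption: an unrecognised tier gets the shortest window, not indefinite storage.
    return job.finished_at + RETENTION.get(job.tier, min(RETENTION.values()))

def sweep(jobs, now, delete_object):
    """One sweep pass; returns the keys removed from storage in this pass."""
    removed = []
    for job in jobs:
        if job.deleted_at is not None or now < deadline(job):
            continue
        try:
            delete_object(job.key)
        except Exception:
            continue  # no stamp without a successful delete; the next pass retries
        job.deleted_at = now  # audit stamp records a deletion that really happened
        removed.append(job.key)
    return removed

def demo():
    """Constructed sample: four jobs, sweeps at +20, +30, +60 and +70 minutes."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    at = lambda minutes: t0 + timedelta(minutes=minutes)
    jobs = [Job("pro-a", "pro", t0, at(5)), Job("flaky", "pro", t0, at(5)),
            Job("free-a", "free", t0, at(5)), Job("abandoned", "free", t0)]
    failed = set()
    def delete_object(key):  # simulated storage call: "flaky" times out once
        if key == "flaky" and key not in failed:
            failed.add(key)
            raise ConnectionError("storage timeout")
    return [sweep(jobs, at(n), delete_object) for n in (20, 30, 60, 70)], jobs
```

In this model a failed delete leaves the row unstamped, so the object stays in storage past its deadline until a later pass succeeds, and the audit stamp never claims a deletion that did not happen.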
PDF passwords
Protect-PDF uses AES-256 encryption with the owner-password permissions you select. The Unlock tool only decrypts PDFs you already have the password for — no brute-force, no rainbow tables.
Passwords you type into the Protect or Unlock form are passed in-memory to our compute layer and never persisted to disk or the database.
Provider credentials
AI provider keys (DeepSeek, OpenRouter, Anthropic, OpenAI) live in an encrypted vault inside Postgres. Keys are sealed with a per-deployment master password; the admin UI requires a separate reveal password before plaintext is ever shown — defence in depth against compromised admin sessions.
Authentication
Accounts are managed via django-allauth with email + password by default. Session cookies are set with the HttpOnly and Secure flags. Billing is delegated to LemonSqueezy as merchant of record — we never see your card number.
Responsible disclosure
Found a vulnerability? Email security@pditor.com. We respond within one business day, fix critical issues within seven days, and credit reporters in the changelog.
Out of scope: rate-limit bypasses on anonymous endpoints (intentional — quotas live on Pro accounts), social-engineering attacks on our team, denial-of-service tests against the public site.