Skip to content

Security

Last updated: April 13, 2026

We take security seriously. This page summarises how pdfs.build — operated by Brilliminds FZC (License No. 4306832) in the Sharjah Publishing City Free Zone, United Arab Emirates — protects the data you entrust to us.

Encryption in transit

All traffic between your browser, our servers, and our content delivery network is encrypted with TLS 1.2+. HTTPS is enforced on every subdomain (landing, application, APIs, CDN). We apply HTTP Strict Transport Security (HSTS) with a two-year max-age and includeSubDomains, so modern browsers refuse to downgrade to plain HTTP.

Encryption at rest

Application data is stored in a PostgreSQL database with full-disk encryption enabled at the infrastructure layer. Uploaded assets (images, fonts, custom brand files) are stored in Cloudflare R2, which encrypts all objects at rest using AES-256. Backups are encrypted using the same mechanisms as the primary stores.

Authentication & account security

Authentication is handled by Better Auth with the following controls:

  • Password credentials are hashed using industry-standard algorithms — we never store plaintext passwords.
  • Sessions are carried by HTTP-only, Secure, SameSite cookies that are not accessible to JavaScript.
  • CSRF protection is enforced on all state-changing requests.
  • Social login is available via Google and GitHub OAuth 2.0; you can enable the identity provider's 2FA to protect your pdfs.build account.
  • Rate limits are applied to authentication and sign-up endpoints to mitigate brute force and credential stuffing.

Payment security (PCI DSS)

All payments are processed by our Merchant of Record, Paddle, which is certified to PCI DSS Level 1 — the highest tier defined by the Payment Card Industry Security Standards Council. Card numbers, CVVs, and expiration dates never touch our servers. We receive only non-sensitive metadata such as subscription status, country, and transaction IDs needed to entitle your account.

Infrastructure & network security

  • The landing site and web application are served by Cloudflare Pages, with DDoS mitigation and a web application firewall at the edge.
  • API services run in isolated containers with restricted egress and least-privilege credentials.
  • Database and object storage are only reachable from authenticated application services, never from the public internet.
  • Production secrets (database URLs, API keys, OAuth client secrets) are stored as environment variables in our deployment platform and are never committed to source control.
  • Security headers applied site-wide: HSTS, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, strict Referrer-Policy, restrictive Permissions-Policy, and Content Security Policy.

Access control & least privilege

Internal access to production systems is restricted to a small set of named administrators and protected by multi-factor authentication on the identity providers used to reach the infrastructure (cloud, DNS, email). We do not query customer data for operational support except where strictly necessary to resolve a user-reported issue, and only with that user's consent.

Data minimisation & AI

Template content, schemas, and sample data you submit are used exclusively to power the features you request (AI template editing, rendering, live preview). AI model providers contracted to power chat-based template generation are bound by terms that prohibit training on your inputs. See our Privacy Policy for details on processors and international transfers.

Backups & disaster recovery

The primary PostgreSQL database is backed up on an automated schedule, with encrypted snapshots retained for disaster recovery. Cloudflare R2 provides durable object storage for user-uploaded assets. Our target recovery point objective (RPO) and recovery time objective (RTO) are continuously being refined as the product matures.

Vulnerability disclosure

If you believe you have found a security vulnerability in pdfs.build, please report it privately to [email protected] with a description, reproduction steps, and any relevant logs or screenshots. Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate.

We will acknowledge receipt within 3 business days, keep you informed as we investigate, and credit security researchers who act in good faith (unless you prefer to remain anonymous). We do not currently operate a paid bug bounty programme, but we deeply appreciate responsible disclosure.

What's next

pdfs.build is a young product, and our security program is continuously improving. On our roadmap: optional customer-managed 2FA inside the application, a formal independent penetration test, and — as customer demand grows — a SOC 2 or ISO 27001 attestation.

Contact

General security questions or customer enterprise due-diligence requests: [email protected].

This page describes our current security posture and is provided for transparency. It is not a contract and does not modify or supersede our Terms of Service or Privacy Policy. For enterprise security questionnaires or a signed data processing addendum, contact [email protected].