Security

Your documents are processed entirely in memory. When you send HTML to our API, we convert it to PDF and return the result immediately. Nothing is written to disk.

• Input HTML — Never logged, never stored
• Generated PDFs — Exist only in memory during conversion
• What we do log — Request metadata only: timestamp, response size, duration

Once your PDF is delivered — whether via direct response, webhook, or upload to your storage — we discard everything. There's no "recently generated" list, no temporary storage, no caching.

We run on EU infrastructure from EU-headquartered providers — Hetzner and Bunny. No AWS, no Google Cloud, no Azure.

This matters because US hyperscalers are subject to the US Cloud Act, which can compel them to hand over data stored abroad. Our providers aren't.

For our EU region, data never leaves European borders. Processing happens in Frankfurt, and our database is hosted in Germany.

• In transit — All connections use TLS 1.3
• At rest — Database encrypted at the infrastructure level
• API keys — Hashed with SHA-256, never stored in plaintext

When you delete your account, we delete everything: your profile, API keys, usage records, and any associated data. This happens immediately via cascade delete — there's no 30-day grace period where your data lingers.

We're GDPR compliant by design, not as an afterthought. Our zero-retention architecture means there's minimal personal data to protect in the first place. For enterprise customers, we offer Data Processing Agreements (DPAs) on request.