Security
1. File Processing Security
We minimize server-side exposure of your files through a layered approach:
- Browser-Based Processing: Many PDF operations happen entirely within your browser using client-side JavaScript. Your files never leave your device for these operations.
- Server-Side Processing: For resource-intensive operations (OCR, compression, conversions), files are uploaded over TLS using 256-bit cipher suites, processed in isolated environments, and automatically deleted once processing is complete.
- No File Retention: We do not retain copies of your processed files. Once the operation is complete and you have downloaded the result, the file is permanently removed from our servers.
2. Encryption
- In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or later with 256-bit cipher suites.
- At Rest: Sensitive data stored on our servers (such as cloud-synced passwords) is encrypted using AES-256-GCM. We use unique encryption keys per user, and the keys are stored separately from the encrypted data.
- Password Hashing: Account passwords are hashed using bcrypt with a cost factor of 12. We never store plain-text passwords.
3. Authentication & Session Security
- Secure Sessions: User sessions are managed with cookies set with the HttpOnly and Secure flags, so they cannot be read by client-side JavaScript and are only sent over HTTPS.
- CSRF Protection: All state-changing requests are protected with token-based CSRF validation to prevent cross-site request forgery attacks.
- OAuth 2.0: Google sign-in uses the OAuth 2.0 protocol with PKCE for secure third-party authentication.
- Device Fingerprinting: Anonymous device identifiers help detect session hijacking and unauthorized access attempts.
4. Infrastructure Security
- Isolated File Storage: Files processed on our servers are stored in isolated, per-session directories that are inaccessible to other users or processes.
- Rate Limiting: Requests are rate-limited per IP address and per user to prevent abuse, brute-force attacks, and denial-of-service attempts.
- CORS Policy: Only authorized domains can access our APIs. Cross-origin requests from unauthorized sources are rejected.
- Security Headers: We apply strict HTTP security headers including Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security.
- Input Sanitization: All user inputs are validated and sanitized to prevent injection attacks (SQL injection, XSS, command injection).
5. Data Isolation & Access Control
- User Data Isolation: Each user's data (files, workflows, synced passwords, signatures) is stored separately and can only be accessed by the authenticated account owner.
- Team Access Controls: Shared team resources are accessible only to team members. Team admins control what is shared, and access is revoked immediately when a member is removed.
- Principle of Least Privilege: Internal systems and services operate with minimal required permissions.
6. Monitoring & Incident Response
- Audit Logging: Security events, authentication attempts, and processing actions are logged for monitoring and forensic analysis.
- Suspicious Activity Detection: Automated systems monitor for unusual patterns such as repeated failed login attempts, rapid file uploads, or abnormal API usage.
- Automatic Cleanup: Files are deleted automatically even in the event of server crashes, process failures, or unexpected errors. Periodic cleanup jobs ensure no orphaned files remain.
7. Payment Security
Payment processing is handled entirely by Paddle.com Market Limited, our Merchant of Record. Blackpdf never receives, processes, or stores your credit card numbers, CVV codes, or banking details. All payment data is handled in PCI DSS-compliant environments by Paddle.
8. Reporting Security Issues
If you discover a security vulnerability or have concerns about the security of our Service, please contact us immediately at:
Email: support@blackpdf.com
We take all security reports seriously and will investigate promptly. We ask that you give us reasonable time to address any issues before public disclosure.
9. Related Policies
For details on our data practices, see our Privacy Policy.
For your rights and obligations, see our Terms of Service.
For cookie usage details, see our Cookie Policy.