Your security is our priority
End-to-end encryption, auto-deletion, and enterprise-grade compliance — built in.
Encryption
Every byte in transit uses TLS 1.3 with modern cipher suites. At rest, your files are encrypted with AES-256 using per-tenant keys managed in a dedicated KMS. We never store decrypted file contents or session tokens in plaintext.
Encryption keys rotate every 90 days. Older keys remain available only for the lifetime of the files they protected — which, given our 1-hour auto-deletion policy, is the same day.
File handling
Files are automatically deleted within 1 hour of upload, no exceptions. There is no permanent storage tier — even paid Pro accounts don't keep file history beyond their deletion window. If you delete the file from the result page, we remove it within seconds.
Your files are never used to train AI models — ours or anyone else's. GDPR Article 17 (right to be forgotten) is honored within 72 hours of request.
Infrastructure
Primary processing runs in EU data centers (Frankfurt, Amsterdam) certified to ISO 27001 and SOC 2. All services sit behind Cloudflare with DDoS protection and WAF rules tuned to PDF upload patterns.
Backups are encrypted and retained for 30 days, then destroyed. We run weekly disaster-recovery drills and publish the results on status.imisspdf.com.
Compliance
SOC 2 Type II audited annually by a Big Four firm. GDPR-compliant with a signed DPA available on request. CCPA-compliant for California customers. HIPAA-ready for Enterprise — BAA available.
Public-facing security reporting is available through our Trust Center (status.imisspdf.com/security). Vulnerability disclosure is handled through our bug bounty program below.
Common security questions
TLS 1.3 in transit, AES-256-GCM at rest, with per-tenant keys in a dedicated KMS. Files are decrypted only in-memory during processing.
Primary: Frankfurt, Germany. Failover: Amsterdam. Enterprise customers can request region pinning (US, UK, Singapore, Australia).
No. Your files are never used to train any AI model. AI features operate on your file only for the duration of your task.
Email security@imisspdf.com with a description and reproduction steps. We respond within 24 hours and pay bounties for valid reports — see below.
Yes — our standard DPA is signable from the Business and Enterprise dashboards. Custom DPAs are negotiable for Enterprise.
Yes for Enterprise customers — BAA available. Free, Pro, and Business plans do not include HIPAA coverage by default.
Our incident-response runbook is public. Affected customers are notified within 72 hours per GDPR; a status page update and post-mortem follow.
Yes — Business and Enterprise plans support Google, Microsoft, Okta, and custom SAML 2.0 providers. SCIM provisioning included.
Bug bounty program
Found a vulnerability? Report it responsibly to security@imisspdf.com and earn up to $5,000. We respond within 24 hours.