gPdf render/edge
Security

Security at gPdf

How gPdf protects customer data: edge runtime model, transit encryption, the stateless rendering pipeline, and our certification roadmap.

Effective Last updated
Summary

gPdf renders PDFs inside Cloudflare Workers V8 isolates with no document persistence after the request. All API traffic is TLS 1.3. SOC 2 Type II audit is scheduled for Q3 2026. Vulnerability reports go via the contact form on this page.

Runtime model

The gPdf rendering pipeline executes inside a single Cloudflare Workers V8 isolate per request. Each isolate is a sandboxed JavaScript runtime; multiple isolates run inside the same process but cannot read each other’s memory. The runtime has no persistent disk, no shared filesystem and no inter-isolate IPC.

When a /api/v1/pdf/render request arrives:

  1. The request body is parsed into a DocumentRequest value type in memory.
  2. The Rust+WASM renderer composes the PDF into an in-memory byte buffer.
  3. The buffer is returned in the HTTP response.
  4. The isolate’s allocations are released when the response stream completes.

There is no step in this pipeline where the input JSON or the output PDF is written to durable storage.

Data handling

SurfaceWhat we storeRetention
Input DocumentRequest JSONNot stored. Held only in isolate memory for the duration of the render.~4 ms (typical)
Output PDF bytesNot stored. Streamed back in the HTTP response.~4 ms (typical)
Request metadata (route, status, timing)Stored in operational logs for capacity planning + abuse detection. No request bodies, no PDF bytes.30 days
Account metadata (org, API keys, plan)Stored in our control-plane database.Lifetime of the account
Billing-relevant page countsStored, aggregated per billing period. Counts only — no document content.7 years (tax law)

Network and transport

  • TLS 1.3 is the minimum on all *.gpdf.com endpoints. TLS 1.0 and 1.1 are rejected at the edge.
  • HSTS is enforced with a 1-year max-age and includeSubDomains.
  • API traffic uses certificate pinning at the Cloudflare edge; certificates are issued by Let’s Encrypt with automated rotation.

Authentication and authorisation

  • API keys are bearer tokens scoped to one organisation. Lost keys can be rotated via the dashboard with no production downtime — old and new keys can be active simultaneously during cutover.
  • Dashboard access uses email + WebAuthn / passkey. Password-only login is disabled.
  • Sub-accounts and per-environment keys are available on the Pro and Enterprise tiers.

Vulnerability reporting

We accept reports via our contact form — select “Security”. PGP key and acknowledgement timeline are listed at /.well-known/security.txt. Critical reports receive an initial response within 24 hours; remediation timelines depend on severity.

We do not currently run a paid bug bounty programme. Security researchers acting in good faith under the safe-harbour terms in security.txt will not face legal action from us.

Certifications and audits

  • SOC 2 Type II — audit scheduled for Q3 2026. Pre-audit evidence available under NDA on request.
  • GDPR — see the privacy policy and the DPA.
  • PCI DSS — gPdf does not process cardholder data; cardholder data flows through Stripe and never touches our infrastructure.

Sub-processors

The current sub-processor list is on the DPA page under “Approved sub-processors”.

Reach us

  • General security questions: use our contact form — select “Security”.
  • Vulnerability disclosure: use our contact form — select “Vulnerability”. PGP key for encrypted disclosure is listed in /.well-known/security.txt.
  • Procurement / questionnaires: use our contact form — select “Procurement”.