Security & Vulnerability Disclosure
We take the security of your documents seriously. OLPDF employs enterprise-grade infrastructure and strict data policies to ensure your intellectual property remains yours.
Encryption Everywhere
All data is encrypted in transit using TLS 1.3 and at rest using AES-256. We utilize Cloudflare R2 for highly available, zero-egress object storage with strict access controls.
Privacy by Design
We never use your private documents to train our foundation models. OLPDF employs strict row-level security (RLS), ensuring that your data is accessible only to authorized accounts.
Responsible Disclosure
If you believe you've found a security vulnerability in OLPDF, please notify us immediately. We will work with you to resolve the issue promptly.
Reporting Guidelines
- Email your findings to security@olpdf.xyz.
- Provide detailed steps to reproduce the vulnerability.
- Do not disclose the vulnerability publicly until we have had a reasonable amount of time to deploy a fix (typically 90 days).
- Do not exploit the vulnerability further than necessary to demonstrate its existence.
- Do not access or modify data belonging to other users.
Out of Scope
The following issues are generally considered out of scope for our bug bounty/disclosure program:
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user's device.
- Missing security headers which do not lead directly to a vulnerability.
Compliance & Infrastructure
Sub-processors
We use the following trusted providers to deliver our service:
- Cloudflare: CDN, WAF, and R2 Object Storage (US/EU)
- Supabase: Database and Authentication (AWS/AWS EU)
- Modal: GPU Compute and Async Workers