Security & Privacy
Trust Center
Plain-language overview of how SentryPDF handles files today: browser-local first when realistic, temporary Fly.io processing in Germany when needed, and direct provider naming when a third party is involved.
Current operating model
Browser-local first
If a feature can be done well in the browser, SentryPDF should keep the core task on the current device instead of uploading the document.
Temporary server processing when needed
If browser-local processing is not realistic, SentryPDF uses temporary Fly.io processing in Frankfurt am Main, Germany, with a 30-minute default window.
Name providers directly
If a third party handles document content, the tool should say so clearly on the tool page and in product policy copy.
No permanent file library
The current deployment does not offer a permanent user document library for task files and does not store uploaded task files in Supabase Storage.
Architecture and trust flow
Current production flow, simplified.
Browser-local tool path
Best fit for sensitive documents when the feature is available browser-side.
Temporary server tool path
Temporary worker files are configured for up to 30 minutes, with cleanup every 60 seconds.
Third-party provider path (if enabled)
Avoid this path for highly confidential or restricted documents.
Account and app-data path
Supabase handles auth, sessions, and account state. It is not the current task-file store.
Tool-by-tool processing matrix
Each current tool below shows whether it stays in the browser, uses temporary server processing in Germany, names a third-party provider, and how conservative the confidentiality guidance is.
| Tool | Browser-local | Temporary server processing in Germany | Third-party provider | Confidential files | Notes |
|---|---|---|---|---|---|
| Merge PDFs | Yes | No | None | Best choice | Core task stays on the current device. |
| Split PDF | Yes | No | None | Best choice | Core task stays on the current device. |
| Organize PDF | Yes | No | None | Best choice | Core task stays on the current device. |
| Delete Pages | Yes | No | None | Best choice | Core task stays on the current device. |
| Compress PDF | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| Repair PDF | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| Images to PDF | Yes | No | None | Best choice | Core task stays on the current device. |
| Word to PDF | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| Excel to PDF | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| PowerPoint to PDF | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| HTML to PDF | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| PDF to Images | Yes | No | None | Best choice | Core task stays on the current device. |
| Save as archival PDF/A | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| Rotate PDF | Yes | No | None | Best choice | Core task stays on the current device. |
| Trim PDF margins | Yes | No | None | Best choice | Core task stays on the current device. |
| Add Page Numbers | Yes | No | None | Best choice | Core task stays on the current device. |
| Add Watermark | Yes | No | None | Best choice | Core task stays on the current device. |
| Extract text from PDF | Yes | Optional scan reading | None | Best in browser mode | Without scan reading it stays local. Turning scan reading on switches to temporary server processing. |
| Copy text from image | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| Protect PDF | Yes | No | None | Best choice | Core task stays on the current device. |
| Unlock PDF | Yes | No | None | Best choice | Core task stays on the current device. |
| Sign PDF | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. Sign PDF supports visible signature appearance and certificate-based digital signing. Certificate files and passwords are temporary processing inputs; SentryPDF does not store certificates or validate trust chains. |
| Black out sensitive content | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
Subprocessors by feature
Only the features that need these services use them. Browser-local tools do not send the core task to a server-side PDF processor.
| Feature | Provider | Document content? | Notes |
|---|---|---|---|
| Browser-local PDF tools | None | No | Core task stays on the current device for browser-local modes. |
| Temporary server PDF processing | Fly.io | Yes | Web app and worker run with primary region FRA (Frankfurt am Main, Germany). |
| Office conversion | LibreOffice inside Fly worker | Yes | Runs inside the SentryPDF worker, not a separate cloud conversion provider. |
| Auth, sessions, account data | Supabase | No | Used for sign-in, sessions, account state, billing state, and referrals. Not used as the task-file store. |
| Payments | Stripe | No | Card details are handled by Stripe, not stored on SentryPDF servers. |
| Contact form delivery | Resend | No | Only the support message and contact details you submit are sent. |
| Page analytics | Plausible | No | Cookie-free page analytics. Not used for uploaded document processing. |
Retention and deletion
Retention rules should be concrete, limited, and visible from the product UI.
| Flow | Stored where | Retention | User control |
|---|---|---|---|
| Browser-local tools | Current browser / current device | No server-side task file for the core task | Close the page or keep the downloaded result locally |
| Temporary server-side uploads and outputs | Fly.io worker local disk in Frankfurt am Main, Germany | Up to 30 minutes by default | Delete now on supported result pages |
| Cleanup sweep | Worker cleanup process | Runs every 60 seconds | Automatic cleanup plus manual delete-now action where supported |
| Single-use / one-time download access | Short-lived browser session and download authorization | Can end sooner than the file TTL after a successful download | Run the task again if a one-time download has already been consumed |
| Signed-in account data | Supabase | Account and billing lifecycle dependent | Contact support for account or privacy requests |
Sensitive document guidance
Best option: browser-local
If a browser-local tool can do the job well, use that first for sensitive documents because the core task stays on the current device.
Use caution: temporary server processing
Server-side tools are still temporary, but the document reaches the Fly.io worker in Germany. Use them only when the feature genuinely needs server processing.
Avoid for highly confidential files: third-party providers
If a tool ever names a third-party document provider, avoid that path for highly confidential or policy-restricted files.
Security contact and responsible disclosure
Use the contact path below for security reports. Please include enough detail to reproduce the issue without sending unnecessary confidential files.
- Email: support@sentrypdf.com
- Recommended subject line: Security report
- Include the affected URL, what you observed, and how to reproduce it
- Do not send secrets or documents you are not authorized to share
Incident response
- Acknowledge the report, triage severity, and try to reproduce the issue.
- Contain the problem, patch the affected code or configuration, and rotate credentials if needed.
- Review the likely impact, including whether temporary files, logs, or account data may have been exposed.
- Notify affected users when required and publish plain-language follow-up when it is responsible to do so.
What SentryPDF does not claim yet
- No public SOC 2 or ISO 27001 claim is made here.
- No formal public pentest or external security review is claimed yet.
- No fake “trusted by everyone” marketing language is used here without proof.
- This Trust Center describes the current deployment and current product behavior, not an ideal future state.
Need a specific trust answer?
Use the contact page for a concrete privacy, processing, or deployment question. It is better to answer narrowly and accurately than to over-promise.