Security & Privacy
Trust Center
Plain-language overview of how SentryPDF handles files today: browser-local first when realistic, temporary Fly.io processing in Germany when needed, and direct provider naming when a third party is involved.
Current operating model
Browser-local first
If a feature can be done well in the browser, SentryPDF should keep the core task on the current device instead of uploading the document.
Temporary server processing when needed
If browser-local processing is not realistic, SentryPDF uses temporary Fly.io processing in Frankfurt am Main, Germany with a 30-minute default window.
Name providers directly
If a third party handles document content, the tool should say so clearly. Translate PDF currently uses DeepL in production.
No permanent file library
The current deployment does not offer a permanent user document library for task files and does not store uploaded task files in Supabase Storage.
Architecture and trust flow
Current production flow, simplified.
Browser-local tool path
Best fit for sensitive documents when the feature is available browser-side.
Temporary server tool path
Temporary worker files are configured for up to 30 minutes, with cleanup every 60 seconds.
Third-party translation path
Avoid this path for highly confidential or restricted documents.
Account and app-data path
Supabase handles auth, sessions, and account state. It is not the current task-file store.
Tool-by-tool processing matrix
Each current tool below shows whether it stays in the browser, uses temporary server processing in Germany, names a third-party provider, and how conservative the confidentiality guidance is.
| Tool | Browser-local | Temporary server processing in Germany | Third-party provider | Confidential files | Notes |
|---|---|---|---|---|---|
| Merge PDFs | Yes | No | None | Best choice | Core task stays on the current device. |
| N-up / Handout PDF | Yes | No | None | Best choice | Core task stays on the current device. |
| Bates Numbering PDF | Yes | No | None | Best choice | Core task stays on the current device. |
| Split PDF by Bookmarks | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| Split PDF | Yes | No | None | Best choice | Core task stays on the current device. |
| Compress PDF | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| Web Optimize PDF | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| Organize PDF | Yes | No | None | Best choice | Core task stays on the current device. |
| Edit PDF | Yes | No | None | Best choice | Core task stays on the current device. |
| Merge Alternate Pages | Yes | No | None | Best choice | Core task stays on the current device. |
| PDF Metadata | Yes | No | None | Best choice | Core task stays on the current device. |
| Resize PDF | Yes | No | None | Best choice | Core task stays on the current device. |
| Overlay / Underlay PDF | Yes | No | None | Best choice | Core task stays on the current device. |
| Flatten PDF | Yes | No | None | Best choice | Core task stays on the current device. |
| Fill PDF Forms | Yes | No | None | Best choice | Core task stays on the current device. |
| Rotate PDF | Yes | No | None | Best choice | Core task stays on the current device. |
| Delete Pages | Yes | No | None | Best choice | Core task stays on the current device. |
| Crop PDF | Yes | No | None | Best choice | Core task stays on the current device. |
| Add Page Numbers | Yes | No | None | Best choice | Core task stays on the current device. |
| Header / Footer PDF | Yes | No | None | Best choice | Core task stays on the current device. |
| Redact PDF | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| Repair PDF | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| Sign PDF | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. Visible signature appearance only. Not a certificate-based digital signature. |
| Protect PDF | Yes | No | None | Best choice | Core task stays on the current device. |
| Unlock PDF | Yes | No | None | Best choice | Core task stays on the current device. |
| Images to PDF | Yes | No | None | Best choice | Core task stays on the current device. |
| PDF to Images | Yes | No | None | Best choice | Core task stays on the current device. |
| Extract Images from PDF | Yes | No | None | Best choice | Core task stays on the current device. |
| Extract Attachments from PDF | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| Remove Attachments from PDF | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| Compare PDF | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| PDF to Word | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| PDF to Excel | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| PDF to PowerPoint | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| Word to PDF | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| PowerPoint to PDF | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| Excel to PDF | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| Markdown to PDF | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| PDF to Markdown | Yes | Optional (OCR mode) | None | Best in browser mode | Without OCR it stays local. Enabling OCR switches to temporary server processing. |
| Extract text from PDF | Yes | Optional (OCR mode) | None | Best in browser mode | Without OCR it stays local. Enabling OCR switches to temporary server processing. |
| OCR PDF | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| Extract text from image (OCR) | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| Translate PDF | No | Yes | DeepL | Avoid highly confidential files | Current production uses DeepL for translation. |
| HTML to PDF | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
| Add Watermark | Yes | No | None | Best choice | Core task stays on the current device. |
| PDF to PDF/A | No | Yes | None | Caution | Uses temporary SentryPDF processing on Fly.io in Germany. |
Core task stays on the current device.
Core task stays on the current device.
Core task stays on the current device.
Uses temporary SentryPDF processing on Fly.io in Germany.
Core task stays on the current device.
Uses temporary SentryPDF processing on Fly.io in Germany.
Uses temporary SentryPDF processing on Fly.io in Germany.
Core task stays on the current device.
Core task stays on the current device.
Core task stays on the current device.
Core task stays on the current device.
Core task stays on the current device.
Core task stays on the current device.
Core task stays on the current device.
Core task stays on the current device.
Core task stays on the current device.
Core task stays on the current device.
Core task stays on the current device.
Core task stays on the current device.
Core task stays on the current device.
Uses temporary SentryPDF processing on Fly.io in Germany.
Uses temporary SentryPDF processing on Fly.io in Germany.
Uses temporary SentryPDF processing on Fly.io in Germany. Visible signature appearance only. Not a certificate-based digital signature.
Core task stays on the current device.
Core task stays on the current device.
Core task stays on the current device.
Core task stays on the current device.
Core task stays on the current device.
Uses temporary SentryPDF processing on Fly.io in Germany.
Uses temporary SentryPDF processing on Fly.io in Germany.
Uses temporary SentryPDF processing on Fly.io in Germany.
Uses temporary SentryPDF processing on Fly.io in Germany.
Uses temporary SentryPDF processing on Fly.io in Germany.
Uses temporary SentryPDF processing on Fly.io in Germany.
Uses temporary SentryPDF processing on Fly.io in Germany.
Uses temporary SentryPDF processing on Fly.io in Germany.
Uses temporary SentryPDF processing on Fly.io in Germany.
Uses temporary SentryPDF processing on Fly.io in Germany.
Without OCR it stays local. Enabling OCR switches to temporary server processing.
Without OCR it stays local. Enabling OCR switches to temporary server processing.
Uses temporary SentryPDF processing on Fly.io in Germany.
Uses temporary SentryPDF processing on Fly.io in Germany.
Current production uses DeepL for translation.
Uses temporary SentryPDF processing on Fly.io in Germany.
Core task stays on the current device.
Uses temporary SentryPDF processing on Fly.io in Germany.
Subprocessors by feature
Only the features that need these services use them. Browser-local tools do not send the core task to a server-side PDF processor.
| Feature | Provider | Document content? | Notes |
|---|---|---|---|
| Browser-local PDF tools | None | No | Core task stays on the current device for browser-local modes. |
| Temporary server PDF processing | Fly.io | Yes | Web app and worker run with primary region FRA (Frankfurt am Main, Germany). |
| Translate PDF | DeepL | Yes | Current production translation provider. |
| Office conversion | LibreOffice inside Fly worker | Yes | Runs inside the SentryPDF worker, not a separate cloud conversion provider. |
| Auth, sessions, account data | Supabase | No | Used for sign-in, sessions, account state, billing state, and referrals. Not used as the task-file store. |
| Payments | Stripe | No | Card details are handled by Stripe, not stored on SentryPDF servers. |
| Contact form delivery | Resend | No | Only the support message and contact details you submit are sent. |
| Page analytics | Plausible | No | Cookie-free page analytics. Not used for uploaded document processing. |
Retention and deletion
Retention rules should be concrete, limited, and visible from the product UI.
| Flow | Stored where | Retention | User control |
|---|---|---|---|
| Browser-local tools | Current browser / current device | No server-side task file for the core task | Close the page or keep the downloaded result locally |
| Temporary server-side uploads and outputs | Fly.io worker local disk in Frankfurt am Main, Germany | Up to 30 minutes by default | Delete now on supported result pages |
| Cleanup sweep | Worker cleanup process | Runs every 60 seconds | Automatic cleanup plus manual delete-now action where supported |
| Single-use / one-time download access | Short-lived browser session and download authorization | Can end sooner than the file TTL after a successful download | Run the task again if a one-time download has already been consumed |
| Signed-in account data | Supabase | Account and billing lifecycle dependent | Contact support for account or privacy requests |
Sensitive document guidance
Best option: browser-local
If a browser-local tool can do the job well, use that first for sensitive documents because the core task stays on the current device.
Use caution: temporary server processing
Server-side tools are still temporary, but the document reaches the Fly.io worker in Germany. Use them only when the feature genuinely needs server processing.
Avoid for highly confidential files: third-party translation
Translate PDF sends content to DeepL. That can be practical, but it is not the right choice for highly confidential or policy-restricted files.
Security contact and responsible disclosure
Use the contact path below for security reports. Please include enough detail to reproduce the issue without sending unnecessary confidential files.
- Email: support@sentrypdf.com
- Recommended subject line: Security report
- Include the affected URL, what you observed, and how to reproduce it
- Do not send secrets or documents you are not authorized to share
Incident response
- Acknowledge the report, triage severity, and try to reproduce the issue.
- Contain the problem, patch the affected code or configuration, and rotate credentials if needed.
- Review the likely impact, including whether temporary files, logs, or account data may have been exposed.
- Notify affected users when required and publish plain-language follow-up when it is responsible to do so.
What SentryPDF does not claim yet
- No public SOC 2 or ISO 27001 claim is made here.
- No formal public pentest or external security review is claimed yet.
- No fake “trusted by everyone” marketing language is used here without proof.
- This Trust Center describes the current deployment and current product behavior, not an ideal future state.
Need a specific trust answer?
Use the contact page for a concrete privacy, processing, or deployment question. It is better to answer narrowly and accurately than to over-promise.