Security

Your financial data deserves bank-level protection. Here's exactly how we keep it safe.

Last updated: February 27, 2025

TL;DR: Your uploaded PDF is processed in an isolated memory-only environment, permanently deleted within 30 seconds, and no one on our team can ever access its contents.

Our Security Measures

TLS 1.3 Encryption in Transit

All data between your browser and our servers is encrypted with TLS 1.3 — the latest and most secure transport protocol available.

Ephemeral Processing Containers

Your PDF is processed in an isolated, sandboxed container that is destroyed immediately after conversion. No residual data remains.

Zero-Persistence Architecture

Files are never written to disk or long-term storage. Processing happens entirely in RAM and is wiped on container destruction.

No Human Access to Files

Our team has zero technical ability to access your uploaded files. Processing is fully automated with no human-in-the-loop.

Regular Security Audits

We conduct quarterly penetration testing and annual third-party security audits of our infrastructure and application code.

Security Incident Response

We have a documented incident response plan. In the unlikely event of a breach, affected users are notified within 72 hours.

Data Lifecycle

Here's exactly what happens to your file from the moment you upload it:

  • t+0s — File is received over a TLS 1.3 encrypted connection
  • t+0s — File is loaded into RAM inside an isolated processing container
  • t+1–10s — AI reads and categorizes transactions (in memory only)
  • t+10s — Excel file is generated and uploaded to a temporary signed URL
  • t+10s — Source PDF is permanently wiped from memory
  • t+15min — Generated Excel file is automatically deleted from temporary storage
  • Never — No file content is ever written to logs, databases, or backups

Infrastructure

MyPDFtoExcel runs on Vercel (frontend and API) with processing infrastructure hosted on AWS in US-East-1 and EU-West-1 regions. All infrastructure is SOC 2 Type II certified.

  • Application hosted behind Vercel's global edge network with DDoS protection
  • All secrets and API keys stored in encrypted environment variable stores
  • Dependency scanning and automated vulnerability alerts via Dependabot
  • Infrastructure-as-code with audit logs for all configuration changes

Payment Security

All payments are processed by Stripe, a PCI DSS Level 1 certified payment processor. We never see, store, or transmit your full credit card number. Stripe handles all card data in their secure, compliant environment.

Authentication Security

  • Passwords are hashed using bcrypt with a minimum work factor of 12
  • Optional two-factor authentication (2FA) via TOTP apps (Authenticator, etc.)
  • Session tokens are rotated on each login and invalidated on logout or password change
  • CSRF protection on all state-changing endpoints
  • Rate limiting on login and upload endpoints to prevent abuse

Responsible Disclosure

We take security vulnerabilities seriously and appreciate the work of security researchers. If you discover a potential security issue, please disclose it responsibly:

  • Email: security@mypdftoexcel.com
  • Use PGP encryption if disclosing sensitive details (public key available on request)
  • Include a clear description, steps to reproduce, and potential impact
  • We commit to acknowledging reports within 48 hours and resolving confirmed issues within 30 days

Bug Bounty: We offer a recognition program for responsible disclosures of valid security vulnerabilities. Contact us for details.

Compliance

  • GDPR — Compliant for EU users; no financial data stored beyond processing window
  • CCPA — Compliant for California residents
  • SOC 2 — Infrastructure provider is SOC 2 Type II certified
  • PCI DSS — Payment processing via PCI DSS Level 1 certified Stripe

Questions?

Have a security question or concern? Contact our security team at security@mypdftoexcel.com. For general questions, reach us at hello@mypdftoexcel.com.