Your documents stay private.
Always.
AllPDFMagic processes your files and deletes them automatically. No training on your data, no storage, no sharing.
How we protect your data
Encrypted in transit
All file uploads and downloads use TLS 1.2+ (HTTPS). We enforce HTTPS-only via Vercel's CDN — no plain-HTTP connections are accepted.
Automatic file deletion
Every file you upload is automatically deleted from our servers within 1 hour of processing. We do not retain your documents after delivery. No exceptions.
No training on your data
Your uploaded documents are never used to train AI models, for analytics, or shared with third parties. We process your files only to fulfil the specific operation you requested.
Infrastructure
AllPDFMagic runs on Vercel (CDN + serverless functions) and Railway (document processing backend). Both providers operate SOC 2 Type II certified data centres in the United States.
GDPR compliance
We comply with the EU General Data Protection Regulation. As a data processor, we act only on your documented instructions. EU users may request data deletion at any time via support@allpdfmagic.com.
DPDP (India) compliance
We comply with India's Digital Personal Data Protection Act 2023. Your personal data is processed only for the purposes described in our Privacy Policy. Data fiduciaries may exercise rights under Section 13.
API security
API keys are SHA-256 hashed before storage — we cannot recover a key once issued. Keys can be rotated at any time from the dashboard. Rate limits prevent abuse.
Vulnerability disclosure
If you discover a security vulnerability, please report it responsibly to security@allpdfmagic.com. We aim to respond within 48 hours and resolve critical issues within 7 days.
What happens to your file
Upload
TLS-encrypted transfer to processing server
Process
File processed in memory / ephemeral storage
Deliver
Result returned to you via signed download URL
Delete
Source and output files deleted within 1 hour
Security FAQs
Do you store my uploaded PDFs?
No. Files are processed in memory or ephemeral storage and deleted within 1 hour. We do not maintain a persistent copy of any file you upload.
Who can see my documents?
Only the automated processing pipeline touches your files. No AllPDFMagic employee reads your documents. Access logs are retained for 30 days for abuse prevention.
Are you SOC 2 certified?
AllPDFMagic itself is not yet SOC 2 certified (we're a growing startup). Our infrastructure providers Vercel and Railway are SOC 2 Type II certified.
Where are my files processed?
Processing happens in the United States. If you are in the EU and have specific data residency requirements, contact us to discuss options.
Can I request deletion of my account data?
Yes. Email support@allpdfmagic.com with your account email and we will delete all account data within 30 days as required under GDPR Article 17.
How do you protect API keys?
API keys are hashed (SHA-256) on creation. The plaintext key is shown once and never stored. If compromised, rotate it from your dashboard — the old key becomes invalid immediately.
Questions about our security practices?
Our team responds within 48 hours on business days.