How do you handle sensitive documents?
We built PDFShift with confidentiality in mind.
By default, when you send a basic conversion request to PDFShift, we load your source, convert it, generate a PDF and return that PDF in a binary format.
This is to be in compliance with GDPR and HIPAA.
The generated PDF is never stored on our server by default, but can be under special conditions:
Special conditions
There are three parameters to be aware of that might result in the request, or the generated PDF, being saved on PDFShift servers:
filename
webhook
log_request
When one of these parameters is given to PDFShift, instead of returning the raw PDF (and thus only having your document in memory), the PDF is saved on our S3 bucket and a URL is returned to you instead (either directly in response to your request with filename, or via a POST request to your webhook URL).
In that case, we do store the document. If your documents require no storage at all, you must not use these parameters.
If you need to use the filename or webhook parameter, you can also provide the s3_destination parameter, which points to your S3 bucket, so that the generated document is never stored on PDFShift. In that case, PDFShift only has write access to your bucket (not read) in order to put the generated document, and that's all. (Only a very limited set of rules needs to be added to your bucket for PDFShift's access, which clearly shows its restricted capability.)
Finally, by default, the logs on PDFShift do not contain the request you send (only an irreversible hash used for comparison purposes), nor the resulting document. But if you set log_request to true, PDFShift will store your raw request. This can be helpful for debugging, but we advise against using it in production.
is_hipaa or is_gdpr parameter
If you want to ensure that the request you send is compliant with GDPR or HIPAA, meaning no documents will be saved on PDFShift's server regardless of the request, you can set either the is_gdpr or is_hipaa parameter to true.
When either of these two parameters is set to true, PDFShift will ensure that filename or webhook is only set if s3_destination is set, to ensure the generated documents are never stored on PDFShift's server.
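The same rule can be checked on the client before a request leaves your application. The following is an added example, not PDFShift's own code: the parameter names come from this page, while the function names and the accepted spellings of true are assumptions made for the example.

```python
"""Client-side pre-flight check for PDFShift conversion options (added example)."""

# Parameters that, per the page, cause the PDF to be saved on PDFShift's
# S3 bucket unless s3_destination points to your own bucket.
STORING_PARAMS = ("filename", "webhook")


def _truthy(value):
    """Treat True and the strings 'true'/'1' as enabled (assumed spellings)."""
    if isinstance(value, str):
        return value.strip().lower() in ("true", "1")
    return bool(value)


def storage_findings(options):
    """Return the reasons this request would leave data on PDFShift servers."""
    findings = []
    has_own_bucket = bool(options.get("s3_destination"))
    for name in STORING_PARAMS:
        if options.get(name) and not has_own_bucket:
            findings.append(
                f"{name} is set without s3_destination: "
                "the PDF is saved on PDFShift's S3 bucket"
            )
    if _truthy(options.get("log_request")):
        findings.append("log_request is true: the raw request is stored in logs")
    return findings


def harden(options):
    """Return a copy of the options with is_hipaa set, or refuse to proceed.

    Raises ValueError rather than letting through a request that would be
    stored, then sets is_hipaa so PDFShift applies its own check as well
    (is_gdpr is described on the page as working the same way).
    """
    findings = storage_findings(options)
    if findings:
        raise ValueError("; ".join(findings))
    hardened = dict(options)
    hardened["is_hipaa"] = True
    return hardened
```

Pass the returned options to whatever HTTP client you already use for the conversion request.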