How do you handle sensitive documents?

We built PDFShift with confidentiality in mind.

By default, when you send a basic conversion request to PDFShift, we load your source, convert it, generate a PDF and return that PDF in a binary format.

Once the request is done, there are no remaining traces of your data on our servers. Everything is done in memory.

This is to be in compliance with GDPR and HIPAA.

The generated PDF is never stored on our server by default, but it can be under special conditions:

Special conditions

There are three parameters to be aware of that might result in the request, or the generated PDF, being saved on PDFShift servers:

  • filename

  • webhook

  • log_request

When one of these parameters is given to PDFShift, instead of returning the raw PDF (and thus only having your document in memory), the PDF is saved on our S3 bucket and a URL is returned to you instead (either directly in response to your request with filename, or via a POST request to your webhook URL).

In that case, we do store the document. If your documents require no storage at all, you must not use these parameters.

If you need to use the filename or webhook parameter, you can also provide the s3_destination parameter, which points to your S3 bucket, so that the generated document is never stored on PDFShift. In that case, PDFShift only has write access to your bucket (not read) in order to put the generated document, and that's all. (We have a very limited set of rules to be added to your bucket for PDFShift's access, which clearly shows its restricted capability.)

Finally, by default, the logs on PDFShift do not contain the request you send (only an irreversible hash used for comparison purposes), nor do they contain the resulting document. But if you set log_request to true, PDFShift will store your raw request. This can be helpful for debugging purposes, but we advise against using it in production.

is_hipaa or is_gdpr parameter

If you want to ensure that the request you send is compliant with GDPR or HIPAA, meaning no documents will be saved on PDFShift's server regardless of the request, you can set either the is_gdpr or the is_hipaa parameter to true.

When either of these two parameters is set to true, PDFShift will ensure that filename or webhook is only set if s3_destination is set, to ensure the generated documents are never stored on PDFShift's server.
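
The same rules can be checked on your side before a request leaves your network. The following is an added example, not PDFShift code: the parameter names come from this page, while the function names and sample values are hypothetical and constructed for illustration.

```python
# Client-side pre-flight check (added example, not PDFShift's implementation).
# It flags request payloads that, per the rules on this page, would leave
# the request or the generated PDF stored on PDFShift.

# Parameters that make PDFShift return a URL instead of the raw PDF.
STORING_OUTPUT = ("filename", "webhook")


def _is_set(payload, key):
    """Treat None, False, '' and the string 'false' as 'not set'."""
    value = payload.get(key)
    if isinstance(value, str):
        return value.strip().lower() not in ("", "false")
    return bool(value)


def storage_findings(payload):
    """Return the reasons this payload would cause storage on PDFShift."""
    findings = []
    has_own_bucket = _is_set(payload, "s3_destination")
    for key in STORING_OUTPUT:
        if _is_set(payload, key) and not has_own_bucket:
            findings.append(
                f"{key} without s3_destination: PDF is saved on PDFShift's S3 bucket"
            )
    if _is_set(payload, "log_request"):
        findings.append("log_request is true: the raw request is stored in the logs")
    return findings


def assert_no_vendor_storage(payload):
    """Raise ValueError instead of sending a payload that would be stored."""
    findings = storage_findings(payload)
    if findings:
        raise ValueError("; ".join(findings))
    return payload


if __name__ == "__main__":
    # Constructed sample payloads.
    samples = [
        {"source": "https://example.com/invoice.html"},
        {"source": "https://example.com/invoice.html", "filename": "invoice.pdf"},
        {"source": "https://example.com/invoice.html", "webhook": "https://example.com/hook",
         "s3_destination": "s3://example-bucket/invoice.pdf"},
    ]
    for sample in samples:
        print(sorted(sample), "->", storage_findings(sample) or "in-memory only")
```

Calling assert_no_vendor_storage() in the code path that builds conversion requests keeps a stray filename, webhook or log_request from reaching production even when is_gdpr or is_hipaa is not set.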
