Security & Trust

Your documents, treated as critical data.

We generate documents that carry sensitive data — invoices, contracts, personal data. Below is exactly what we do today to protect that, and what is still being built. No empty jargon: if we do not have it, it is marked as roadmap.

Live today

Encryption in transit

All traffic goes over TLS (forced HTTPS, HSTS with preload). No API call or data travels in plain text.

Zero-retention of content

The payload and the generated PDF exist only in memory during the render. They are never written to disk or stored afterwards. We keep only billing metadata (size, duration, status) and a hash for verification, never the content.

Verifiable documents

A SHA-256 hash of each document is computed at the moment of issuance. Anyone can upload the file at /verify and confirm that it is intact and was generated by us: proof of integrity against tampering, without having to take our word for it.
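A minimal sketch of the issue-then-verify flow described in the two sections above, as an added example and not the service's own code. The renderer, the in-memory ledger, and every function and field name here are assumptions made for illustration.

```python
import hashlib
import time

# Hypothetical stand-in for the issuance ledger: it holds only billing
# metadata keyed by the document hash, never the payload or the PDF bytes.
LEDGER = {}

def render_pdf(payload: dict) -> bytes:
    """Placeholder renderer (assumption): builds the bytes in memory only."""
    body = "\n".join(f"{k}: {v}" for k, v in sorted(payload.items()))
    return b"%PDF-1.7\n" + body.encode("utf-8") + b"\n%%EOF\n"

def issue(payload: dict) -> bytes:
    """Render, record hash + metadata, and return the PDF without persisting it."""
    start = time.monotonic()
    pdf = render_pdf(payload)
    digest = hashlib.sha256(pdf).hexdigest()
    LEDGER[digest] = {
        "size": len(pdf),
        "duration_ms": round((time.monotonic() - start) * 1000, 3),
        "status": "ok",
    }
    return pdf

def verify(uploaded: bytes) -> dict:
    """What a /verify handler would do: re-hash the upload and look it up."""
    digest = hashlib.sha256(uploaded).hexdigest()
    record = LEDGER.get(digest)
    return {
        "sha256": digest,
        "issued": record is not None,
        "size_matches": record is not None and record["size"] == len(uploaded),
    }

if __name__ == "__main__":
    # Constructed sample payload, not real customer data.
    original = issue({"invoice": "INV-0001", "total": "100.00"})
    tampered = original.replace(b"100.00", b"900.00")
    print("original:", verify(original)["issued"])   # True
    print("tampered:", verify(tampered)["issued"])   # False
    print("ledger fields:", sorted(next(iter(LEDGER.values()))))
```

The check is byte-exact, so a file that was re-saved or re-compressed by a PDF tool will no longer match even if it looks identical. A match shows the upload equals bytes recorded at issuance, and the claim about who generated it rests on the ledger belonging to the service.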

Protected credentials

API keys are stored only as a SHA-256 hash (the raw key is shown only once). Passwords are hashed with Argon2id. Keys can be revoked at any time.

Multi-tenant isolation + RBAC

Each organization is an isolated tenant: every query is scoped by organization on the server. OWNER/MEMBER/ADMIN roles (basic RBAC) control who creates keys and publishes templates. Your data never crosses over to another account.

Encryption at rest

The data that does persist (templates, metadata) lives in managed Postgres with AES-256 encryption at rest by the provider.

Privacy & terms

Public Privacy (LGPD/GDPR/CCPA), Terms and Cookies policies. We do not sell your data or train models with your content.

Radical honesty

We do not say we do “end-to-end encryption”. To render your document, our server needs to see the content in plain text for a few milliseconds, in memory. Anyone promising “E2E” + cloud render is redefining the term. What we actually deliver is zero-retention: we see it for an instant, we never store it.

For those who need the data to never leave their own environment, the right answer is self-host / VPC — it is on the roadmap below.

Compliance roadmap

We do not yet have the items below. We list them openly — and we never claim a certification before it exists. (LGPD/GDPR/CCPA privacy/terms policies and basic RBAC are already live — see above.)

Sub-processors

Third parties that process data to operate the service: hosting provider (application infrastructure), managed Postgres (database), and Stripe (payments). Changes to this list are communicated in advance.