Security

The technical and organisational measures in force for pdfserve.eu. This page is the “measures” annex referenced from the DPA.

Hosting

  • All compute, database, object storage, DNS, and image registry run on Scaleway in Paris (fr-par).
  • No US sub-processors are used in the rendering data path. The full list lives in the DPA.
  • TLS 1.2+ on every public endpoint, with certificates issued and renewed automatically by Let’s Encrypt.

Runtime isolation

  • Containers run with readOnlyRootFilesystem and all Linux capabilities dropped.
  • The only writable mount is an in-memory tmpfs, scoped to a single request lifetime.
  • Worker processes are recycled after a bounded number of requests, so any residue a request leaves in process memory cannot outlive that bound.
  • HTML and the rendered PDF live in process memory only — never written to disk. See /retention for the full data lifecycle.
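As an added illustration of the settings in the list above (not pdfserve.eu's own manifest; names, image, sizes and the non-root user are placeholders), a Kubernetes pod spec for a renderer worker with a read-only root filesystem, every capability dropped, and an in-memory emptyDir as the only writable mount. The runAsNonRoot, allowPrivilegeEscalation, seccomp and service-account settings go beyond what the page states and are added here as the usual companions of those two measures:

```yaml
# Added example, not the project's manifest. Placeholder names throughout.
apiVersion: v1
kind: Pod
metadata:
  name: renderer-example
spec:
  automountServiceAccountToken: false   # a render worker never needs to talk to the API server
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001                    # placeholder uid
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: renderer
      image: registry.example/renderer:placeholder
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      env:
        - name: TMPDIR                  # point libraries that insist on a temp dir at the tmpfs
          value: /scratch
      volumeMounts:
        - name: scratch
          mountPath: /scratch
      resources:
        limits:
          memory: 1Gi                   # a Memory emptyDir counts against this limit; size both together
  volumes:
    - name: scratch
      emptyDir:
        medium: Memory                  # tmpfs: nothing written here touches a disk
        sizeLimit: 256Mi
```

One caveat a reviewer would raise: an emptyDir lives as long as the pod, not as long as a request. Scoping it to a single request, as the list above describes, has to be done by the worker itself (for example a fresh temporary directory under /scratch created at the start of a request and removed in a finally block), and the memory limit must leave room for the tmpfs, since pages written there are charged to the container.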

Input handling

  • HTML payloads are capped at 5 MB per request.
  • URL inputs and any nested asset fetches (images, stylesheets, fonts) go through an SSRF-safe fetcher: non-http(s) schemes are refused, and any host whose DNS resolves to a private, loopback, link-local, multicast, reserved, or cloud-metadata address (e.g. 169.254.169.254) is rejected before a connection is opened.
  • Render errors return a generic JSON detail; we never echo the submitted HTML back.
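An added example of the "resolve first, judge every address, then connect" check the fetcher bullet describes. This is illustration code, not pdfserve.eu's fetcher; the resolver table and hostnames are constructed so it runs offline, and the resolver is injectable so the same function can be pointed at socket.getaddrinfo in production. It also handles two cases the bullet does not spell out: IPv4 addresses smuggled inside IPv6 forms (::ffff:169.254.169.254, 6to4, Teredo) and host strings such as "2130706433" that the C resolver accepts but ipaddress.ip_address() does not, which is why the decision is made on what the resolver returns rather than on the literal:

```python
"""SSRF-safe target check (added example; not pdfserve.eu's code).

Resolve the host, judge every returned address, and hand the caller the vetted
addresses so the connection is opened to those rather than to a fresh lookup."""
import ipaddress
import socket
from typing import List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeURL(ValueError):
    """Raised before any connection is attempted."""


def _unwrap(addr):
    """Return the IPv4 address embedded in an IPv4-mapped, 6to4 or Teredo IPv6
    address, so that ::ffff:169.254.169.254 is judged as 169.254.169.254."""
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:
            return addr.ipv4_mapped
        if addr.sixtofour is not None:
            return addr.sixtofour
        if addr.teredo is not None:
            return addr.teredo[1]  # (server, client); the client is the real endpoint
    return addr


def is_address_allowed(ip: str) -> bool:
    """True only for globally routable unicast addresses. Each predicate is checked
    explicitly rather than relying on is_global alone, whose coverage of multicast
    and of 100.64.0.0/10 has differed between Python versions."""
    try:
        addr = _unwrap(ipaddress.ip_address(ip))
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified
                or not addr.is_global)


def vet_url(url: str, resolve=socket.getaddrinfo) -> Tuple[str, int, List[str]]:
    """Validate scheme and host, resolve, and return (host, port, addresses) where every
    address passed is_address_allowed. Connect to those addresses, not to a new lookup."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeURL("no host in URL")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo in URL")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as exc:
        raise UnsafeURL(f"bad port: {exc}") from None
    # Judge the resolver's output, not the literal: glibc accepts "2130706433" or
    # "0x7f.1" for 127.0.0.1, which ipaddress.ip_address() would refuse to parse.
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise UnsafeURL(f"cannot resolve {host}: {exc}") from None
    addresses = sorted({info[4][0] for info in infos})
    if not addresses:
        raise UnsafeURL(f"no addresses for {host}")
    rejected = [a for a in addresses if not is_address_allowed(a)]
    if rejected:  # one bad record is enough: split answers are a rebinding classic
        raise UnsafeURL(f"{host} resolves to disallowed address(es) {rejected}")
    return host, port, addresses


def is_url_allowed(url: str, resolve=socket.getaddrinfo) -> bool:
    try:
        vet_url(url, resolve)
        return True
    except UnsafeURL:
        return False


# Constructed resolver table standing in for socket.getaddrinfo so the example runs offline.
_FAKE_DNS = {
    "cdn.example": ["93.184.216.34"],
    "evil.example": ["93.184.216.34", "169.254.169.254"],  # one benign, one metadata record
    "ipv6.example": ["2606:4700::1111"],
    "mapped.example": ["::ffff:10.0.0.5"],
}


def fake_resolve(host, port, *args, **kwargs):
    """Mimics getaddrinfo's return shape for names in _FAKE_DNS and for IP literals."""
    try:
        records = [str(ipaddress.ip_address(host))]
    except ValueError:
        if host not in _FAKE_DNS:
            raise socket.gaierror(f"constructed table has no entry for {host}")
        records = _FAKE_DNS[host]
    return [(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", (ip, port))
            for ip in records]


if __name__ == "__main__":
    for u in ("https://cdn.example/logo.png", "https://evil.example/x",
              "http://169.254.169.254/latest/meta-data/", "file:///etc/passwd"):
        print(u, "->", "allowed" if is_url_allowed(u, fake_resolve) else "rejected")
```

Two things the check alone does not buy you: the connection must actually go to the returned addresses (resolving again at connect time reopens the rebinding window), and every redirect hop is a new URL that has to go through vet_url again, so automatic redirect following should be off. Timeouts and a cap on response size belong in the same fetcher.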

Authentication & secrets

  • API keys are stored only as Argon2id hashes. The raw key is shown to the user exactly once at creation and never logged.
  • Bearer-token authentication on every API call; revocation is immediate from the dashboard.
  • Dashboard session cookies carry the HttpOnly, Secure and SameSite attributes.
  • Operator admin credentials are stored in Kubernetes secrets and rotated via the deploy script.
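An added example of an API-key store built around the two bullets above (not pdfserve.eu's code). The key layout is an assumption: "<prefix>.<secret>", where the prefix is a short random identifier that is safe to log and to index on, and the secret carries all the entropy. The prefix matters with Argon2id in particular: salted hashes cannot be looked up by value, so without a plaintext prefix every request would mean verifying against every stored hash. The store takes any hasher with hash() and verify(); an adapter for argon2-cffi (whose PasswordHasher defaults to Argon2id) is included and imported lazily, and a stdlib scrypt stand-in is used so the example runs offline:

```python
"""API key issue / verify with hash-only storage (added example; not pdfserve.eu's code)."""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class Argon2idHasher:
    """Adapter over argon2-cffi (pip install argon2-cffi); PasswordHasher defaults to Argon2id."""
    def __init__(self):
        from argon2 import PasswordHasher
        from argon2.exceptions import VerificationError
        self._ph = PasswordHasher()
        self._errors = (VerificationError, ValueError)  # mismatch, and malformed stored hash

    def hash(self, key: str) -> str:
        return self._ph.hash(key)

    def verify(self, stored: str, key: str) -> bool:
        try:
            return self._ph.verify(stored, key)
        except self._errors:
            return False


class ScryptHasher:
    """Stdlib stand-in so the example runs without argon2-cffi. The page's measure is
    Argon2id; the store does not care which hasher it is given."""
    N, R, P = 2 ** 14, 8, 1

    def hash(self, key: str) -> str:
        salt = secrets.token_bytes(16)
        digest = hashlib.scrypt(key.encode(), salt=salt, n=self.N, r=self.R, p=self.P)
        return "scrypt$%s$%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

    def verify(self, stored: str, key: str) -> bool:
        try:
            algo, salt_b64, digest_b64 = stored.split("$")
            salt, digest = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        except ValueError:
            return False
        if algo != "scrypt":
            return False
        candidate = hashlib.scrypt(key.encode(), salt=salt, n=self.N, r=self.R, p=self.P)
        return hmac.compare_digest(candidate, digest)


@dataclass
class KeyRecord:
    key_hash: str
    owner: str
    revoked: bool = False


class ApiKeyStore:
    PREFIX_BYTES = 6    # 8 url-safe chars: enough to index on, useless to an attacker
    SECRET_BYTES = 32   # 256 bits of entropy live in the secret half

    def __init__(self, hasher):
        self._hasher = hasher
        self._by_prefix: Dict[str, KeyRecord] = {}
        self.audit: List[str] = []  # stands in for the access log: prefixes only, never keys

    def issue(self, owner: str) -> Tuple[str, str]:
        """Create a key and return (prefix, raw_key). The raw key exists only in this
        return value: the caller shows it once and drops it; the store keeps the hash."""
        prefix = secrets.token_urlsafe(self.PREFIX_BYTES)
        while prefix in self._by_prefix:
            prefix = secrets.token_urlsafe(self.PREFIX_BYTES)
        raw_key = "%s.%s" % (prefix, secrets.token_urlsafe(self.SECRET_BYTES))
        self._by_prefix[prefix] = KeyRecord(self._hasher.hash(raw_key), owner)
        self.audit.append("issued prefix=%s owner=%s" % (prefix, owner))
        return prefix, raw_key

    def revoke(self, prefix: str) -> bool:
        """Immediate: the next authenticate() for this prefix fails, no re-hash needed."""
        record = self._by_prefix.get(prefix)
        if record is None:
            return False
        record.revoked = True
        self.audit.append("revoked prefix=%s" % prefix)
        return True

    def authenticate(self, authorization_header: str) -> Optional[str]:
        """Return the owner for a valid, unrevoked 'Bearer <key>' header, else None."""
        scheme, _, raw_key = authorization_header.partition(" ")
        if scheme != "Bearer" or "." not in raw_key:
            self.audit.append("auth failed reason=malformed")
            return None
        prefix = raw_key.partition(".")[0]
        record = self._by_prefix.get(prefix)
        if record is None or record.revoked:
            self.audit.append("auth failed prefix=%s reason=%s"
                              % (prefix, "unknown" if record is None else "revoked"))
            return None
        if not self._hasher.verify(record.key_hash, raw_key):
            self.audit.append("auth failed prefix=%s reason=bad-secret" % prefix)
            return None
        self.audit.append("auth ok prefix=%s" % prefix)
        return record.owner


if __name__ == "__main__":
    store = ApiKeyStore(ScryptHasher())
    prefix, raw = store.issue("alice")
    print("show once:", raw)
    print(store.authenticate("Bearer " + raw), store.revoke(prefix), store.authenticate("Bearer " + raw))
```

Verification runs the whole raw key (prefix included) through the hasher, so a lookup by prefix that hits the wrong record still fails on the secret half. A memory-hard verify per API call is a deliberate cost; if it becomes a bottleneck, the usual answer is a short-lived in-process cache keyed by a fast hash of the raw key, invalidated on revocation, rather than a weaker stored hash.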

Logging & observability

  • Access logs are metadata-only: timestamp, status code, byte counts in/out, render duration, API key prefix. They never contain the request body or the PDF.
  • Exceptions are sent to a self-hosted Bugsink instance running on our own EU infrastructure. The Sentry SDK integration is configured with send_default_pii=False, include_local_variables=False, and max_request_body_size="never", with an additional before_send scrubber so submitted HTML and rendered PDFs are never attached to a report.
  • Metrics (request rate, latency, render duration, output size) are scraped by Scaleway Cockpit; they contain no content.
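An added example of the before_send scrubber described above, written as a pure function over the event dict the Sentry SDK passes to that hook so it can be exercised on a constructed event without the SDK installed (this is illustration code, not pdfserve.eu's hook; the key names in CONTENT_KEYS and the 256-character cap are assumptions). It drops request bodies, cookies and non-safelisted headers, removes frame locals, redacts any field named like content, and redacts any string too large to be anything but a payload, on the reasoning that an HTML document or a PDF can arrive under a key nobody thought to deny-list:

```python
"""Sentry before_send scrubber (added example; not pdfserve.eu's own hook)."""
import copy
import json

# Field names under which a request body or render output could plausibly be attached.
# Assumption: the application's own names; "data" is deliberately broad.
CONTENT_KEYS = {"html", "pdf", "body", "data", "source", "payload", "output"}
HEADER_SAFELIST = {"content-type", "content-length", "user-agent", "accept"}
MAX_STRING = 256  # anything longer in extra/contexts/breadcrumbs/tags is a payload, not a detail


def _scrub(value):
    """Recursively replace content-named keys and oversized strings."""
    if isinstance(value, dict):
        return {k: ("[redacted]" if str(k).lower() in CONTENT_KEYS else _scrub(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [_scrub(v) for v in value]
    if isinstance(value, (str, bytes)) and len(value) > MAX_STRING:
        return "[redacted %d chars]" % len(value)
    return value


def before_send(event: dict, hint: dict) -> dict:
    """Return a scrubbed copy of the event. Returning None would drop it entirely."""
    event = copy.deepcopy(event)
    request = event.get("request")
    if isinstance(request, dict):
        request.pop("data", None)          # the submitted HTML lives here if anywhere
        request.pop("cookies", None)
        request.pop("query_string", None)  # a target URL may have been passed as a parameter
        headers = request.get("headers")
        if isinstance(headers, dict):
            request["headers"] = {k: v for k, v in headers.items()
                                  if k.lower() in HEADER_SAFELIST}
    for section in ("extra", "contexts", "breadcrumbs", "tags"):
        if section in event:
            event[section] = _scrub(event[section])
    for exc in (event.get("exception") or {}).get("values", []):
        for frame in (exc.get("stacktrace") or {}).get("frames", []):
            frame.pop("vars", None)  # include_local_variables=False already; belt and braces
    return event


def configure_sentry(dsn: str) -> None:
    """Wire the scrubber in with the SDK settings the page lists. Needs sentry-sdk;
    not called by the example itself."""
    import sentry_sdk
    sentry_sdk.init(dsn=dsn, send_default_pii=False, include_local_variables=False,
                    max_request_body_size="never", before_send=before_send)


def contains(event: dict, needle: str) -> bool:
    """Substring search over the serialised event, the check a test should make."""
    return needle in json.dumps(event)


# Constructed event in the shape the SDK hands to before_send; values are made up.
SAMPLE_EVENT = {
    "message": "render failed: timeout",
    "request": {
        "url": "https://api.example/v1/render",
        "method": "POST",
        "query_string": "url=https://customer.example/private",
        "headers": {"Authorization": "Bearer pk_secret", "Content-Type": "text/html",
                    "Cookie": "session=abc"},
        "cookies": {"session": "abc"},
        "data": "<html><body>secret</body></html>",
    },
    "extra": {"html": "<html>secret</html>", "render_ms": 4312, "note": "x" * 5000},
    "breadcrumbs": {"values": [{"category": "httplib",
                                "data": {"url": "https://customer.example/logo.png"}}]},
    "exception": {"values": [{"type": "TimeoutError", "stacktrace": {"frames": [
        {"function": "render", "vars": {"html": "<html>secret</html>"}}]}}]},
}


if __name__ == "__main__":
    print(json.dumps(before_send(SAMPLE_EVENT, {}), indent=2))
```

The size cap is the part worth keeping even if the key list is tuned: it is the only rule that catches a payload attached under an unexpected name, at the price of occasionally truncating a long but harmless string.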

Reporting a vulnerability

Email security@pdfserve.eu with details and any reproduction steps. We aim to acknowledge within one business day. Please do not run automated scanners against production hosts — we’re happy to provide a staging endpoint on request.