Trust centre

Security

Security is described as implemented controls and known limits, without certifications or absolute guarantees.

Last reviewed:

Application controls

Priority uploads are bounded by file count and size, checked against expected file signatures and parsed before processing. User-facing errors avoid returning stack traces.

  • Production containers run as a non-root user.
  • Security headers restrict framing, content sniffing and unnecessary browser permissions.
  • Document filenames and contents are excluded from the analytics interface.

Transport and storage

The production site is expected to use HTTPS at its edge, and HTTPS responses include HSTS. Some tools process bytes in memory; disk-backed jobs use application-managed temporary directories.

The repository does not verify storage-at-rest encryption, hosting region, backup behaviour or proxy log retention. Those facts require production-operator confirmation.

Report a vulnerability

Use the Contact page or the configured security email in security.txt. Do not include exploit data containing another person's document or personal information in a public issue.