Security: Practical & transparent

For pdfmagik.com — Last updated:

We take a minimalist approach to data: keep as little as possible, for as short as possible, and protect it with layered controls.

1) Overview

  • Solo operator. No third‑party staff have routine access to systems.
  • Regions: Primary processing on India‑based servers; additional EU‑hosted Hostinger VPS.
  • Data minimization: Uploaded files and outputs auto‑delete within 5 hours (typically 4–5 hours).
  • No ads or trackers. Google Analytics (GA4) only with consent; IP anonymization; Ads features disabled.

2) Data handling

  • File storage: Short‑lived working storage; periodic clean‑up jobs delete expired files.
  • Logs: Retained up to 90 days for security & reliability, then deleted or aggregated.
  • Backups: Minimal and configuration‑focused; user uploads are not long‑term archived.
  • PII avoidance: Do not include personal data in file names/URLs.

3) Encryption

  • In transit: HTTPS/TLS for all client traffic.
  • At rest: Provider‑level disk encryption for servers; short‑lived files reside on encrypted volumes.
  • Secrets: Stored outside code repos; rotated when appropriate.

4) Network & infrastructure

  • Hardened Linux hosts with regular security updates.
  • Firewall rules restrict inbound traffic to HTTPS and required services.
  • SSH access limited; keys preferred; 2FA on provider consoles.
  • Reverse proxy serves static policy pages and terminates TLS.

5) Application security

  • Dependency updates tracked; only necessary libraries are used.
  • Input validation and file‑type checks for upload features.
  • Rate‑limiting and basic abuse detection to protect availability.
  • Separate environments for testing vs. production when needed.

6) Logging & monitoring

  • Web/application logs with rotation and retention limits (~90 days).
  • Health and error monitoring to detect failures quickly.
  • Access to logs is restricted to the operator.

7) Incident response

  1. Detect & triage: Investigate alerts or reports immediately and assess impact.
  2. Contain & remediate: Revoke keys, patch, isolate services, and rotate credentials.
  3. Notify: If user data is affected, notify impacted users and (where required) regulators without undue delay.
  4. Post‑mortem: Document root cause and preventive actions.

8) Vulnerability Disclosure Policy (VDP)

We welcome good‑faith reports. If you find a security issue, please email pdfmagik@gmail.com.

Safe harbor

  • Make a good‑faith effort to avoid privacy violations, data destruction, or service disruption.
  • Do not access, modify, or exfiltrate data that is not yours. Proof‑of‑concept only.
  • No social engineering, physical attacks, or denial‑of‑service.

Reporting

  • Include steps to reproduce, impact, affected URLs/endpoints, and any logs/screenshots.
  • We aim to acknowledge within 72 hours and provide an initial assessment within 7 days.
  • Fix timelines depend on severity and complexity; we'll keep you updated.
  • No monetary bounties at this time, but we're happy to provide thanks/credit where appropriate.

9) Technical appendix (optional hardening)

The following HTTP headers are recommended in production. Adjust directives to your stack.

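# Example (nginx)
# Note: a block that declares its own add_header does not inherit these
# from the enclosing level; repeat them in any such block.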
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff always;
add_header X-Frame-Options DENY always;
add_header Referrer-Policy no-referrer-when-downgrade always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
# Consider a CSP after testing inline scripts:
# add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: https://www.googletagmanager.com https://www.google-analytics.com; script-src 'self' https://www.googletagmanager.com; connect-src 'self' https://www.google-analytics.com; style-src 'self' 'unsafe-inline';" always;
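
To confirm that a deployment actually returns the headers recommended above, this added example (not PDFMagik's own code) audits a raw HTTP response head against the values in the nginx snippet. The function names and the sample response are constructed for illustration.

```python
import re

# Expected values come from the nginx example above; each check returns True when met.
def _hsts_ok(v):
    m = re.search(r"max-age=(\d+)", v, re.I)
    return bool(m) and int(m.group(1)) >= 31536000 and "includesubdomains" in v.lower()

def _perm_ok(v):
    compact = v.replace(" ", "").lower()
    return all(f"{feat}=()" in compact for feat in ("geolocation", "microphone", "camera"))

CHECKS = {
    "strict-transport-security": _hsts_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() == "DENY",
    "referrer-policy": lambda v: v.strip().lower() == "no-referrer-when-downgrade",
    "permissions-policy": _perm_ok,
}

def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased name: [values]}."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return {header: 'ok' | 'weak' | 'missing' | 'duplicate'} per recommended header."""
    headers = parse_headers(raw)
    result = {}
    for name, check in CHECKS.items():
        values = headers.get(name, [])
        if not values:
            result[name] = "missing"
        elif len(values) > 1:
            result[name] = "duplicate"  # emitted by two layers, e.g. app and proxy
        else:
            result[name] = "ok" if check(values[0]) else "weak"
    return result

# Constructed sample: an error response carrying only part of the header set.
SAMPLE_404 = ("HTTP/1.1 404 Not Found\r\nStrict-Transport-Security: max-age=300\r\n"
              "X-Content-Type-Options: nosniff\r\nX-Frame-Options: DENY\r\n"
              "X-Frame-Options: SAMEORIGIN\r\n\r\n")

if __name__ == "__main__":
    print(audit(SAMPLE_404))
```

Run it against error responses as well as 200s: without the `always` parameter nginx does not add these headers to most 4xx/5xx responses.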

10) Contact

Security questions or reports: pdfmagik@gmail.com