Skip to main content

Security at One23PDF

Your files never touch our infrastructure. Here's how our zero-trust architecture keeps your documents safe.

Our Security Model

One23PDF operates on a zero-trust architecture: your files never touch our infrastructure. There is no server to breach, no database to leak, and no transmission to intercept.

All PDF processing runs inside your browser's sandboxed JavaScript environment. This means your files are isolated by the same security boundaries that protect your banking sessions and password managers.

🛡️ The safest server is the one that never sees your files.

How We Handle Files

Every step of the file lifecycle happens on your device.

📂

File Input

Files are read using the browser's File API. They are loaded into memory as ArrayBuffers — never sent over the network.

⚙️

Processing

JavaScript libraries (pdf-lib, jsPDF, PDF.js) operate on ArrayBuffers directly in your browser's memory.

💾

Output

Processed files are generated as Blob URLs — temporary links that exist only in your browser session for download.

🧹

Cleanup

When you close the tab or navigate away, all memory is freed by the browser. No persistent storage, no traces left behind.

Threat Model

We're transparent about what we protect against — and what we don't.

✅ What We Protect Against

N/A

Server Breaches

Not applicable — there is no server storing your files.

N/A

Data Leaks in Transit

Not applicable — your files are never transmitted over the network.

N/A

Unauthorized Server Access

Not applicable — files stay local to your browser at all times.

N/A

Third-Party Data Sharing

No file data is shared with any third party, ad network, or analytics provider.

⚠️ What We Don't Protect Against

⚠️

Local Device Compromise

If malware has access to your device, it can access any file you open — including files processed by One23PDF. This is true for any local application.

⚠️

Browser Vulnerabilities

Exploits in your browser engine could theoretically access in-memory data. Keep your browser updated to mitigate this risk.

⚠️

Malicious Browser Extensions

Extensions with broad permissions can read page content. We recommend reviewing your installed extensions.

Browser Security Features

We leverage built-in browser security mechanisms to protect your data.

Same-Origin Policy

Your file data is isolated to the One23PDF origin. No other website can access data processed in our tab.

Content Security Policy

We use strict CSP headers to prevent cross-site scripting (XSS) and unauthorized resource loading.

No eval() or Unsafe Scripts

Our processing code never uses eval() or unsafe inline scripts. All code is statically bundled and verified.

Web Worker Isolation

Heavy PDF processing runs in Web Workers — separate threads with their own isolated memory space.

Responsible Disclosure

We take security seriously and welcome reports from the security community. If you discover a vulnerability in One23PDF, please report it responsibly.

📧 Security contact: security@one23pdf.com

📋 What to include: A clear description of the vulnerability, steps to reproduce, and any relevant screenshots or logs.

⏱️ Response time: We aim to acknowledge reports within 48 hours and provide a resolution timeline within 5 business days.

Please do not publicly disclose vulnerabilities until we've had a chance to address them. We appreciate your help in keeping One23PDF and its users safe.