Trust
Last reviewed July 10, 2026
Security & data handling.
doclinth processes your customers’ data on your behalf, so we keep data handling deliberately minimal. Here is plainly what happens to your data, where rendering runs, and how to reach us about security.
Rendering
How rendering handles your data
- Render payload retention
- Synchronous render data is processed in memory and is not written to our database. Async jobs pass the payload through Upstash QStash for delivery and retries.
- Binary output is never stored
- In the default binary mode the finished PDF is streamed straight back to you and never retained.
- URL-mode output is short-lived
- When you request output as a URL, the PDF is written to private object storage behind a link that expires after 24 hours. An hourly purge removes objects after that threshold.
- Logs are metadata only
- Generation logs record status, timing, output size, error codes, and the template version — never the document contents or the rendered PDF.
Isolation
Where rendering runs
- A separate render service
- PDF rendering runs in its own isolated service, apart from the application and database.
- Locked-down egress
- The render environment cannot reach private networks; outbound traffic is restricted to what a document legitimately needs.
- Template HTML is sanitized
- Template markup is sanitized before it renders, as defense in depth against script injection.
- SSRF-guarded image proxy
- External images referenced by a template load through a proxy that validates the destination, so templates cannot be used to reach internal resources.
Access
Keys and access
- API keys stored as one-way hashes
- API keys are random high-entropy secrets stored only as SHA-256 hashes. The full key is shown once, at creation, and never again.
- Separate, revocable keys
- Test and live keys are distinct and can be revoked at any time. Test-key renders are for development and never consume your monthly quota.
- Signed webhooks
- Webhook payloads are signed so you can verify they came from us, and destination URLs are validated against SSRF before we deliver.
AI
AI boundaries
- Authoring prompts only
- When you use AI template authoring, your prompt and the current template draft are sent to Google and Anthropic to generate template HTML.
- Render data never goes to AI
- The data you later render into PDFs is never sent to any AI provider. Generation is deterministic and never calls a model.
- PDF import is opt-in
- A PDF is sent to our AI provider only when you upload one for import, and the original file is deleted once the import finishes or fails.
Subprocessors
Who helps run the service
We rely on the following subprocessors to operate the service. Data is in transit over TLS; Supabase encrypts data at rest.
- Vercel
- Application hosting.
- Supabase
- Database, authentication, and object storage.
- Fly.io
- The isolated PDF render service.
- Upstash
- Rate limiting and QStash asynchronous job delivery.
- Dodo Payments
- Billing, as merchant of record.
- Google and Anthropic
- AI template authoring and the optional PDF-import feature.
Disclosure
Reporting a vulnerability
Found a security issue? Email security@doclinth.com with the details and steps to reproduce. We investigate every report and will work with you on a coordinated fix. Our machine-readable policy lives at /.well-known/security.txt.
We hold no formal security certifications today, and we will not claim any we do not have. This page reflects how the service actually works as of the review date above.
For the formal policy on what we collect and how we use it, see the Privacy Policy or write to privacy@doclinth.com. To delete your account and its data, contact support@doclinth.com.