Trust

Last reviewed July 10, 2026

Security & data handling.

doclinth processes your customers’ data on your behalf, so we keep data handling deliberately minimal. Here is plainly what happens to your data, where rendering runs, and how to reach us about security.

Rendering

How rendering handles your data

Render payload retention
Synchronous render data is processed in memory and is not written to our database. Async jobs pass the payload through Upstash QStash for delivery and retries.
Binary output is never stored
In the default binary mode the finished PDF is streamed straight back to you and never retained.
URL-mode output is short-lived
When you request output as a URL, the PDF is written to private object storage behind a link that expires after 24 hours. An hourly purge removes objects after that threshold.
Logs are metadata only
Generation logs record status, timing, output size, error codes, and the template version — never the document contents or the rendered PDF.

Isolation

Where rendering runs

A separate render service
PDF rendering runs in its own isolated service, apart from the application and database.
Locked-down egress
The render environment cannot reach private networks; outbound traffic is restricted to what a document legitimately needs.
Template HTML is sanitized
Template markup is sanitized before it renders, as defense in depth against script injection.
SSRF-guarded image proxy
External images referenced by a template load through a proxy that validates the destination, so templates cannot be used to reach internal resources.

Access

Keys and access

API keys stored as one-way hashes
API keys are random high-entropy secrets stored only as SHA-256 hashes. The full key is shown once, at creation, and never again.
Separate, revocable keys
Test and live keys are distinct and can be revoked at any time. Test-key renders are for development and never consume your monthly quota.
Signed webhooks
Webhook payloads are signed so you can verify they came from us, and destination URLs are validated against SSRF before we deliver.

AI

AI boundaries

Authoring prompts only
When you use AI template authoring, your prompt and the current template draft are sent to Google and Anthropic to generate template HTML.
Render data never goes to AI
The data you later render into PDFs is never sent to any AI provider. Generation is deterministic and never calls a model.
PDF import is opt-in
A PDF is sent to our AI provider only when you upload one for import, and the original file is deleted once the import finishes or fails.

Subprocessors

Who helps run the service

We rely on the following subprocessors to operate the service. Data is in transit over TLS; Supabase encrypts data at rest.

Vercel
Application hosting.
Supabase
Database, authentication, and object storage.
Fly.io
The isolated PDF render service.
Upstash
Rate limiting and QStash asynchronous job delivery.
Dodo Payments
Billing, as merchant of record.
Google and Anthropic
AI template authoring and the optional PDF-import feature.

Disclosure

Reporting a vulnerability

Found a security issue? Email security@doclinth.com with the details and steps to reproduce. We investigate every report and will work with you on a coordinated fix. Our machine-readable policy lives at /.well-known/security.txt.

We hold no formal security certifications today, and we will not claim any we do not have. This page reflects how the service actually works as of the review date above.

For the formal policy on what we collect and how we use it, see the Privacy Policy or write to privacy@doclinth.com. To delete your account and its data, contact support@doclinth.com.