Security Policy
Last Updated and Effective Date: February 2026
Operated By: Fikirizma Media (Antalya, Türkiye)
Website: www.freepdf.co
At Fikirizma Media (“Company”, “we”, “us”, or “our”), the security, integrity, and confidentiality of your documents are our highest priorities. FreePDF is engineered from the ground up to provide enterprise-grade security for both casual users and corporate clients.
This Security Policy outlines the technical, administrative, and physical safeguards we employ to protect your data and User Content when you use the www.freepdf.co website and its associated document processing tools (the “Service”).
1. Data Encryption (In Transit and At Rest)
1.1. Encryption in Transit (TLS/SSL): All communications between your web browser or mobile device and our servers are strictly encrypted using industry-standard Transport Layer Security (TLS 1.2 or higher). We enforce HTTPS across all our domains and API endpoints, preventing man-in-the-middle (MitM) attacks and ensuring that your files cannot be intercepted while they are being uploaded or downloaded.
1.2. Encryption at Rest: When a file requires server-side processing, it is temporarily stored in highly secure cloud buckets (provided by Cloudflare R2). These buckets are protected by robust server-side encryption (AES-256 or equivalent). Access to these storage buckets is strictly limited to our automated internal microservices via securely rotated, temporary presigned URLs.
2. Ephemeral Storage & the 24-Hour Deletion Rule (Zero-Knowledge)
2.1. Stateless Processing Architecture: FreePDF operates as a primarily “stateless” application. Whenever technically feasible, certain document manipulations (e.g., merging, splitting, compressing) are executed entirely client-side (within your own browser) using WebAssembly and advanced JavaScript libraries. In these instances, your file never leaves your device and is never uploaded to our servers.
2.2. Automated Deletion Protocol: For complex operations that require server-side rendering (e.g., Office-to-PDF conversion, OCR processing), files are transferred to our isolated processing workers. We guarantee that all original uploaded files and their resulting processed outputs are automatically, permanently, and irreversibly purged from our servers within a maximum of twenty-four (24) hours.
2.3. Zero-Knowledge Processing: Our human operators, developers, and support staff do not have access to read, view, or extract the contents of your documents. We do not scan your files to build advertising profiles, nor do we use your proprietary documents to train Artificial Intelligence (AI) or Machine Learning models.
3. Secure Infrastructure and Access Controls
3.1. World-Class Hosting Providers: FreePDF is hosted on premium, ISO 27001-certified infrastructure provided by Hetzner (Germany/Finland) and Cloudflare. These providers maintain strict physical security protocols, redundant power supplies, and 24/7 onsite monitoring.
3.2. Isolated Worker Environments: Our document processing tasks are handled by a robust queuing system (Redis/BullMQ). Each conversion task is executed within an isolated, ephemeral Docker container. This sandboxed environment ensures that even if a malicious file (e.g., a PDF containing a virus) is uploaded, it cannot compromise the host server or access the data of other users.
3.3. DDoS Protection and Web Application Firewall (WAF): Our entire network is shielded by Cloudflare’s enterprise-grade Web Application Firewall (WAF) and DDoS mitigation services. This protects the Service against volumetric attacks, SQL injections, Cross-Site Scripting (XSS), and other common OWASP vulnerabilities.
4. Payment Security (PCI-DSS Compliance)
Fikirizma Media does not store, process, or transmit any sensitive credit card data on our servers. All financial transactions, subscription management, and localized tax calculations are securely handled by our Merchant of Record, Paddle.com.
Paddle is fully certified as a PCI-DSS Level 1 Service Provider (the highest level of security certification in the payment card industry). When you enter your billing information, it is transmitted directly to Paddle’s secure vaults.
5. Account Security and Vulnerability Management
5.1. Secure Authentication: User authentication is managed securely (via NextAuth), utilizing bcrypt hashing algorithms for passwords and secure OAuth 2.0 protocols for social logins (e.g., Google). We enforce strict password complexity requirements and implement rate-limiting on login endpoints to thwart brute-force attacks.
5.2. Continuous Monitoring and Patching: Our engineering team continuously monitors the Service for potential vulnerabilities. We proactively apply security patches to our underlying operating systems, frameworks, and processing libraries to mitigate emerging zero-day threats.
6. Reporting Security Vulnerabilities
If you are a security researcher and believe you have discovered a security vulnerability in FreePDF, we encourage you to disclose it to us responsibly. Please submit your findings via email to:
Security Team: [email protected]