🔒 Files never leave your device. All PDF processing happens 100% locally in your browser RAM.
Enterprise Audit Log

Security Audit

An engineering overview of PDF Toolkit's security safeguards, package auditing, and local browser sandboxing mechanics.

🌐

Outbound Data

0 KB Sent

📦

Core Libraries

100% Audited

🧹

RAM Storage

Transient Only

🛡️

Isolation

Browser Sandbox

1. Sandboxing & Memory Lifecycle

PDF Toolkit is a static Web Application. When you upload files to our web components, they are read as local arrays using JavaScript standard file readers. These buffers reside strictly inside the browser sandbox:

  • Heap Isolation: Browsers isolate document heap allocation on a per-tab basis. When you navigate away from or close the tab, the JavaScript garbage collector automatically purges all processed document binary fragments.
  • Zero Persistent Cache: We do not utilize IndexedDB, Cache storage, or cookies for document contents, ensuring zero persistent footprints.

2. Audited Dependencies

We rely strictly on established, open-source libraries that are extensively reviewed by the global community. These dependencies run entirely inside the client context:

pdfjs-dist (Mozilla)

Used for parsing and rendering PDF pages. Evaluates annotations, texts, viewports, and fonts locally.

pdf-lib

Handles structural mutations, metadata writes, password decryption, page extractions, and outline (bookmark) compiler trees.

3. Verifiable Network Security

You can easily audit our application yourself to confirm zero outbound network communication:

  1. Open the **Developer Console** (Press F12 or ⌥ ⌘ I) in your browser.
  2. Select the **Network** tab and check the "Preserve Log" checkbox.
  3. Upload your files, add bookmarks, merge pages, or decrypt passwords.
  4. Notice that **no outgoing HTTP POST or upload requests are registered**. All modifications proceed locally and instantly.

4. Security Compliance Standards

Since files are not transmitted to or stored on any system, PDF Toolkit is inherently compliant with:

  • GDPR: No personal details or customer documents are stored or shared.
  • HIPAA: Patient health records can be safely rotated, merged, or split without signing a BAA, because the data never leaves the local clinical device workstation.
  • ISO 27001: Complies with corporate security policies preventing document uploads to unverified third-party cloud services.
Last audited: June 20, 2026Audit Status: Passed (100% Client-Side Isolated)