Security Audit
An engineering overview of PDF Toolkit's security safeguards, package auditing, and local browser sandboxing mechanics.
Outbound Data
0 KB Sent
Core Libraries
100% Audited
RAM Storage
Transient Only
Isolation
Browser Sandbox
1. Sandboxing & Memory Lifecycle
PDF Toolkit is a static Web Application. When you upload files to our web components, they are read as local arrays using JavaScript standard file readers. These buffers reside strictly inside the browser sandbox:
- Heap Isolation: Browsers isolate document heap allocation on a per-tab basis. When you navigate away from or close the tab, the JavaScript garbage collector automatically purges all processed document binary fragments.
- Zero Persistent Cache: We do not utilize IndexedDB, Cache storage, or cookies for document contents, ensuring zero persistent footprints.
2. Audited Dependencies
We rely strictly on established, open-source libraries that are extensively reviewed by the global community. These dependencies run entirely inside the client context:
pdfjs-dist (Mozilla)
Used for parsing and rendering PDF pages. Evaluates annotations, texts, viewports, and fonts locally.
pdf-lib
Handles structural mutations, metadata writes, password decryption, page extractions, and outline (bookmark) compiler trees.
3. Verifiable Network Security
You can easily audit our application yourself to confirm zero outbound network communication:
- Open the **Developer Console** (Press F12 or ⌥ ⌘ I) in your browser.
- Select the **Network** tab and check the "Preserve Log" checkbox.
- Upload your files, add bookmarks, merge pages, or decrypt passwords.
- Notice that **no outgoing HTTP POST or upload requests are registered**. All modifications proceed locally and instantly.
4. Security Compliance Standards
Since files are not transmitted to or stored on any system, PDF Toolkit is inherently compliant with:
- GDPR: No personal details or customer documents are stored or shared.
- HIPAA: Patient health records can be safely rotated, merged, or split without signing a BAA, because the data never leaves the local clinical device workstation.
- ISO 27001: Complies with corporate security policies preventing document uploads to unverified third-party cloud services.