PDFMind

Security·Feb 14, 2026·3 min read

We're now SOC 2 Type II compliant

What it took, what changed, and why we took the long route — with AES-256 at rest, TLS 1.3 in transit, and zero data retention for enterprise.

Why SOC 2 Type II

When you upload a contract, you're trusting us with your most sensitive business data. That trust has to be provable.

SOC 2 Type II is the auditable answer. Not a self-attestation — a third party examines your controls for 6 to 12 months and reports what they found.

We just finished our Type II window. Report available on request to security@pdfpilot4u.com.

What we did

Technical controls

AES-256-GCM for data at rest (Postgres + Cloudflare R2)
TLS 1.3 for all network hops
HSM-backed key rotation every quarter
Short-lived access tokens (60-minute TTL) with refresh rotation + Redis JTI blocklist
MFA mandatory for admin accounts

Operational controls

Incident response runbook with a 4-hour RTO for critical systems
Quarterly access reviews — every employee's permissions re-approved
Mandatory security training at hire + annually
Separation of duties — deploy access ≠ prod DB access ≠ audit log read access

Data handling

24-hour default retention for uploaded files; configurable up to 90 days
Permanent deletion on request with cryptographic deletion certificates
Zero training on customer documents — contractually enforced
Regional data residency available on Business+

What's next

ISO 27001 — in progress, targeting Q3 2026
HIPAA BAA — available on Enterprise today; pursuing formal HITRUST certification
FedRAMP Moderate — evaluating feasibility for government customers

The honest part

A SOC 2 report doesn't mean you're unhackable. It means you have documented controls, tested over time, and an auditor who agrees. That's the floor — we keep pushing past it.

Questions? security@pdfpilot4u.com.

Get the next one in your inbox.

One email, every Friday. Product updates + engineering deep-dives.

Keep reading

Product

Security·Feb 14, 2026·3 min read

We're now SOC 2 Type II compliant

What it took, what changed, and why we took the long route — with AES-256 at rest, TLS 1.3 in transit, and zero data retention for enterprise.

Why SOC 2 Type II

When you upload a contract, you're trusting us with your most sensitive business data. That trust has to be provable.

SOC 2 Type II is the auditable answer. Not a self-attestation — a third party examines your controls for 6 to 12 months and reports what they found.

We just finished our Type II window. Report available on request to security@pdfpilot4u.com.

What we did

Technical controls

AES-256-GCM for data at rest (Postgres + Cloudflare R2)
TLS 1.3 for all network hops
HSM-backed key rotation every quarter
Short-lived access tokens (60-minute TTL) with refresh rotation + Redis JTI blocklist
MFA mandatory for admin accounts

Operational controls

Incident response runbook with a 4-hour RTO for critical systems
Quarterly access reviews — every employee's permissions re-approved
Mandatory security training at hire + annually
Separation of duties — deploy access ≠ prod DB access ≠ audit log read access

Data handling

24-hour default retention for uploaded files; configurable up to 90 days
Permanent deletion on request with cryptographic deletion certificates
Zero training on customer documents — contractually enforced
Regional data residency available on Business+

What's next

ISO 27001 — in progress, targeting Q3 2026
HIPAA BAA — available on Enterprise today; pursuing formal HITRUST certification
FedRAMP Moderate — evaluating feasibility for government customers

The honest part

A SOC 2 report doesn't mean you're unhackable. It means you have documented controls, tested over time, and an auditor who agrees. That's the floor — we keep pushing past it.

Questions? security@pdfpilot4u.com.

Get the next one in your inbox.

One email, every Friday. Product updates + engineering deep-dives.

Keep reading

Product

Introducing Agent Mode: one prompt, multi-tool workflows

Read

Engineering

How we got 98%+ OCR accuracy on noisy scans

Read

Research

Why PII redaction is harder than you think

Read