Security
Your documents contain sensitive data. Here is how ParseFlow ensures they are processed securely and deleted promptly.
Encryption at Rest & In Transit
All uploaded documents and extracted data are encrypted using AES-256 at rest. Data in transit is protected with TLS 1.3. We enforce HSTS with preload on all endpoints.
Data Retention & Auto-Deletion
Uploaded documents are automatically deleted within 24 hours of processing. Free tier playground files are deleted immediately after extraction. Pro accounts can configure custom retention periods.
GDPR Compliance
ParseFlow is fully GDPR-compliant. We provide data export, deletion on request, and a Data Processing Agreement (DPA) for all paying customers. Documents are processed in EU-region servers when available.
Secure File Processing
Documents are processed in isolated sandboxed environments. No file content is logged, cached, or used for model training. Each extraction request runs in its own container.
API Authentication
All API requests require authentication via API keys. Keys are generated with cryptographic randomness and can be rotated or revoked at any time from the dashboard.
Rate Limiting & Abuse Prevention
API endpoints are rate-limited per key and per IP. File size limits are enforced per plan. Suspicious upload patterns trigger automatic review.
Security Headers
Strict Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Permissions-Policy, and Referrer-Policy headers protect against XSS, clickjacking, and injection attacks.
Infrastructure
Hosted on Vercel's globally distributed edge network with SOC 2 Type II compliance, automatic failover, and 24/7 monitoring. DDoS protection is active on all endpoints.
Report a Vulnerability
If you discover a security vulnerability, please report it via security@parseflow.dev. We respond to all reports within 48 hours.