Why is DocFly Secure?
At DocFly, our reputation relies on providing all our users with an online service that is secure and private.
We have implemented a range of technical safeguards and internal policies, while complying with all applicable legal obligations, to deliver a secure service.
Commonly asked questions and specific measures to safeguard the service are described in detail below.
Security Questions & Answers
Who can view my files?
Only you can view your files.
All your files are uploaded over an encrypted connection to Amazon Web Services (AWS) Simple Storage (S3) in Ireland. Within AWS S3, the files are configured so that they are only accessible to the user who uploaded the file. Accordingly, a third party will not be able to access the file unless they are able to access your device. This means that if you share your URL with a third party while editing a PDF, they will not gain access to the file. Of course, third parties will have access if you explicitly share the file by creating a shareable link that makes your file public.
Can anyone from DocFly view my file?
No, DocFly staff are prohibited from accessing your files.
DocFly staff may only access your file if you provide your explicit permission, or if there is a legal obligation to do so (for example, due to a court order). This measure is both a regulatory obligation (such as the Swiss Federal Act on Data Protection, which requires privacy by design) and an internal policy.
To maintain maximum security, access to the company's Amazon S3 account (where all uploaded and edited files are stored) is limited to DocFly's founder and lead developer.
If I delete my file, can it be recovered?
No, deleting your file via DocFly's user interface immediately and permanently deletes the underlying file stored on Amazon S3.
As one of the largest online document services in the world, DocFly processes thousands of files each day. In order to minimize both its costs and environmental footprint, all files deleted from within the application are immediately deleted in Amazon S3. If you are concerned regarding the privacy of your file, simply delete it using our interface. Once deleted, it cannot be recovered.
How do you protect my files and data from hackers?
DocFly employs a range of measures to ensure data security. Measures include the use of complex URLs, encryption, software development best practices and network security.
While editing your file you may notice that DocFly automatically generates a complex URL. This is an additional layer of security beyond the access restrictions on the file itself: it prevents third parties from guessing the URL of your file. Other measures, such as the use of encryption (HTTPS / SSL), ensure all data transfers to and from the service are confidential. Passwords for logging into the service are also encrypted before they are stored in our database. Software development best practices are used in order to prevent code injection attacks. Finally, DocFly employs CloudFlare, a leading provider of network security, to mitigate DDoS attacks.
Where are my files and data stored?
Your files and account data are stored on Amazon Web Services (AWS) Simple Storage (S3).
In order to maximize security, DocFly does not use any in-house servers. Instead, the company uses Amazon data centers, which have been accredited under: ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), PCI Level 1, FISMA Moderate, and Sarbanes-Oxley (SOX).
Further details can be seen from https://aws.amazon.com/security/
Encrypted Data Transfers
DocFly encrypts all data that is transferred between users and its service. This means that no other party can read these data transfers as they are scrambled. To verify your data is being encrypted, most browsers include a padlock icon to the left of the DocFly URL. Clicking on the padlock will reveal details such as the independent security certificate.
Restricted File Access
Files uploaded to DocFly can only be seen by the same device that uploaded them (even on the free tier). This means that sharing the URL while using the online PDF editor will not allow another device to access the same file. Beyond restricting file access to a specific device, DocFly also uses complex URLs to make it difficult for third parties to gain access to a file by guessing a URL.
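As an added illustration (not DocFly's code, and not a description of its actual implementation), the following Python sketch shows how the two layers described above combine: an unguessable random token in the URL, plus a signed per-device credential, so that a shared URL alone does not open the file. The in-memory store, the server key and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory store: document token -> owning device id.
# Stands in for per-user object metadata; not a real storage schema.
DOCUMENTS: Dict[str, str] = {}

# Hypothetical server-side key used to sign device credentials (demo value only).
SERVER_KEY = b"constructed-demo-key-not-for-production"


def new_device_cookie() -> str:
    """Issue an opaque device credential: random id plus an HMAC tag."""
    device_id = secrets.token_urlsafe(16)
    tag = hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{tag}"


def verify_device_cookie(cookie: str) -> Optional[str]:
    """Return the device id if the credential's tag is valid, otherwise None."""
    device_id, _, tag = cookie.rpartition(".")
    expected = hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    if not device_id or not hmac.compare_digest(tag, expected):
        return None
    return device_id


def upload_document(cookie: str) -> str:
    """Register a new document under a 256-bit random token bound to the uploading device."""
    device_id = verify_device_cookie(cookie)
    if device_id is None:
        raise PermissionError("invalid device credential")
    token = secrets.token_urlsafe(32)  # 32 random bytes -> 43-char URL-safe token
    DOCUMENTS[token] = device_id
    return f"/edit/{token}"  # the "complex URL" the user sees while editing


def can_open(url: str, cookie: str) -> bool:
    """Access requires BOTH the unguessable URL and the matching device credential."""
    token = url.rpartition("/")[2]
    owner = DOCUMENTS.get(token)
    device_id = verify_device_cookie(cookie)
    return owner is not None and device_id is not None and hmac.compare_digest(owner, device_id)
```

Knowing the URL without the issuing device's credential, or holding a credential for a different device, is rejected; a tampered credential fails the HMAC check before the store is consulted.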
Software Development Best Practices
To ensure the integrity of your data, DocFly employs software development best practices. For example, the service does not allow any code to be injected into its servers. This avoids the issue of hackers injecting malicious code that may harm the service. Furthermore, all passwords and other sensitive data are encrypted before they are stored, ensuring they remain confidential even in the unlikely event of a data breach.
In order to harm a service, hackers may choose to deliberately overwhelm our bandwidth by sending many network requests. This is known as a DDoS attack. In order to defend against this scenario, we use CloudFlare, a world-leading provider of DDoS mitigation and network security.
To minimize the risk of data breaches, login access to user data and files (via third-party services such as Amazon Web Services and Heroku) is restricted to a single individual: DocFly's founder and lead developer.
As described above, all files are stored on Amazon's data centers in Ireland. In order to delete a file, simply delete it via the user interface. The underlying file held in Amazon's data centers is deleted immediately and cannot be recovered.
Data Protection Regulations
As DocFly is based in Switzerland, the company complies with all Swiss data protection laws (such as the Swiss Federal Act on Data Protection). In specific markets, the company also complies with global regulations such as GDPR in the European Union and the United Kingdom and CCPA in California.
As a result, DocFly is required to design and deliver a secure service that minimizes the potential for data breaches to the maximum extent possible. This is known as "privacy by design". Beyond designing a secure experience, the company is also required to only collect personal data that is absolutely necessary to provide the service. This is known as "privacy by default".