Die tatsächlichen Schutzmaßnahmen hinter Arawa PDF — nicht die Marketingversion.
Security on Arawa PDF is built around a single design rule: the shorter the time your files spend on our servers, and the smaller the number of outside parties that touch them, the safer they are. Every control below exists to defend that rule.
Every request — uploads, downloads, API calls, account actions — is protected with HTTPS. We accept no plaintext HTTP at any layer. TLS certificates are issued and renewed automatically by Let's Encrypt via our Caddy reverse proxy.
Every uploaded file is encrypted at the object-storage layer. A stolen disk image cannot be read without the key infrastructure. The database is encrypted at rest at the volume level.
A background sweeper runs every few minutes and permanently removes any uploaded file whose 1-hour TTL has expired. The same job runs for free and Premium accounts — there is no "keep my files" override. We do not keep backups beyond the TTL window.
Passwords are hashed with Argon2id, the current best-practice algorithm and the OWASP-recommended default. Stolen hashes cannot be reversed to recover plaintext passwords in any practical timeframe.
Every account can enable TOTP-based 2FA from /user/security. Compatible with any standard authenticator app (Google Authenticator, 1Password, Authy, Bitwarden, etc.). We do not transmit one-time codes over SMS.
Every endpoint is rate-limited per IP at the API gateway. Abusive clients are throttled to 429 responses long before they can affect other users.
Every uploaded file's first bytes are checked against the declared MIME type. A file claiming to be a PDF must actually start with the PDF magic header. Mismatched files are rejected at the gateway, before they reach any processing engine.
Strict CSP headers prevent injected scripts from running. HSTS with preload tells browsers to refuse plaintext HTTP to arawapdf.com permanently. Both are verified in browser DevTools on every response.
Each tool family (PDF engines, OCR, conversion, AI text-extraction) runs in its own container as a non-root user with limited filesystem access. A bug in one tool cannot escape into another.
These tools run entirely in your browser using pdf-lib and PDF.js. Open your browser’s Network tab while you use any of them — you will see no upload to our servers. We can’t see, store, or have your file because it never leaves your machine.
We use a small, named list of outside parties to run the Service. Each one is invoked only when you take a specific action that needs them.
| Hetzner Online GmbH | Hosts the servers and storage (Ashburn, Virginia data centre). |
| Stripe, Inc. | Receives billing data when you subscribe. We never see or store payment-card numbers. |
| Anthropic PBC | Receives extracted text only when you click Summarise or Translate. Not used to train models. |
The full list, including what we plan to add as we grow, is in the Privacy Policy.
If you believe you've found a security vulnerability, please report it privately to security@arawapdf.com. Please don't open public GitHub issues, post on social, or run aggressive scans against the live site. We will acknowledge reports within 2 business days and credit researchers (with permission) in this page when fixes ship.