
Security & Infrastructure

Last updated: March 2026 | Enterprise-Grade Security Documentation

PDF Guroovy implements enterprise-grade security measures to protect your files and data. This document details our infrastructure, encryption, and security practices.

1. Encryption & Data Protection

Encryption at Rest

AES-256 Encryption

All PDF files and documents stored on our servers are encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys), the same military-grade encryption used by governments and financial institutions.

Implementation: Each file is encrypted with a unique encryption key derived from your account credentials using PBKDF2.
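A sketch of per-file key derivation as described above, added here as an illustration and not PDF Guroovy's own code. The iteration count, the random per-file salt, the hash function and the header layout are all assumptions; the page states only PBKDF2 and AES-256.

```python
import hashlib
import os

ITERATIONS = 600_000  # assumption: the page does not state an iteration count
SALT_LEN = 16         # assumption: random per-file salt stored beside the ciphertext
KEY_LEN = 32          # 256-bit key, the size AES-256 requires
MAGIC = b"KDF1"       # hypothetical header tag


def new_file_salt() -> bytes:
    """Fresh random salt; this is what makes each file's key unique."""
    return os.urandom(SALT_LEN)


def derive_file_key(credential: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a per-file AES-256 key with PBKDF2-HMAC-SHA256 (hash is an assumption)."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly SALT_LEN bytes")
    if iterations < 1:
        raise ValueError("iterations must be positive")
    return hashlib.pbkdf2_hmac(
        "sha256", credential.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def pack_header(salt: bytes, iterations: int) -> bytes:
    """Record the KDF parameters so the key can be re-derived for decryption."""
    return MAGIC + iterations.to_bytes(4, "big") + salt


def unpack_header(header: bytes) -> tuple[bytes, int]:
    """Parse and validate a header produced by pack_header."""
    if len(header) != len(MAGIC) + 4 + SALT_LEN or not header.startswith(MAGIC):
        raise ValueError("malformed key-derivation header")
    iterations = int.from_bytes(header[4:8], "big")
    return header[8:], iterations


if __name__ == "__main__":
    credential = "constructed-example-passphrase"  # constructed sample value
    for name in ("a.pdf", "b.pdf"):
        salt = new_file_salt()
        key = derive_file_key(credential, salt)
        # Print only the non-secret header, never the derived key.
        print(name, pack_header(salt, ITERATIONS).hex(), len(key) * 8, "bit key")
```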

Encryption in Transit

TLS 1.3 Protocol

All data transmitted between your browser and our servers is encrypted using TLS 1.3, the latest version of the Transport Layer Security protocol.

Certificate: Valid SSL/TLS certificate from DigiCert, ensuring domain verification and HTTPS encryption.

Additional Encryption Layer

Fernet Symmetric Encryption

Sensitive metadata (file names, user settings) are encrypted using Fernet, which provides authenticated encryption and prevents tampering.

Key Rotation: Encryption keys are rotated quarterly to maintain security.

2. Infrastructure & Hosting

Data Centers

Primary Data Center: OVH VPS (European Union)

  • Location: Strasbourg, France
  • Region: EU-Protected
  • Compliance: GDPR Article 32 compliant
  • Redundancy: 3-way replication across locations

Storage Architecture

  • Primary Storage: OVH VPS with RAID-10 disk configuration for fault tolerance
  • Object Storage: AWS S3 (EU-WEST-1 region) for long-term backup and archive
  • Database: PostgreSQL 14+ with automated daily backups
  • Backup Redundancy: Multiple geographic locations with automated failover

Network Security

  • DDoS protection via Cloudflare Enterprise
  • Web Application Firewall (WAF) with OWASP Top 10 protections
  • Rate limiting to prevent brute force attacks
  • IP whitelisting for admin access
  • VPN requirement for staff access to production systems

3. Access Control & Authentication

User Authentication

Multi-Factor Authentication (MFA)

Business plan users can enable two-factor authentication (2FA) using TOTP apps like Google Authenticator.

Backup Codes: 10 backup codes are provided for account recovery if the authenticator is lost.

Password Security

  • Minimum 12 characters (uppercase, lowercase, numbers, special characters)
  • Passwords hashed using bcrypt with 12-round salt
  • No password history requirements
  • Session timeout: 24 hours of inactivity

Staff Access Control

Role-Based Access Control (RBAC)

PDF Guroovy staff access is strictly controlled through role-based permissions:

  • Admin: Full system access with audit logging
  • Support: View-only access to user information for support
  • Developer: Database and code access with logging
  • Ops: Infrastructure management with change tracking

Audit Logging

  • All admin actions logged with timestamp, actor, action, and result
  • User login attempts (successful and failed) recorded
  • File access logs showing who accessed which files and when
  • Data export requests logged with approval workflow
  • Audit logs retained for 2 years for security investigations

4. File Security & Data Handling

Upload Scanning

Malware Detection

All uploaded files are scanned for malware using the ClamAV antivirus engine before storage.

Suspicious files are quarantined and the user is notified. Confirmed malicious files are deleted and the security team is alerted.

File Isolation

  • Each user's files stored in isolated encrypted containers
  • Cross-user access is impossible due to encryption and database isolation
  • File sharing uses time-limited, single-use tokens that expire after 30 days

Automatic Purging Schedule

DELETED FILES:
- Immediate soft-delete (marked as deleted, not removed)
- Hard-delete after 30 days (recoverable from backup)
- Permanently purged from all backups after 90 days

INACTIVE ACCOUNTS:
- No activity for 90 days triggers account review
- User notified 14 days before purge
- Automatic data deletion 90 days after notification
- Billing records retained for 7 years per tax law

INACTIVE SESSION DATA:
- Session tokens expire after 24 hours
- Temporary files in upload queue deleted after 6 hours

5. Vulnerability Management

Security Audits

  • Internal Audits: Monthly security reviews of codebase and infrastructure
  • External Audits: Quarterly penetration testing by third-party security firm
  • Code Reviews: All production code reviewed for security issues before deployment
  • Dependency Scanning: Automated scanning of dependencies for known vulnerabilities

Vulnerability Disclosure

Responsible Disclosure Program

If you discover a security vulnerability, please report it responsibly:

  • Email: security@guroovy.tech
  • Response Time: 24 hours initial response, 7 days remediation plan
  • No Public Disclosure: Please do not disclose the vulnerability publicly until we have patched it
  • Bug Bounty: Significant vulnerabilities may qualify for rewards

6. Compliance & Certifications

  • GDPR Compliant
  • ISO 27001 Certified
  • SOC 2 Type II
  • CCPA Compliant
  • HIPAA Ready

Compliance Details

  • GDPR: Full compliance with data protection regulations for EU residents
  • ISO 27001: Information security management system certified by DNV
  • SOC 2 Type II: Security, availability, and confidentiality controls audited
  • CCPA: California Consumer Privacy Act compliance for US users
  • Data Minimization: We collect only data necessary for service provision

7. Incident Response

Security Incident Procedures

Response Protocol

  1. Detection: Automated alerts and manual monitoring detect incidents
  2. Containment: Affected systems isolated within 15 minutes
  3. Investigation: Forensic analysis begins immediately
  4. Notification: Affected users notified within 24 hours if their data is exposed
  5. Remediation: Systems restored from clean backups
  6. Post-Mortem: Root cause analysis and preventive improvements

Data Breach Notification

In the unlikely event of a data breach:

  • Affected users notified within 24 hours via email
  • Regulatory authorities notified within 72 hours if required by law
  • Public statement published within 48 hours with incident summary
  • Complimentary credit monitoring offered if personal data is exposed

8. Third-Party Security

Service Provider Security Requirements

  • Stripe (Payments): PCI-DSS Level 1 certified, no card data stored by us
  • SendGrid (Email): SOC 2 Type II certified, encrypted data transmission
  • Google Analytics: Anonymized data only, opt-out available
  • AWS S3 (Backups): Encrypted object storage with access logging

All third parties are contractually required to maintain security standards and are audited annually.

9. Physical Security

Data Center Security

  • OVH data center: 24/7 physical security with camera surveillance
  • Biometric access control for server room entry
  • Fire suppression systems (FM-200, not water-based)
  • Redundant power supplies with UPS and diesel generators
  • HVAC systems with automatic temperature and humidity monitoring
  • Video surveillance with 90-day recording retention

10. Disaster Recovery & Business Continuity

Backup & Recovery

BACKUP SCHEDULE:
- Hourly incremental backups (kept for 24 hours)
- Daily full backups (kept for 30 days)
- Weekly full backups (kept for 90 days)
- Monthly full backups (kept for 1 year)

RECOVERY TIME OBJECTIVE (RTO): 4 hours
RECOVERY POINT OBJECTIVE (RPO): 1 hour

All backups encrypted and stored geographically separate.
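One way to audit a backup catalog against the schedule above, added here as an example and not PDF Guroovy's own tooling. The catalog format, the function name and the reading of "1 year" as 365 days are assumptions; the sample catalog is constructed.

```python
from datetime import datetime, timedelta, timezone

# Retention windows and RPO as stated in the schedule above.
RETENTION = {
    "hourly": timedelta(hours=24),
    "daily": timedelta(days=30),
    "weekly": timedelta(days=90),
    "monthly": timedelta(days=365),  # assumption: "1 year" taken as 365 days
}
RPO = timedelta(hours=1)


def audit_backups(catalog, now):
    """Split a backup catalog into keep/prune lists and check the RPO.

    catalog: iterable of (kind, taken_at) with timezone-aware datetimes.
    Returns a dict with 'keep', 'prune' and 'rpo_met'.
    """
    keep, prune = [], []
    for kind, taken_at in catalog:
        if kind not in RETENTION:
            raise ValueError(f"unknown backup kind: {kind!r}")
        if taken_at > now:
            # A future timestamp means clock skew or a tampered catalog entry.
            raise ValueError(f"backup dated in the future: {taken_at.isoformat()}")
        expired = now - taken_at > RETENTION[kind]
        (prune if expired else keep).append((kind, taken_at))
    # RPO: the newest retained backup must be no older than one hour.
    newest = max((t for _, t in keep), default=None)
    rpo_met = newest is not None and now - newest <= RPO
    return {"keep": keep, "prune": prune, "rpo_met": rpo_met}


# Constructed sample catalog, not real backup data.
NOW = datetime(2026, 3, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    ("hourly", NOW - timedelta(minutes=40)),  # keep; satisfies the 1-hour RPO
    ("hourly", NOW - timedelta(hours=25)),    # prune: past 24 hours
    ("daily", NOW - timedelta(days=29)),      # keep
    ("weekly", NOW - timedelta(days=91)),     # prune: past 90 days
    ("monthly", NOW - timedelta(days=200)),   # keep
]

if __name__ == "__main__":
    report = audit_backups(SAMPLE, NOW)
    print(len(report["keep"]), "kept,", len(report["prune"]), "to prune,",
          "RPO met" if report["rpo_met"] else "RPO violated")
```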

Failover Procedures

  • Database failover: Automatic, less than 5 minutes downtime
  • File storage failover: Automatic via S3 replica
  • Application failover: Manual, less than 30 minutes downtime
  • Quarterly disaster recovery drills conducted

11. Security Contact

For security concerns and vulnerability reports:

  • Email: security@guroovy.tech
  • Response Time: 24 hours guaranteed
  • PGP Key: Available on request for encrypted communications

PDF Guroovy security practices are continuously reviewed and updated to address emerging threats. This document reflects our security posture as of March 2026.
