At Filecheck, we understand that your files, designs, and preflight reports are highly sensitive intellectual property. Our platform is built from the ground up to guarantee data isolation, minimize retention, and ensure that no file is ever exposed via static or public-read URLs.
This document details our security practices, infrastructure architecture, and data protection controls.
1. DATA ARCHITECTURE: WE ARE NOT A CDN
Unlike general-purpose upload widgets or Content Delivery Networks (CDNs), Filecheck is not a public storage repository.
- No Static or Public-Read Links: By default, no file processed or stored by Filecheck is exposed via static or unauthenticated public-read URLs. All resources are kept in private, non-public storage buckets.
- Authenticated S3 Signed Requests: Every single customer file, preflight report, or visual soft-proof is secured behind private AWS S3 buckets. Access is gated strictly through temporary, cryptographically signed requests (presigned URLs) with short-lived expiration windows (typically expiring within minutes).
- Zero Leak Vector: Since there are no static, public URLs for your uploads, malicious third parties cannot enumerate, scan, or guess files or reports. Once a signed request expires, its signature is no longer accepted, preventing any subsequent access.
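How an expiry that is covered by the signature behaves, as an added example (not Filecheck's code): the sketch follows the AWS Signature Version 4 query-string signing layout using only the Python standard library. The access key, secret, bucket host and object key are constructed sample values, and `presign` and `check` are hypothetical helper names.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlsplit

FMT = "%Y%m%dT%H%M%SZ"

def _query(params):
    # Canonical query string: sorted keys, strict RFC 3986 percent-encoding.
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))

def _signature(secret, region, host, path, params):
    amz_date = params["X-Amz-Date"]
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    canonical = "\n".join(["GET", path, _query(params), f"host:{host}", "", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in scope.split("/"):  # date, region, service, terminator
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def presign(access_key, secret, region, host, key, now, expires):
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{now:%Y%m%d}/{region}/s3/aws4_request",
        "X-Amz-Date": now.strftime(FMT),
        "X-Amz-Expires": str(expires),  # lifetime in seconds, covered by the signature
        "X-Amz-SignedHeaders": "host",
    }
    path = "/" + quote(key, safe="/")
    sig = _signature(secret, region, host, path, params)
    return f"https://{host}{path}?{_query(params)}&X-Amz-Signature={sig}"

def check(url, secret, region, now):
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    presented = params.pop("X-Amz-Signature", "")
    try:
        expected = _signature(secret, region, parts.netloc, parts.path, params)
        issued = datetime.strptime(params["X-Amz-Date"], FMT).replace(tzinfo=timezone.utc)
        lifetime = timedelta(seconds=int(params["X-Amz-Expires"]))
    except (KeyError, ValueError):
        return "malformed"
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return "bad-signature"  # any edited parameter, including the expiry, lands here
    return "expired" if now > issued + lifetime else "ok"

# Constructed sample values; not real credentials or Filecheck resources.
T0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
URL = presign("AKIDEXAMPLE", "constructed-secret", "eu-central-1",
              "example-bucket.s3.eu-central-1.amazonaws.com", "reports/job-1.pdf", T0, 300)
```

Within its window a presigned URL works for whoever holds it, so the short lifetime is what bounds exposure if a link is forwarded or logged.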
2. DATA MINIMIZATION & ZERO-RETENTION PIPELINE
We believe the most secure data is the data we do not keep. We have designed Filecheck to function as a stateless validation proxy:
- Sovereign BYO Storage (Zero-Retention): When using our “Bring Your Own Storage” (BYOS) configuration, Filecheck acts strictly as a secure validation proxy. Files are sent to our isolated execution workers, analyzed, repaired/optimized according to your preflight rules, immediately uploaded directly to your own storage (e.g., your Amazon S3, Google Cloud Storage, or private DAM), and then completely purged from our transient processing servers.
- Transient Processing Logs: Once a preflight job is completed, any temporary scratch files created during PDF extraction, colorspace conversion, or rendering are instantly erased.
- Minimal Metadata Retention: We only store the structural metadata reports (such as page count, size, DPI, and pass/fail statuses) required to populate your dashboard and charge credits.
3. ENCRYPTION & DATA PROTECTION
We apply rigorous encryption standards both when data is moving and when it is stored:
Encryption in Transit
- All API requests, dashboard interactions, and widget uploads are encrypted using TLS 1.2 or TLS 1.3 (HTTPS) with strong cipher suites.
- Unencrypted HTTP connections are automatically redirected to HTTPS.
Security at Rest (Encryption at Rest)
- All metadata, configuration schemas, and temporary processing databases are encrypted at rest using AES-256 encryption keys managed via AWS Key Management Service (KMS).
- Any transient storage volumes used during file processing are fully encrypted with AES-256 at the block storage layer.
4. INFRASTRUCTURE & AWS DATACENTER LOCATION
Our entire infrastructure is hosted on Amazon Web Services (AWS), leveraging the physical and network security standards of the world’s leading cloud provider.
- Datacenter Location: All primary servers, serverless compute functions, and storage buckets are located exclusively in the AWS EU-Central-1 (Frankfurt, Germany) region.
- Data Sovereignty: Hosting our systems in Frankfurt ensures that your data remains within the European Union, complying fully with EU data processing standards.
- Tenant Isolation: Preflight jobs run in isolated, containerized environments. A file processed for one customer cannot access the execution space, memory, or storage allocated to another customer.
5. GDPR COMPLIANCE & EU DATA SOVEREIGNTY
Filecheck is fully compliant with the General Data Protection Regulation (GDPR). Because our parent entity and datacenter are located within the European Union, data protection is embedded directly into our legal and operational design:
- EU-Based Ownership: Filecheck is owned and operated by Print.App ApS, a registered Danish corporation (CVR: 45469808) based in Copenhagen, Denmark.
- Data Sovereignty (No Transfer Risks): Our infrastructure is hosted entirely in Frankfurt, Germany with automated backups in Stockholm, Sweden. Your customer uploads and report data never leave the EU.
- Data Processing Addendum (DPA): We offer a standard Data Processing Addendum (DPA) incorporating Article 28 GDPR requirements for our business and enterprise clients.
- Data Subject Rights Support: We provide automated and manual mechanisms to assist customers in fulfilling their users’ data subject rights (access, rectification, and erasure/deletion).
6. NETWORK SECURITY & COMPLIANCE
- No Persistent VM Instances: Filecheck runs on AWS serverless compute engines (AWS Lambda / AWS Fargate). Because there are no long-lived, open-port virtual machines, the attack surface for server intrusions or targeted exploits is minimized.
- Firewalls & Protection: AWS Shield and AWS WAF (Web Application Firewall) protect our APIs against Distributed Denial of Service (DDoS) attacks, SQL injection, and cross-site scripting (XSS).
- Payment Compliance: Filecheck uses Stripe for subscription and credit billing. Filecheck never stores or transmits credit card numbers. Stripe is certified as a PCI DSS Level 1 Service Provider.
If you believe you have discovered a security vulnerability or have questions about our security controls, please contact our team immediately:
- Security Email: filecheck@print.app
- Please provide detailed steps to reproduce the issue, and we will prioritize investigation and remediation.