Uploads and downloads happen over TLS. No plaintext file content ever touches the network.
Every upload, successful or not, is purged an hour after arrival. Nothing stays.
Each conversion runs in its own ephemeral container. Nothing from one job can touch another.
Your download link is a short-lived signed URL. It expires with the file.
There is no UI for us to browse uploaded files. Access is limited to on-call engineers for debugging, audited, and rare.
Compute and storage run on Google Cloud Platform, which handles physical security, network-layer DDoS mitigation, and patching.
If you've found something, please tell us before you tell anyone else. Email security@formatly.app with reproduction steps. We acknowledge within 24 hours and aim to ship a fix quickly. We don't run a paid bounty, but we will publicly thank you (or not — your choice) in the release notes.