Security — Formatly

01 / TRANSPORT

HTTPS, always

Uploads and downloads happen over TLS. No plaintext file content ever touches the network.

02 / RETENTION

Auto-delete in 1h

Every upload, successful or not, is purged an hour after arrival. Nothing stays.

03 / ISOLATION

Per-job workers

Each conversion runs in its own ephemeral container. Nothing from one job can touch another.

04 / ACCESS

Signed URLs only

Your download link is a short-lived signed URL. It expires with the file.

05 / HUMANS

No one reads them

There is no UI for us to browse uploaded files. Access is limited to on-call engineers for debugging, audited, and rare.

06 / HOSTING

Google Cloud

Compute and storage run on Google Cloud Platform, which handles physical security, network-layer DDoS mitigation, and patching.

What happens to your file, minute by minute

T + 0s

Browser uploads over HTTPS. File is written to a signed, time-boxed Cloud Storage bucket.

T + 1–5s

Task queued. A fresh worker container picks it up.

T + 5–60s

Conversion runs in the isolated worker. Output is written back to the same bucket.

T + ~60s

You get a signed download URL. It's good for a few minutes.

T + 1h

Bucket lifecycle rule deletes the source and output files. The worker container is already gone.

What we don't do

✗ Keep copies past the 1-hour window.
✗ Read, index, or classify file content.
✗ Use your uploads as training data.
✗ Share files with ad networks, analytics vendors, or anyone else.
✗ Build user profiles tied to your filenames or content.
✗ Log file contents anywhere we can read later.

Reporting a vulnerability

If you've found something, please tell us before you tell anyone else. Email security@formatly.app with reproduction steps. We acknowledge within 24 hours and aim to ship a fix quickly. We don't run a paid bounty, but we will publicly thank you (or not — your choice) in the release notes.