Version 1.0.4 | Build 2026.01.08
CLASSIFICATION: PUBLIC | DISTRIBUTION: UNLIMITED
Shadow PDF is a next-generation document utility engineered with a "Privacy-by-Design" philosophy. By fundamentally re-architecting how PDF operations are handled—shifting from server-side processing to client-side WebAssembly (WASM)—we have eliminated the most significant attack vector in modern document management: data transmission.
This report serves as a formal attestation of our security posture, detailing the mechanisms that ensure user data remains hermetically sealed within the local browser environment. It is intended for compliance officers, IT security auditors, and end-users requiring assurance of data sovereignty.
The core processing engine is compiled to WebAssembly, a binary instruction format that runs in a sandboxed execution environment within the browser. This sandbox strictly limits access to the host system and file system, ensuring that the application cannot perform unauthorized read/write operations.
Document data is loaded into a linear memory buffer allocated by the WASM instance. This memory is volatile and isolated from other browser tabs. Upon tab closure, the OS reclaims this memory, ensuring 100% data destruction.
| Attack Vector | Potential Impact | Shadow PDF Mitigation Strategy |
|---|---|---|
| MITM Attacks | Data Interception | Eliminated (No Data Transfer) |
| Server Breach | Database Leak | N/A (No Database Exists) |
| XSS Injection | Session Hijacking | Strict Content Security Policy (CSP) |
| Data Type | Definition | Storage Location | Retention Period |
|---|---|---|---|
| Content Data | PDF binaries, images, text | Client RAM (Volatile) | Session Only (0s) |
| Telemetry | Feature usage counts, errors | Aggregated Analytics | 30 Days (Rolling) |
| Local Prefs | UI State (Dark Mode) | Browser LocalStorage | Persistent until cleared |
1. Ingestion: File is selected via native file picker.
2. Processing: File is read into ArrayBuffer.
3. Execution: WASM modifications applied.
4. Output: Blob URL generated.
5. Destruction: Blob revoked, memory GC triggered on tab close.
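The lifecycle above, sketched as an added JavaScript example (not Shadow PDF's own code): `processLocally` and `applyWasmEdit` are hypothetical names, with `applyWasmEdit` standing in for the WASM engine call. The explicit buffer wipes go beyond what the report describes, which relies on tab close, and are included so plaintext does not wait on garbage collection.

```javascript
// Added example, not Shadow PDF's code. applyWasmEdit is a hypothetical
// stand-in for the exported function of the WASM engine.
const PDF_MAGIC = [0x25, 0x50, 0x44, 0x46, 0x2d]; // "%PDF-"

function applyWasmEdit(bytes) {
  // Constructed transform: append a PDF comment so output differs from input.
  const marker = new TextEncoder().encode("\n% edited locally\n");
  const out = new Uint8Array(bytes.length + marker.length);
  out.set(bytes, 0);
  out.set(marker, bytes.length);
  return out;
}

async function processLocally(file, edit = applyWasmEdit) {
  // Ingestion + Processing: the picked File (a Blob) is read into an
  // ArrayBuffer that lives only in this page's memory.
  const input = new Uint8Array(await file.arrayBuffer());
  let output, blob;
  try {
    if (!PDF_MAGIC.every((b, i) => input[i] === b)) {
      throw new Error("not a PDF: missing %PDF- header");
    }
    output = edit(input); // Execution: engine works on the in-memory bytes
    // Output: the Blob constructor copies the bytes it is given.
    blob = new Blob([output], { type: "application/pdf" });
  } finally {
    // Overwrite the working copies instead of waiting for GC.
    input.fill(0);
    if (output) output.fill(0);
  }
  const url = URL.createObjectURL(blob);
  let live = true;
  return {
    url,
    size: blob.size,
    // Destruction: revoke the Blob URL once the download has started.
    // Returns true on the first call, false on repeats.
    dispose() {
      if (!live) return false;
      URL.revokeObjectURL(url);
      live = false;
      return true;
    },
  };
}
```

In a browser the `file` argument would be the `File` object from an `<input type="file">` element, and `dispose()` would be called after the download link has been clicked.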
Shadow PDF is a stateless application. An audit of LocalStorage reveals only non-sensitive keys:
We engage the following third-party entities. Shadow PDF retains the role of "Controller" while assigning specific "Processor" tasks to these vendors.
| Entity | Service Role | Location | Data Access Scope |
|---|---|---|---|
| Google Cloud | AI Processor | USA / Global | Text snippets only (Encrypted) |
| GitHub Pages | Content Delivery | USA | Metadata/IP (No Content Access) |
| Cloudflare | DNS / CDN | Global Edge | Traffic Metadata |
Although our architecture minimizes data risk, we maintain a strict protocol for potential vulnerabilities:
| Framework | Applicability | Compliance Status |
|---|---|---|
| GDPR (EU) | Art. 5 (Minimization) | COMPLIANT |
| CCPA (California) | Section 1798.100 | COMPLIANT |
| HIPAA (USA) | Security Rule | ALIGNED (No BAA Needed) |
| LGPD (Brazil) | Data Sovereignty | COMPLIANT |
For users in the EEA/UK, any transfer of data to the US (e.g., for AI features) is safeguarded by the EU Standard Contractual Clauses (Module 2: Controller to Processor), ensuring adequate protection levels.
By voluntarily utilizing the AI summarization features, you explicitly consent to the transmission of selected text data to jurisdictions outside your country of residence, acknowledging the "Data Privacy Framework" mechanisms.
Subject to these terms, we grant you a non-exclusive, non-transferable, revocable license to use Shadow PDF. You agree not to use the service for processing illegal content, malware distribution, or attempting to reverse-engineer the WASM binaries.
THE SERVICE IS PROVIDED "AS IS". WE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. WE DO NOT GUARANTEE THAT THE SERVICE WILL BE UNINTERRUPTED OR ERROR-FREE.
We are not liable for failure to perform due to causes beyond reasonable control, including internet outages, strikes, or acts of God.
These terms are governed by the laws of India. Any disputes shall be resolved in the courts of Bangalore, Karnataka.
If any provision of these Terms is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary.
These Terms constitute the entire agreement between you and Shadow PDF regarding the use of the Service, superseding any prior agreements.
| Version | Date | Author | Change Notes |
|---|---|---|---|
| 1.0.0 | 2025-01-01 | Shashank A N | Initial Release |
| 1.0.2 | 2025-06-15 | Compliance Team | Added AI Subprocessor Clauses |
| 1.0.4 | 2026-01-08 | Security Team | Updated Incident Response Protocol |