
Security & data handling

How DocTranslate handles PDFs at rest and in transit, what runs on Cloudflare Workers and D1/R2, translation trust boundaries, retention, and account deletion.

Architecture

Authenticated clients talk to a Hono API on Cloudflare Workers. PDF bytes are stored in Cloudflare R2; job state and credits live in Cloudflare D1. Translation work is processed asynchronously via Cloudflare Queues. A separate translation HTTP service (for example on Cloud Run or Modal) receives presigned GET/PUT URLs and calls back to the Worker when a job completes.

Transport and access

Production browser traffic to your deployed site and API should use HTTPS (TLS). Presigned URLs are used for direct client uploads to R2 and for the translation service to read originals and write translated objects. Treat a presigned URL as a bearer credential until it expires: anyone holding it can perform the signed GET or PUT without further authentication, so do not log it, embed it in emails, or share it outside the job that needs it. The default signing window is configured in the API Worker.

Sign-in uses Melody Auth (hosted OAuth/OIDC). The browser stores the tokens issued by Melody and sends the access token to the DocTranslate API as an Authorization: Bearer header; the API verifies the JWT signature against Melody's JWKS.

Billing

Stripe Checkout processes card payments on Stripe's pages; the Worker stores Stripe customer IDs and credit ledger rows, never full payment card numbers.

Realtime

Pusher Channels delivers document status updates on a private channel scoped to a single user id. The Worker authorizes each channel subscription server-side, so a client can only subscribe to the channel belonging to the user its access token identifies.

Webhooks and integrations

Completion callbacks from the translation service to the Worker are authenticated with a shared Bearer secret. Optional user-configured outbound webhooks and Slack URLs receive signed JSON from the Worker when you enable integrations; because these push job data to endpoints you choose, review the onward transfer risk for your security packet before enabling them.

Logging

The API avoids logging raw presigned URLs and redacts long URL-shaped strings in error paths where upstream services return verbose bodies. Cloudflare observability may still capture request metadata per your account settings.

Retention and deletion

Automated deletion is off by default. Set DOCUMENT_RETENTION_DAYS and/or INTEGRATION_LOG_RETENTION_DAYS on the Worker to enable a daily scheduled purge of old completed or failed documents (including their R2 objects) or of integration delivery logs. R2 lifecycle rules in the Cloudflare dashboard remain an additional, independent control on the stored objects.

Account deletion is POST /api/user/delete with a valid access token; it removes app rows, integration settings, and objects under your R2 prefix, then calls Melody's S2S API when configured to remove the identity record. For a portable JSON snapshot first, use GET /api/user/data-export.

Details for end users: Data handling FAQ.

Vendor security references

What we do not claim

SOC 2 Type II and similar attestations apply only if your organization completes an audit and receives a report. This page describes technical wiring, not a certification.

Subprocessors and privacy

See the Subprocessors and Privacy policy, the Cookie notice, and related legal pages for customer-facing disclosures.

Enterprise / DPA

For procurement, security questionnaires, or a Data Processing Agreement, contact your account or legal contact for your DocTranslate deployment. This repository does not publish a generic DPA template.
