Architectural privacy, not a privacy promise.
Most online file tools promise to be private. Vastiko cannot be anything else: there is no upload step, no server-side storage, no decryption pipeline. Verify it yourself in 30 seconds.
The 30-second verification
- Open Vastiko's Edit PDF tool.
- Open your browser's DevTools (F12 or right-click → Inspect).
- Switch to the Network tab. Tick 'Preserve log'.
- Drop a PDF onto the dropzone.
- Watch the Network panel. There is no POST upload, no PUT, no WebSocket carrying your file. The only requests are static asset fetches (HTML, CSS, JS) and (if enabled) anonymous analytics pings.
The same is true on every Vastiko tool. You can verify the privacy claim yourself — you don't have to take our word for it.
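The same check can be repeated on a saved capture: after dropping the PDF, export the Network panel's log as a HAR file and run it through a script like the one below. This is an added example, not Vastiko's code; the function names, the 2048-byte allowance for analytics pings and the sample hostnames are assumptions, and `_webSocketMessages` is a Chrome-specific HAR field.

```javascript
// Added example: audit a DevTools HAR export for outbound data.

// Bytes of request body recorded for one HAR request (0 if none).
function sentBodyBytes(req) {
  if (req.bodySize > 0) return req.bodySize; // HAR uses -1 for "unknown"
  const text = req.postData && req.postData.text;
  return text ? new TextEncoder().encode(text).length : 0;
}

// Returns one finding per channel that sent more than maxBytes.
// maxBytes is an assumed allowance for small analytics pings.
function findOutboundData(har, maxBytes = 2048) {
  const findings = [];
  for (const entry of har.log.entries) {
    const req = entry.request;
    const add = (reason, bytes) => {
      if (bytes > maxBytes) {
        findings.push({ method: req.method, url: req.url, reason, bytes });
      }
    };
    // 1. Request bodies: POST, PUT, or any other method with a payload.
    add("request body", sentBodyBytes(req));
    // 2. Query strings: data can also leave on a plain GET.
    const q = req.url.indexOf("?");
    add("query string", q === -1 ? 0 : req.url.length - q - 1);
    // 3. WebSocket frames sent by the page (Chrome-specific field;
    //    binary frames are base64 text, so this size is approximate).
    const frames = entry._webSocketMessages || [];
    add("websocket frames", frames
      .filter((m) => m.type === "send")
      .reduce((n, m) => n + (m.data || "").length, 0));
  }
  return findings;
}

// Constructed sample HAR (not a real capture; hostnames are placeholders).
const sampleHar = { log: { entries: [
  { request: { method: "GET", url: "https://tool.example/app.js", bodySize: 0 } },
  { request: { method: "POST", url: "https://stats.example/ping", bodySize: 180 } },
  { request: { method: "POST", url: "https://api.example/upload", bodySize: 524288 } },
  { request: { method: "GET", url: "wss://api.example/ws", bodySize: 0 },
    _webSocketMessages: [{ type: "send", data: "x".repeat(4096) },
                         { type: "receive", data: "ok" }] },
] } };

console.log(findOutboundData(sampleHar));
```

An empty result means no single request body, query string or socket in that capture sent more than the allowance; lower `maxBytes` to list the analytics pings as well.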
How each tool stays local
Edit PDF
Industry-standard PDF rendering and manipulation run entirely in browser memory.
Compress PDF
Pages are re-rendered and re-compressed locally — no upload, no server-side processing.
Convert (PDF↔Image, PDF↔Word/Excel/PPT)
Format conversions are performed in-browser using modern browser APIs.
Cryptography (planned for Unlock PDF / Protect PDF)
Password-protected operations are on our roadmap. When they ship, they will use:
- Web Crypto API (built into Chrome, Safari, Firefox, Edge) for AES-256, AES-128, RC4-128, and RC4-40 — covering the full PDF security-handler spec.
- WebAssembly modules for parsing the PDF security handler, executed in the browser sandbox.
- No server transmission: the password is never sent to us. It exists in browser memory only for the duration of the operation, then is overwritten.
Status: the Unlock PDF and Protect PDF tools are currently in design. Until they ship, our cryptography surface is limited to TLS termination at the hosting provider — there is no application-level crypto to audit.
What attackers cannot do
Because file data never reaches our servers:
- A breach of our hosting provider cannot expose your files. There is no file storage to breach.
- A subpoena cannot compel us to hand over your files. We don't have them and never did.
- A malicious actor cannot exfiltrate user content from us. The data is on your machine, not ours.
Code obfuscation & transparency
The JavaScript bundle is minified and obfuscated. This is a deliberate choice to protect Vastiko's intellectual property — to make it harder for clones to copy our work — and it does not compromise the privacy guarantee. Privacy is verifiable from runtime behavior, not source code: open DevTools → Network and confirm no file upload happens. The architecture (everything in your browser) is what makes Vastiko private; the obfuscation just protects what we built.
If you spot a security issue or any behavior that contradicts these claims, please report it to info [at] vastiko [dot] com. We treat such reports as priority.
Hosting infrastructure
The site is delivered as static HTML, CSS, and JavaScript from a cloud-hosted web server. There is no application backend, no user database, and no server-side file processing pipeline. The privacy guarantee comes from the architecture, not from any specific provider or region — your files would not reach our servers regardless of where those servers happen to live.
Reporting vulnerabilities
We're a small team and don't run a formal bug bounty yet, but we do appreciate responsible disclosure. Email info [at] vastiko [dot] com with reproduction steps. We aim to acknowledge within 48 hours and credit you publicly if you wish.
Compliance scope
Because we don't process personal data tied to identifiable users on the server, our GDPR and CCPA exposure is minimal — but the privacy guarantees we make are stronger than what compliance requires. See the privacy policy for details.