Security at SimplyFill

How we protect your data, our compliance posture, and how to tell us when something's wrong.

Encryption

All customer data is encrypted at rest with AES-256 via the underlying storage layer (AWS S3 server-side encryption with managed keys). All data in transit uses TLS 1.3; older TLS versions are disabled at the load balancer.

API keys are hashed before storage; we cannot recover the plaintext after issuance. The dashboard exposes a key once at creation, then never again — rotate by issuing a new key and revoking the old.

Data handling

We store the minimum required to run the service:

  • Template PDFs you upload — kept until you delete them.
  • Field mappings — your definitions of which JSON keys fill which PDF fields.
  • Generated PDFs — retained for 30 days by default so you can re-download via the API, then automatically purged. Enterprise plans can configure shorter retention (down to 0 — generate and forget).
  • Request metadata — timestamps, template IDs, status — retained for 90 days for debugging and billing.

We do not train models on your data. We do not sell, share, or aggregate your PDF contents.

Compliance

  • HIPAA: We sign BAAs with enterprise customers. Email security@simplyfill.app to request the BAA template and the list of technical safeguards we implement.
  • GDPR: Standard contractual clauses apply via our Data Processing Addendum — email security@simplyfill.app to request a copy.

Vulnerability disclosure

Report security issues to security@simplyfill.app. PGP key available on request.

We commit to acknowledging reports within one business day and to sharing remediation status within five business days. We do not pursue legal action against researchers acting in good faith under standard responsible-disclosure norms (no data exfiltration, no service degradation, no third-party impact).