HIPAA-Compatible Security Options

To process sensitive data in a HIPAA-compatible manner, adjust the following settings:

  1. Enable Strict API Logs mode. On the Account Security page, switch to the API Logs tab and enable Strict API Logs mode. This sets PDF.co to automatically redact all input and output links and data from API logs.
  2. Restrict account access to your IP addresses only. On the Account Security page, switch to the IP Allowlist tab, enable and edit the IP Allowlist, and add the IP addresses of your application or server so that your account can be accessed only from those addresses.
  3. Encrypt your documents before sending them to PDF.co (using PDF encryption). To enable PDF.co to read your password-protected PDFs, set the password parameter to the PDF password (supported by almost all endpoints).
  4. Encrypt your files in your app with strong AES-256 encryption before sending them to PDF.co. To allow PDF.co to read strongly encrypted files, set user-controlled data decryption options via the profiles parameter, as described here.
  5. Configure PDF.co to encrypt output files with AES-256 encryption. To set PDF.co to encrypt output files, set user-controlled data encryption options via the profiles parameter, as described here.
  6. Set a faster expiration for output files. Set the expiration parameter to 1 (minute) or even less so that the output file link is disabled within 1 minute. By default, output files are removed after 60 minutes (1 hour).
  7. Alternatively, add code to your app to delete the output file via the API. Use the file/delete endpoint to forcibly remove the output file once it is no longer needed.
  8. Avoid using the cache: prefix with any input links, if applicable.
  9. Refrain from using links from Google Drive, Dropbox, or similar free services. Instead, utilize the built-in secure PDF.co files storage to store your input files, such as PDF templates and images. Files from this storage cannot be accessed outside the API.
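The following is an added Python example showing how a client can apply the per-request items above (3 through 9) consistently: it refuses `cache:` and free-sharing-service input links, sends the `password`, `profiles`, and `expiration` parameters on every request, and always calls `file/delete` on the output file once it has been consumed. It is not code from PDF.co or from this page. It assumes (not stated on this page) that the API is served from `https://api.pdf.co/v1/`, authenticates with an `x-api-key` header, takes the input link in a `url` body field, returns a JSON object with `url` and `error` fields, that `file/delete` accepts the output link in a `url` field, and that `profiles` is sent as a JSON string; the conversion endpoint name is a placeholder, and the actual encryption/decryption keys for `profiles` are left to the PDF.co profiles documentation the page links to. The demo uses a constructed offline transport so it runs without network access.

```python
"""Hardened PDF.co request flow (example code; API details marked as assumptions)."""
import json
import urllib.request
from urllib.parse import urlparse

API_BASE = "https://api.pdf.co/v1/"       # assumption: PDF.co API base URL
ENDPOINT = "pdf/convert/to/text"          # placeholder: any endpoint that takes an input link

# Free sharing services the page says not to use for input links (constructed list).
DISALLOWED_HOSTS = ("drive.google.com", "docs.google.com", "dropbox.com")


def input_link_problem(link: str):
    """Return a reason string if the link violates items 8 or 9, else None."""
    if link.startswith("cache:"):
        return "cache: prefix is not allowed for sensitive input (item 8)"
    host = (urlparse(link).hostname or "").lower()
    if any(host == h or host.endswith("." + h) for h in DISALLOWED_HOSTS):
        return f"host {host!r} is a free sharing service; use PDF.co file storage (item 9)"
    return None


def build_request_body(input_link, pdf_password=None, profiles=None, expiration_minutes=1):
    """Assemble the JSON body with the settings from items 3 to 6."""
    problem = input_link_problem(input_link)
    if problem:
        raise ValueError(problem)
    body = {"url": input_link, "expiration": expiration_minutes}   # assumption: `url` field
    if pdf_password:
        body["password"] = pdf_password          # item 3: PDF.co opens the encrypted PDF
    if profiles is not None:
        # items 4/5: encryption/decryption options; key names come from the PDF.co
        # profiles docs and are not reproduced here. Assumption: sent as a JSON string.
        body["profiles"] = profiles if isinstance(profiles, str) else json.dumps(profiles)
    return body


def urllib_post(url, headers, body):
    """Real HTTP transport (stdlib only); swap in FakeTransport.post for offline use."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def process_with_cleanup(endpoint, body, api_key, consume, http_post=urllib_post):
    """Call the endpoint, hand the output link to `consume`, then delete it (item 7).

    The delete runs in `finally`, so the output file is removed even if `consume`
    fails, instead of lingering until the expiration timer fires.
    """
    headers = {"x-api-key": api_key, "Content-Type": "application/json"}  # assumption
    resp = http_post(API_BASE + endpoint, headers, body)
    if resp.get("error"):                        # assumption: `error` flag in response
        raise RuntimeError(f"PDF.co returned an error: {resp.get('message')}")
    output_url = resp["url"]                     # assumption: output link in `url`
    try:
        return consume(output_url)
    finally:
        http_post(API_BASE + "file/delete", headers, {"url": output_url})  # assumption


class FakeTransport:
    """Constructed offline stand-in for HTTP that records every request it receives."""
    OUTPUT_URL = "https://pdf-temp-files.example/out.txt"   # constructed value

    def __init__(self):
        self.calls = []

    def post(self, url, headers, body):
        self.calls.append((url, body))
        if url.endswith("file/delete"):
            return {"error": False}
        return {"error": False, "url": self.OUTPUT_URL}


def run_demo():
    """Exercise the full flow offline and return the recorded (url, body) calls."""
    transport = FakeTransport()
    body = build_request_body("https://example.com/report.pdf",
                              pdf_password="constructed-pdf-password")
    process_with_cleanup(ENDPOINT, body, "PLACEHOLDER_API_KEY",
                         consume=lambda link: link, http_post=transport.post)
    return transport.calls


if __name__ == "__main__":
    for url, body in run_demo():
        print(url, body)
```

In production, pass `urllib_post` (the default) instead of the fake transport and supply the real `profiles` JSON from the PDF.co profiles documentation; the `consume` callback is where the application downloads the output before the `finally` block deletes it server-side.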

We also offer an on-premise version of the PDF.co API, which can be run on your own server with your local or private cloud storage. Contact us to request a quote.