Straight2PDF is operated by WFA Support Ltd. This page summarises the safeguards and operating practices we use to protect the platform. It should be read alongside our Privacy Policy, Terms and Conditions and Data Processing Agreement.
1. Security approach
We use reasonable technical and organisational measures designed to protect customer data, maintain service availability and reduce the risk of unauthorised access, loss or misuse. Security controls are reviewed as the service changes, and customer-facing claims are kept conservative unless they are supported by implemented controls or confirmed operating procedures.
2. Hosting and infrastructure
- Core hosting is provided in the United Kingdom by 24host.uk.
- The public website is designed to limit exposure of private application logic and non-public service files.
- Transport security controls are used where appropriate, including HTTPS enforcement and security headers.
- Private application configuration, service logic and customer file storage are kept under server-side locations outside the public web root.
- Backups and operational copies may be used to support resilience, recovery and service continuity.
3. Account and access controls
- Access to customer areas requires authenticated accounts.
- Role and permission checks are used to limit access to customer-specific data and admin functionality.
- Session cookies use security-focused settings to help reduce unauthorised access and misuse.
- Passwords are hashed and are not stored in plain text.
- Two-factor authentication is required in reviewed web/admin and mobile app sign-in flows before normal account access is granted.
- Two-factor authentication secret keys are encrypted at rest using AES-256-GCM.
- Admin and support areas apply role, customer and support-session checks so users can only access permitted company data and system tools.
4. Password and session safeguards
- New passwords must meet a minimum length (12 characters) and complexity policy (uppercase, lowercase, number and symbol required).
- Recent password reuse is checked against the last 12 passwords, and accounts can be marked for forced password change where needed.
- Known-breached-password checking is supported where configured.
- Repeated failed sign-in attempts are rate limited or locked out to reduce brute-force risk.
- Mobile/API access uses signed, time-limited access tokens and refresh-token handling after successful authentication.
5. Data protection
Customer form submissions, uploaded content and generated documents are processed to provide the Straight2PDF service. Uploaded files and generated PDFs are access-controlled through account and permission checks. We do not use customer form content for advertising. Data processing commitments are described in our DPA.
- Customer files and generated outputs are stored in private server-side storage paths rather than public website folders.
- Generated workbook/PDF outputs use safe-path checks and cleanup controls.
- Template upload validation includes file type, size, ZIP structure, unsafe path and macro checks for supported Excel template uploads.
- Customer-uploaded files (CusFiles) are encrypted at the application layer using AES-256-GCM with per-customer derived keys.
- Form submission data (FormData) stored in the database is encrypted at rest using AES-256-GCM with per-customer derived keys.
6. Monitoring, logging and auditability
We may record access logs, application logs, account activity, policy agreement records, page visit analytics where consent applies, rate-limit events, backup actions, submission workflow events and error logs to help operate, secure and improve the service. Technical logs are handled in line with our Privacy Policy.
- Sensitive administrative actions (user enable/disable/delete, 2FA resets, customer account deletion) are recorded in an immutable audit trail for GDPR Art. 5(2) accountability purposes.
7. Backups and resilience
Backup tooling supports database and customer-file backups, checksum verification, content validation, test restore, staging restore and guarded emergency live restore workflows. Where a backup encryption key is configured, backups are encrypted at rest using AES-256-GCM. Backup operation, restore testing frequency and any off-server retention arrangements should be confirmed for the relevant customer environment.
8. Incident handling
If we identify a security incident affecting customer data, we will investigate, take appropriate containment steps and notify affected customers or regulators where required by law. We maintain a formal breach register to record, track and manage data breach incidents, including the 72-hour ICO notification requirement under GDPR Art. 33.
9. Current enterprise limitations and roadmap areas
Some enterprise controls are not currently represented as standard public features or have not been independently evidenced in this website repository. These include SSO/SAML/OIDC, configurable server-side web inactivity timeout, formal SOC 2 or ISO 27001 certification, published penetration-test reports, customer-facing WAF/DDoS architecture evidence, and malware scanning integration for every upload type. We are happy to discuss these requirements for Business or enterprise customers.
10. Customer responsibilities
- Use strong passwords and keep credentials secure.
- Assign access only to people who need it.
- Keep devices used with Straight2PDF secure and updated.
- Report suspected account compromise or security concerns promptly.
11. Responsible disclosure
If you believe you have found a vulnerability, please contact support@straight2pdf.co.uk with enough detail for us to investigate, including affected URLs, steps to reproduce, potential impact and your contact details. Please do not access, alter, delete, download or disclose data that does not belong to you, disrupt the service, or perform destructive testing.
