Where are my files stored?

On hardened servers in the European Union, operated by Konomic. Files are encrypted in transit via TLS 1.3 and stored in isolated worker namespaces with strict access controls. They are automatically deleted within 1 hour of upload.

Do you train AI models on my files?

No. We never use customer documents to train AI models, internal or external. Our AI features (Chat with PDF, Summarize) process your file at request time and discard the content immediately afterward. No retention, no aggregation, no training.

Is Konomic GDPR-compliant?

Yes. All servers are located in the EU. We process personal data only as needed to deliver the service. You can request deletion of your account and any associated data at any time. We're a European company subject to GDPR and not bound by the US CLOUD Act.

SECURITY & PRIVACY

Your files are private. Period.

AES-256 encryption. EU-only servers. Auto-deletion after 1 hour. No AI training on your data. No selling to anyone. Ever.

🔒

TLS 1.3

Encrypted

🇪🇺

EU Only

DSGVO/GDPR

⏱️

1 Hour

Auto-deleted

🚫

No AI

Training

What happens when you upload a file

Encrypted upload

Your browser encrypts the file with TLS 1.3 before it leaves your device. The connection is secured with HTTPS using a Let's Encrypt certificate, refreshed every 60 days.

Isolated worker namespace

On our servers, the file is written to an isolated worker namespace with strict POSIX permissions. Only the worker that processes your specific request can read it.

Operation runs in sandbox

The requested operation (merge, OCR, compress, etc.) runs in a sandboxed Python or Node.js process. No network access, no other tenants' files visible, no shared state.

You download the result

The result is served via a signed time-limited URL. Only you (with the matching session token) can access it.

Both files auto-deleted in 1 hour

A scheduled cleanup job runs every 5 minutes and deletes any file older than 1 hour. No manual intervention possible — even our engineers can't recover deleted files.

What we never do

❌ Sell your data

We don't sell, license, or share customer files or metadata with anyone. Ever.

❌ Train AI on your files

Your documents never enter any training pipeline — ours or a third party's.

❌ Read your files

Files are processed by automated pipelines. No human reviewer ever opens your documents.

❌ Run third-party trackers

No Google Analytics, no Facebook Pixel, no third-party scripts on tool pages.

❌ Lock you in

Cancel your subscription anytime. Export your data. We don't hold your files hostage.

❌ Use US infrastructure for files

Our processing servers are in the EU. Not subject to the US CLOUD Act.

Technical details

Encryption

In transit: TLS 1.3 with modern cipher suites (CHACHA20-POLY1305, AES-256-GCM). HSTS enforced.
At rest: Files stored on encrypted ext4 volumes (LUKS2 with AES-256-XTS).
Database: PostgreSQL with TLS-only connections. Sensitive fields hashed with bcrypt or AES-256.
Passwords: User passwords stored as bcrypt hashes (cost 12). Password resets via short-lived tokens.

Infrastructure

Hosting: Hardened VPS in the EU (Germany region).
OS: Debian 12 with automatic security updates.
Reverse proxy: Nginx with rate limiting and WAF rules.
Containers: Docker Compose with isolated networks per service.
Backups: Encrypted database backups daily, retained 7 days, EU-stored.

Authentication

JWT-based sessions with 15-minute access tokens and 7-day refresh tokens
Email verification on signup
Password reset via short-lived signed tokens
Rate limiting on all auth endpoints (5 req/min per IP)

Payments

All payments processed by Stripe — we never see or store credit card data
Webhook signatures verified to prevent forgery
Subscriptions managed through Stripe Customer Portal

Compliance

GDPR (EU 2016/679) — full compliance with data subject rights
DSGVO — German implementation, equivalent to GDPR
Account deletion: full data erasure within 30 days of request
Data Processing Agreement (DPA) available for Business customers on request

Found a security issue?

We take security seriously. If you discover a vulnerability, please report it responsibly:

Email: security@konomic.io
Use our PGP key (request via email) for sensitive reports
Allow up to 90 days for investigation and disclosure

We don't currently run a paid bug bounty, but we credit responsible reporters in our security acknowledgements.

Try Konomic with confidence

EU servers, AES-256, GDPR. Files deleted after 1 hour. No tracking.

Try Konomic free About us