We deliver Document Engine as a Linux container image for your own deployment in any compatible infrastructure, including public cloud providers (AWS, Azure, Google Cloud, and others).

We have no access to on-premises deployments of Document Engine, including documents, annotations, comments, or any other data/metadata. For Managed Document Engine (which is hosted within our infrastructure on AWS cloud), tenant instances are isolated on the infrastructure level. The legal terms regarding our processing of your data are defined in our Master Service Agreement.

Document Engine requires an internet connection to perform regular license checks, unless you’ve been provided a license for offline activation as part of your purchasing agreement. For more information, refer to our documentation regarding Document Engine product activation.

Data Access

There are three ways Document Engine can be accessed:

  1. Your backend uses the Document Engine API to get full access to all documents, annotations, and other data stored on the server. This API is protected by a configurable API access token.

  2. Your backend signs JSON Web Tokens (JWTs) asserting that the holder of such a token is allowed to access a given document. It then passes them to your client apps using PSPDFKit for Android, iOS, and Web. Your apps then pass it to Document Engine to prove they have access to the claimed document.

  3. Your team uses the optional dashboard, which gives access to all documents uploaded to Document Engine. The optional dashboard is protected with a configurable username and password.

To limit the possible attack surface area, you can disable the optional dashboard completely by setting the username and password configuration options to empty strings, or by not setting them at all.


We strongly recommend following these practices to improve security and privacy from a network perspective:

  1. Enable HTTPS. Document Engine expects TLS termination to be implemented on the infrastructure level using a load balancer or reverse proxy with HTTPS support in front of Document Engine containers. Public cloud vendors offer different managed options for TLS termination (e.g. AWS Application Load Balancer). When running on Kubernetes, TLS termination can be handled in an Ingress resource.

  2. Disable dashboard and Document Engine API access from the internet. Document Engine serves its internal API used by PSPDFKit for Web, the Document Engine API, the Document Engine Client API, and the dashboard on the same port. However, only the internal API needs to be exposed to the internet so that your application using PSPDFKit for Web can access it. To achieve this, configure your load balancer or reverse proxy so that only HTTP requests that target paths starting with /i are allowed. In addition, if you also use the client API in your application, make sure to allow paths that start with /documents.

  3. Unless your application specifically requires it, disable document creation from a URL by setting ALLOW-REMOTE-DOCUMENTS to false. If your application uses this feature, exercise the principle of least privilege by configuring your network firewall or container service to prevent URL resolution from untrusted sources.

Data Encryption

Document Engine fully supports encryption in transit and at rest, depending on your underlying platform.

Encryption in transit is achieved by enabling HTTPS. You can read more about it in the previous section.

Document Engine delegates encryption at rest to the underlying platform, specifically encryption for volumes and backups of your Document Engine containers, database instances, and object storage.