\documentclass{security}
Security is not an add-on.
Running user-supplied LaTeX safely is a hard problem. Sandboxing, shell escape prevention, and ephemeral file handling are built into the compilation pipeline — not bolted on after the fact.
Sandboxed execution
Every job runs in an isolated container, torn down after completion.
Ephemeral compilation files
Compilation source and PDF are deleted after processing. Project files you choose to save remain in your account.
Network isolation
Workers have no outbound internet access during compilation.
Shell escape blocked
-no-shell-escape enforced. Arbitrary code execution is prevented.
\section{Isolation}
Isolated per job, torn down after
Every compilation runs inside its own isolated container. Workers share no file system state, no environment variables, and no in-memory data between jobs — regardless of which user or API key submitted them.
After the job completes, the container is destroyed. There is no residual state that a subsequent job could access. Each compilation starts with a clean slate.
Shell escape is permanently disabled via -no-shell-escape. LaTeX macros cannot spawn shell commands, access the file system outside the sandbox, or exfiltrate data through TeX primitives.
\section{Data lifecycle}
What happens to your LaTeX
Your source and output exist only for the duration of the compilation job. Here is the exact sequence.
Received: source arrives
LaTeX transmitted over TLS. Input size validated against your plan limit before any processing begins.
Queued: job enqueued
Placed in an isolated queue. No shared worker state between jobs from different API keys or users.
Compiling: sandboxed compile
Isolated container allocated. TeX Live runs with -no-shell-escape and no network access.
Returned: PDF delivered
Compiled PDF returned via response body or short-lived URL. Your data leaves our infrastructure.
Destroyed: files deleted
Source files and compiled output are deleted from disk and memory after processing.
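An added example, not the service's own code, of a compile wrapper that follows the sequence above and the shell-escape block: the input-size check runs first, the engine is invoked with -no-shell-escape inside a throwaway working directory, and every file is deleted when the job ends, whether it succeeded, failed or timed out. The openin_any/openout_any kpathsea settings, the reduced environment and the injectable `run` parameter are this example's own assumptions, not something the page describes.

```python
"""Ephemeral, shell-escape-free LaTeX compile wrapper (illustrative example)."""
import os
import subprocess
import tempfile
from typing import Callable, List, Optional


class InputTooLarge(ValueError):
    """Submitted source exceeds the caller's plan limit."""


def check_size(source: bytes, plan_limit: int) -> None:
    """Reject oversized input before any file is written or any engine runs."""
    if len(source) > plan_limit:
        raise InputTooLarge(f"{len(source)} bytes exceeds plan limit of {plan_limit}")


def build_argv(workdir: str, engine: str = "pdflatex") -> List[str]:
    """Command line for one compile run. -no-shell-escape disables \\write18
    regardless of what the document or the local texmf.cnf asks for."""
    return [engine, "-no-shell-escape", "-interaction=nonstopmode",
            "-halt-on-error", "-output-directory", workdir, "main.tex"]


def compile_job(source: bytes, plan_limit: int, timeout: int = 60,
                run: Callable = subprocess.run) -> Optional[bytes]:
    """Compile `source` in a throwaway directory and return the PDF bytes,
    or None if the engine failed or timed out. The directory and everything
    in it are removed when the `with` block exits, on success or failure.
    `run` is injectable so the flow can be exercised without TeX Live."""
    check_size(source, plan_limit)
    with tempfile.TemporaryDirectory(prefix="texjob-") as workdir:
        with open(os.path.join(workdir, "main.tex"), "wb") as fh:
            fh.write(source)
        # Minimal environment, nothing inherited from the host. openin_any and
        # openout_any are kpathsea settings ('p' = paranoid) that confine file
        # reads/writes to the working tree (assumed here; it complements, not
        # replaces, the container isolation the page describes).
        env = {"PATH": os.environ.get("PATH", ""), "HOME": workdir,
               "TEXMFVAR": workdir, "openin_any": "p", "openout_any": "p"}
        try:
            run(build_argv(workdir), cwd=workdir, env=env, timeout=timeout,
                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
        except subprocess.TimeoutExpired:
            return None  # runaway job: no output returned, files still deleted
        pdf_path = os.path.join(workdir, "main.pdf")
        if not os.path.exists(pdf_path):
            return None
        with open(pdf_path, "rb") as fh:
            return fh.read()
    # Nothing from the job survives past this point.
```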
\section{Access control}
Keys, tokens, enforcement
API keys are hashed before storage. JWT sessions expire after 24 hours. Every request is rate-limited and validated against your plan limits before reaching a worker.
\section{Disclosure}
Responsible disclosure
If you discover a security vulnerability — in the API, the compilation pipeline, or the web interface — please report it privately before public disclosure. We acknowledge reports within 48 hours and resolve critical issues within 7 days.
48-hour acknowledgement
We will confirm receipt of your report within two business days.
No legal action against researchers
Good-faith security research conducted under this policy will not result in legal action.
7-day critical patch window
Critical vulnerabilities affecting user data or compilation integrity are patched within 7 days.
Credit on request
Reporters may request public credit when the vulnerability is disclosed.
