
Trust · Last updated April 27, 2026

What is actually true.

This page lists the security and privacy controls we have in production today, the ones available to Enterprise customers on request, and the ones we have not yet implemented. We do not list controls we cannot back up.

Security & privacy controls

TLS 1.2+ in transit

Live in production

TLS terminates at Vercel (web app) and Railway (API). Both enforce HTTPS with modern cipher suites, and plain HTTP is redirected to HTTPS.

Encryption at rest

Live in production

Postgres on Railway and uploaded files in AWS S3 are encrypted at rest using each provider's default, provider-managed encryption (AES-256): disk-level for the database volume, object-level for S3.

HSTS preloaded

Live in production

Strict-Transport-Security header sent on every response: max-age=63072000; includeSubDomains; preload. Those three directives are the requirements for submission to the browser preload list; sending the preload directive does not by itself place a domain on that list.

Content Security Policy

Live in production

Strict CSP enforced in production with explicit allowlists for scripts, styles, images, fonts, and connect endpoints. No wildcard sources.

Other security headers

Live in production

X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, and Permissions-Policy applied to all routes on web and API. X-XSS-Protection is a legacy header that current browsers ignore; the Content Security Policy above is the effective cross-site scripting control.
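A way to verify the three header controls above from a captured response, as an added example that is not ScanThisText's tooling. The HSTS thresholds are the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload); the CSP rule is the page's own "no wildcard sources"; GOOD_HEADERS and BAD_HEADERS are constructed sample responses, and the js.stripe.com script source in the good sample is an assumption.

```python
"""Audit one response's security headers against the controls listed above.
Added example, not ScanThisText's code; sample headers are constructed."""

# Sources that hand script execution to arbitrary origins when they appear
# in default-src or script-src, even without a literal wildcard.
RISKY_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "data:", "blob:", "http:", "https:"}

# Fixed-value headers -> accepted values (lower-cased).
EXPECTED_VALUES = {
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"deny", "sameorigin"},
}


def parse_hsts(value):
    """'max-age=63072000; includeSubDomains; preload' -> {'max-age': '63072000', ...}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip()
    return directives


def hsts_findings(value):
    """Reasons the preload list would reject this header; an empty list means eligible."""
    d = parse_hsts(value)
    if not d.get("max-age", "").isdigit():
        return ["max-age missing or not an integer"]
    findings = []
    if int(d["max-age"]) < 31536000:
        findings.append(f"max-age {d['max-age']} is below the one-year minimum (31536000)")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    if "preload" not in d:
        findings.append("preload directive missing")
    return findings


def parse_csp(value):
    """\"default-src 'self'; img-src 'self' data:\" -> {'default-src': ["'self'"], ...}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_findings(value):
    """Flag wildcard sources anywhere, and script-capable schemes in default-src/script-src."""
    policy = parse_csp(value)
    findings = []
    if "default-src" not in policy:
        findings.append("default-src missing: directives not listed fall open")
    for directive, sources in policy.items():
        for src in sources:
            if "*" in src:
                findings.append(f"{directive}: wildcard source {src}")
            if directive in ("default-src", "script-src") and src.lower() in RISKY_SCRIPT_SOURCES:
                findings.append(f"{directive}: {src} allows script from arbitrary origins")
    return findings


def audit_headers(headers):
    """Run every check over a response's headers; names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" in h:
        findings += ["HSTS: " + f for f in hsts_findings(h["strict-transport-security"])]
    else:
        findings.append("Strict-Transport-Security missing")
    if "content-security-policy" in h:
        findings += ["CSP: " + f for f in csp_findings(h["content-security-policy"])]
    else:
        findings.append("Content-Security-Policy missing")
    for name, accepted in EXPECTED_VALUES.items():
        if name not in h:
            findings.append(f"{name} missing")
        elif h[name].strip().lower() not in accepted:
            findings.append(f"{name} has unexpected value {h[name]!r}")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"{name} missing")
    # Current browsers ignore X-XSS-Protection; "0" is the one value that cannot
    # re-enable the legacy filter in older ones, so anything else gets flagged.
    if h.get("x-xss-protection", "0").strip() != "0":
        findings.append("x-xss-protection enables the legacy filter; send 0 and rely on CSP")
    return findings


# Constructed samples: one matching the page's stated controls, one not.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://js.stripe.com; "
                               "style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
BAD_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'; script-src https:",
    "X-Frame-Options": "ALLOWALL",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("bad", BAD_HEADERS)):
        print(label, audit_headers(hdrs) or "no findings")
```

Run it against `curl -sI` output of the production host to confirm the page's claims; the CSP check is deliberately narrow (wildcards and script-capable schemes) and does not replace a full policy evaluator.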

Rate limiting

Live in production

Rate limits on the API are applied per source IP and per endpoint: auth 5/min, OCR 10/min, translate 20/min, and 60/min across all endpoints. Clients that repeatedly exceed a limit are automatically blocked for 1 hour.
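The limiter described above, as an added example rather than ScanThisText's implementation: a sliding window per (IP, endpoint) plus a per-IP global window, with repeat offenders blocked for an hour. The per-minute limits are the page's numbers; STRIKES_BEFORE_BLOCK (the page does not say how many rejections make a "repeat offender"), the in-memory store, the injected clock and the client addresses are assumptions.

```python
"""Sliding-window rate limiter with per-endpoint limits and a one-hour auto-block.
Added example, not ScanThisText's code; thresholds beyond the page's numbers are assumed."""
from collections import defaultdict, deque

PER_ENDPOINT_LIMITS = {"auth": 5, "ocr": 10, "translate": 20}   # requests per WINDOW, per IP
GLOBAL_LIMIT = 60                                               # all endpoints, per IP
WINDOW = 60.0                                                   # seconds
BLOCK_SECONDS = 3600
STRIKES_BEFORE_BLOCK = 3   # assumption: rejections before the block kicks in


class RateLimiter:
    def __init__(self, clock):
        self.clock = clock                       # callable returning seconds; injected so tests are deterministic
        self.hits = defaultdict(deque)           # (ip, endpoint) -> timestamps inside the window
        self.global_hits = defaultdict(deque)    # ip -> timestamps across all endpoints
        self.strikes = defaultdict(int)          # ip -> rejections since the last block
        self.blocked_until = {}                  # ip -> time at which the block lifts

    @staticmethod
    def _prune(window, now):
        """Drop timestamps older than WINDOW; the deque is time-ordered so pop from the left."""
        while window and window[0] <= now - WINDOW:
            window.popleft()

    def check(self, ip, endpoint):
        """Return (allowed, reason). Only allowed requests are counted against the window."""
        now = self.clock()
        lifts_at = self.blocked_until.get(ip)
        if lifts_at is not None:
            if now < lifts_at:
                return False, "blocked"
            del self.blocked_until[ip]
        per_endpoint = self.hits[(ip, endpoint)]
        per_ip = self.global_hits[ip]
        self._prune(per_endpoint, now)
        self._prune(per_ip, now)
        limit = PER_ENDPOINT_LIMITS.get(endpoint, GLOBAL_LIMIT)
        if len(per_endpoint) >= limit or len(per_ip) >= GLOBAL_LIMIT:
            self._record_strike(ip, now)
            return False, "rate_limited"
        per_endpoint.append(now)
        per_ip.append(now)
        return True, "ok"

    def _record_strike(self, ip, now):
        """A client that keeps hitting a limit is blocked outright for BLOCK_SECONDS."""
        self.strikes[ip] += 1
        if self.strikes[ip] >= STRIKES_BEFORE_BLOCK:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            self.strikes[ip] = 0


def burst(limiter, ip, endpoint, n):
    """Issue n back-to-back requests and return the reason for each decision."""
    return [limiter.check(ip, endpoint)[1] for _ in range(n)]


if __name__ == "__main__":
    import time
    rl = RateLimiter(time.monotonic)
    print(burst(rl, "203.0.113.7", "auth", 8))   # constructed client address
```

Two things the snippet does not show but a deployment behind Vercel and Railway has to get right: the IP key must come from the trusted proxy's forwarded-for value, never from a client-supplied header, and the dictionaries here are per process, so a multi-instance API needs a shared store for the windows and the block list.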

Audit log

Live in production

Every authenticated request that mutates state is logged with user ID, IP, user-agent, action, and timestamp. Searchable on Business and Enterprise plans.

Account deletion + 30-day grace period

Live in production

Self-serve deletion from Settings. The account is deactivated immediately; PII is permanently anonymized after 30 days. Active subscriptions are cancelled on request.

PCI DSS scope minimization

Live in production

All card data is handled by Stripe (PCI DSS Level 1). We never receive, store, or proxy primary account numbers — only Stripe customer/subscription IDs.

Authenticated-by-default API routes

Live in production

Every FastAPI route requires a session unless explicitly marked @public. Every Next.js API route checks the session before any logic runs.
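The deny-by-default pattern above, written as an added, framework-free example so it runs stand-alone; it is not the project's FastAPI or Next.js code. The session check runs before any handler body, the only way to skip it is an explicit marker, and a startup check compares the resulting public routes against a reviewed allowlist so an accidental opt-out shows up in CI. The `public` marker, `Router`, the `SESSIONS` token table and the `/health` and `/ocr` handlers are all constructed.

```python
"""Deny-by-default route registry with an explicit public opt-out and a startup audit.
Added example, not ScanThisText's code; handlers and session store are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str


def public(handler):
    """Opt a handler out of the session requirement; nothing else skips the check."""
    handler.is_public = True
    return handler


class Router:
    def __init__(self, load_session):
        self.load_session = load_session   # request -> Session or None
        self.routes = {}                   # (method, path) -> handler

    def route(self, method, path):
        def register(handler):
            self.routes[(method, path)] = handler
            return handler
        return register

    def dispatch(self, method, path, request):
        """Resolve the session before any handler logic runs; fail closed otherwise."""
        handler = self.routes.get((method, path))
        if handler is None:
            return 404, {"error": "not found"}
        if getattr(handler, "is_public", False):
            return 200, handler(request, None)
        session = self.load_session(request)
        if session is None:
            return 401, {"error": "authentication required"}
        return 200, handler(request, session)

    def public_routes(self):
        """Every route reachable without a session, as 'METHOD /path' strings."""
        return sorted(f"{m} {p}" for (m, p), h in self.routes.items()
                      if getattr(h, "is_public", False))


def unexpected_public_routes(router, allowlist):
    """Startup check: a public route missing from the reviewed allowlist is a finding."""
    return [r for r in router.public_routes() if r not in allowlist]


# Constructed session store: bearer token -> session. A real service looks this up in its DB.
SESSIONS = {"tok_alice": Session(user_id="u_1")}


def load_session(request):
    auth = request.get("headers", {}).get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return SESSIONS.get(token)


api = Router(load_session)


@api.route("GET", "/health")
@public
def health(request, session):
    return {"status": "ok"}


@api.route("POST", "/ocr")
def ocr(request, session):
    # The router never calls a non-public handler without a session, so this is safe.
    return {"owner": session.user_id, "bytes": len(request.get("body", b""))}


PUBLIC_ALLOWLIST = {"GET /health"}   # reviewed list, committed next to the routes

if __name__ == "__main__":
    assert unexpected_public_routes(api, PUBLIC_ALLOWLIST) == [], "unreviewed public route"
    print(api.dispatch("POST", "/ocr", {}))
    print(api.dispatch("POST", "/ocr", {"headers": {"authorization": "Bearer tok_alice"}, "body": b"abc"}))
```

In FastAPI the same shape is a router-level dependency that every route inherits, with the public marker as the exception; the allowlist check is what turns "authenticated by default" from a convention into something a test can enforce.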

Live status page

Live in production

Real-time API health probe run server-side and rendered at /status on every page load. No uptime percentage is shown; the page displays only the result of the live probe.

Vulnerability disclosure

Live in production

RFC 9116 security.txt published at /.well-known/security.txt. Report issues to support@scanthistext.com.
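A pre-publish check for the security.txt mentioned above, as an added example that is not ScanThisText's file or tooling. RFC 9116 makes both Contact and Expires mandatory, requires Contact to be a URI (mailto:, https:, tel:), and recommends an Expires under a year out; a file that drifts past its Expires is treated as stale by reporters and scanners. SAMPLE is constructed: the contact address is the one on this page, while the Expires value and the Canonical URL are assumptions.

```python
"""Validate a security.txt against RFC 9116 before publishing it.
Added example, not ScanThisText's code; SAMPLE is constructed."""
from datetime import datetime, timezone

REQUIRED_FIELDS = ("Contact", "Expires")          # RFC 9116: both MUST be present
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")  # Contact MUST be a URI


def parse_security_txt(text):
    """Return {field: [values]} in file order; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or " " in name:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def parse_expires(value):
    """RFC 9116 uses RFC 3339 date-times; fromisoformat wants an explicit offset, so map Z to +00:00."""
    if value and value[-1] in "Zz":
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def security_txt_findings(text, now=None):
    """Problems a reporter or scanner would hit; an empty list means the file is publishable."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = [f"{name} missing (required by RFC 9116)" for name in REQUIRED_FIELDS if name not in fields]
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        findings.append("Expires must appear exactly once")
    elif expires:
        try:
            when = parse_expires(expires[0])
        except ValueError:
            findings.append(f"Expires is not an RFC 3339 date-time: {expires[0]!r}")
        else:
            if when.tzinfo is None:
                findings.append("Expires lacks a UTC offset")
            elif when <= now:
                findings.append("file has expired; reporters may treat the contact as stale")
            elif (when - now).days > 365:
                findings.append("Expires more than a year out; RFC 9116 recommends under a year")
    for contact in fields.get("Contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            findings.append(f"Contact must be a URI such as mailto:, got {contact!r}")
    return findings


# Constructed file body: the contact is the page's; Expires and Canonical are assumptions.
SAMPLE = """\
# Coordinated disclosure preferred; acknowledged within 2 business days.
Contact: mailto:support@scanthistext.com
Expires: 2026-12-31T23:59:00+00:00
Canonical: https://scanthistext.com/.well-known/security.txt
Preferred-Languages: en
"""

if __name__ == "__main__":
    print(security_txt_findings(SAMPLE) or "publishable")
```

Running this in CI against the served file catches the most common failure, an Expires date that quietly passes, before a reporter does.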

SSO (SAML / OIDC)

Available on request (Enterprise)

We can integrate with Okta, Google Workspace, or any SAML 2.0 / OIDC IdP for Enterprise customers. Contact sales for scoping.

HIPAA Business Associate Agreement

Available on request (Enterprise)

BAA available on the Enterprise plan. Includes scoping of PHI handling, subprocessor BAAs (Stripe, Google Cloud, AWS), and audit-log retention.

Custom uptime SLA

Available on request (Enterprise)

Contractual SLA with service credits available on the Enterprise plan. Default operational target is 99.5%, but no SLA is implied without a signed contract.

On-premises / self-hosted deployment

Available on request (Enterprise)

Container-based self-hosted deployment available on the Enterprise plan for customers with data-residency or air-gap requirements.

SOC 2 Type II

Not yet implemented

We have not yet completed a SOC 2 audit. We do not claim SOC 2 compliance anywhere on this site.

ISO 27001

Not yet implemented

We are not ISO 27001 certified.

Public uptime history

Not yet implemented

We do not yet publish a rolling 30/60/90-day uptime percentage. When we do, it will be backed by external synthetic monitoring (not self-reported).

Subprocessors

These third parties process customer data on our behalf to deliver the Service. Each is bound by a Data Processing Agreement (DPA) or equivalent. Enterprise customers will be notified of changes to this list at least 30 days in advance.

Provider | Purpose | Region | DPA
Vercel | Web app hosting and edge delivery | US / global edge | Link
Railway | API hosting and managed Postgres | US | Link
Amazon Web Services (S3) | Uploaded image and PDF object storage | US | Link
Stripe | Subscription billing and payments | US / global | Link
Google Cloud (Vision API) | OCR text extraction from uploaded documents | US | Link
Microsoft Azure (Document Intelligence) | Structured field extraction (Business and Enterprise) | US | Link
Anthropic | AI question-answering ("Ask your documents") and analysis | US | Link
Hetzner | Embedding inference for document indexing | EU (Germany / Finland) | Link
Resend | Transactional email (verification, password reset, support) | US | Link
Plausible Analytics | Privacy-friendly, cookieless usage analytics | EU (Germany) | Link

Report a security issue

Found a vulnerability? Email support@scanthistext.com with reproduction steps and impact. We aim to acknowledge within 2 business days. Coordinated disclosure preferred.

See our security.txt for the canonical contact.

Trust & Security — ScanThisText | ScanThisText.com