Security Overview
Polotno SDK - key points
No data collection
Polotno SDK doesn’t collect or store end-user data.
No built-in uploads
The SDK doesn’t upload user content to Polotno.
Minimal logging
We only log license validation events: license key, domain, and usage count. No user content or personal data.
Data handling & networking
Local by default
Editing, rendering, and exports run in your app (browser or your servers).
Assets
By default, the SDK can load fonts and Unsplash images from Polotno-managed endpoints. These requests include no tracking. You can also configure the SDK to use only your own assets/CDN.
Logging
What we log: license key, domain(s), and aggregate usage counts for license validation.
What we don’t log: user identities, design content, assets, IPs for analytics, or behavioral telemetry.
Cloud Render (optional)
If you use Polotno Cloud Render, your app sends design JSON and asset URLs to our API over HTTPS. We process the job and return the result. We do not use your content for training or marketing. Retention/region/SLA can be aligned in a DPA/SOW if required.
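The two passages above (own-CDN assets and the design JSON plus asset URLs handed to Cloud Render) both come down to one check a deploying team usually wants: before a design leaves the app, confirm every asset reference points only at hosts you control. The following is an added example written for this overview, not Polotno's code; it assumes a design JSON shaped as `{ pages: [{ children: [{ id, src, children? }] }] }` (nested `children` for groups), and the field names, the `OWN_ASSET_HOSTS` allowlist and the `SAMPLE_DESIGN` input are constructed assumptions, not verified against the SDK's format.

```javascript
// Added example (not Polotno's code): enforce an "own assets/CDN only" policy on a design
// before rendering or submitting it to a render service.
// Assumption: elements carry their asset reference in `src`; groups nest elements in `children`.
const OWN_ASSET_HOSTS = ['cdn.example.com']; // constructed allowlist for this example

// Depth-first walk over every element on every page, including group members.
function* walkElements(design) {
  for (const page of design.pages || []) yield* walkChildren(page.children || []);
}
function* walkChildren(children) {
  for (const el of children) {
    yield el;
    if (Array.isArray(el.children)) yield* walkChildren(el.children);
  }
}

// Exact host match or a subdomain of an allowed host; the leading dot prevents
// "cdn.example.com.attacker.invalid" from matching "cdn.example.com".
function hostAllowed(hostname, allowedHosts) {
  return allowedHosts.some((h) => hostname === h || hostname.endsWith('.' + h));
}

// Returns { ok, violations } where each violation names the element, the URL and why it failed.
function checkAssetPolicy(design, allowedHosts = OWN_ASSET_HOSTS) {
  const violations = [];
  for (const el of walkElements(design)) {
    if (typeof el.src !== 'string') continue; // text, shapes, groups: nothing to fetch
    let url;
    try {
      url = new URL(el.src);
    } catch {
      violations.push({ id: el.id, src: el.src, reason: 'unparseable' });
      continue;
    }
    // Only https is accepted: http leaks the request, data: URIs bypass the CDN entirely.
    if (url.protocol !== 'https:') {
      violations.push({ id: el.id, src: el.src, reason: 'scheme' });
      continue;
    }
    if (!hostAllowed(url.hostname, allowedHosts)) {
      violations.push({ id: el.id, src: el.src, reason: 'host' });
    }
  }
  return { ok: violations.length === 0, violations };
}

// Constructed sample: one compliant image, one http, one third-party host inside a group, one data URI.
const SAMPLE_DESIGN = {
  pages: [
    {
      children: [
        { id: 'img1', type: 'image', src: 'https://cdn.example.com/logo.png' },
        { id: 'img2', type: 'image', src: 'http://cdn.example.com/hero.jpg' },
        {
          id: 'grp1',
          type: 'group',
          children: [{ id: 'img3', type: 'image', src: 'https://images.unsplash.com/photo-1' }],
        },
        { id: 'img4', type: 'image', src: 'data:image/png;base64,AAAA' },
      ],
    },
  ],
};

module.exports = { checkAssetPolicy, hostAllowed, walkElements, SAMPLE_DESIGN, OWN_ASSET_HOSTS };
```

Run it against `SAMPLE_DESIGN` and `ok` is false with three violations (`img2` scheme, `img3` host, `img4` scheme); a design that only references your CDN passes. Wiring the check in front of the export or Cloud Render call turns the page's "use only your own assets" option into something you can assert on rather than trust.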
Dependencies & secure development
Audits. We run npm audit regularly. At present there are two “moderate” warnings related to Quill. These will be cleared with our next internal dependency update.
Why they don’t impact Polotno today:
We use Quill with a restricted formats list (no image, video, etc. by default).
In this configuration, Quill treats disallowed tags (e.g., <img onerror=…>) as literal text or as safe Delta ops without executable attributes, so the advisory path is not exploitable in Polotno’s editor.
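The restricted formats list protects content entered through the editor. Content can also reach a backend without passing through that editor (imported designs, an older client), so a server-side filter that mirrors the same allowlist at the Delta level is a common defence-in-depth step. The block below is an added example written for this overview, not Quill's or Polotno's code; `ALLOWED_FORMATS` and `SAMPLE_OPS` are constructed assumptions and do not reflect Polotno's actual configuration, and the choice to drop disallowed embeds rather than convert them to text is this example's own.

```javascript
// Added example (not Quill's or Polotno's code): allowlist filter for Quill Delta ops that
// mirrors an editor configured with a restricted `formats` list.
// Assumptions: ops use the Delta document shape ({ insert, attributes }), embeds are
// single-key objects such as { image: url }, and the allowlist below is illustrative only.
const ALLOWED_FORMATS = new Set(['bold', 'italic', 'underline', 'link']);
const SAFE_LINK_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// A link value survives only if it parses as an absolute URL with an allowed scheme;
// relative or unparseable values are rejected to keep the policy simple.
function isSafeLink(href) {
  try {
    return SAFE_LINK_SCHEMES.has(new URL(String(href)).protocol);
  } catch {
    return false;
  }
}

// Keep only allowlisted formats; anything else (color, custom keys, event-handler-like
// names such as onerror) is stripped rather than passed through.
function filterAttributes(attributes) {
  const kept = {};
  for (const [name, value] of Object.entries(attributes || {})) {
    if (!ALLOWED_FORMATS.has(name)) continue;
    if (name === 'link' && !isSafeLink(value)) continue;
    kept[name] = value;
  }
  return kept;
}

// Returns { ops, dropped }: the filtered document and the embed types that were removed.
function sanitizeDelta(ops) {
  const out = [];
  const dropped = [];
  for (const op of ops) {
    if (typeof op.insert === 'string') {
      const attributes = filterAttributes(op.attributes);
      out.push(Object.keys(attributes).length ? { insert: op.insert, attributes } : { insert: op.insert });
      continue;
    }
    if (op.insert && typeof op.insert === 'object') {
      const [embedType] = Object.keys(op.insert);
      if (!ALLOWED_FORMATS.has(embedType)) {
        dropped.push(embedType); // disallowed embed (e.g. image): removed entirely
        continue;
      }
      out.push({ insert: op.insert, ...(Object.keys(filterAttributes(op.attributes)).length ? { attributes: filterAttributes(op.attributes) } : {}) });
      continue;
    }
    dropped.push('non-insert'); // retain/delete ops do not belong in a stored document
  }
  return { ops: out, dropped };
}

// Constructed sample: a disallowed color, a javascript: link, an image embed carrying an
// onerror attribute, and a plain newline.
const SAMPLE_OPS = [
  { insert: 'Hello ', attributes: { bold: true, color: '#ff0000' } },
  { insert: 'docs', attributes: { link: 'javascript:alert(1)' } },
  { insert: { image: 'https://example.invalid/x.png' }, attributes: { onerror: 'alert(1)' } },
  { insert: '\n' },
];

module.exports = { sanitizeDelta, filterAttributes, isSafeLink, SAMPLE_OPS, ALLOWED_FORMATS };
```

On `SAMPLE_OPS` the result keeps `Hello ` with only `bold`, keeps `docs` with no attributes because the link scheme is rejected, drops the image embed (reported in `dropped`), and keeps the newline. The `dropped` list is worth logging on the server side: a steady trickle of removed embeds from one client is a useful signal that content is arriving by some path other than the configured editor.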
Supply chain. No hidden dynamic code loading. One exception: we dynamically load jspdf for PDF export to keep the base bundle small. If your policy forbids dynamic loads, you can embed jspdf upfront (larger bundle, no runtime fetch).
Version control. Pin versions via your lockfile to avoid unplanned changes.
Transparency
No telemetry
The SDK has no built-in analytics or tracking beacons.
Inspectable
All network calls are visible in DevTools.
FAQ (short)
Does Polotno upload our users’ images or designs?
No. The SDK doesn’t upload user content to Polotno. Any uploads go to services you configure. Cloud Render is optional and strictly job-based over HTTPS.
Do you collect user data?
No. We do not collect end-user personal data. Only license validation logs (key, domain, usage counts).
Can we avoid any dynamic loading?
Yes. You can bundle jspdf into your app to disable the dynamic fetch.
Copyright © 2025 Polotno