How is this different from Forge / APS, or open-source DWG libraries?

Forge is powerful but heavyweight and viewer-oriented. Open-source libraries (LibreDWG, ezdxf) get you started but break on real-world drawings and don't ship a hosted, billable API. CADLens is a single REST endpoint with a stable schema, fair pricing per parse, and zero infra to maintain.

What exactly do I get back in the JSON?

File metadata (units, layers, drawing extent), a versioned vector array (polylines, arcs, circles, splines, text, hatches, inserts) with coordinates and per-entity layer/color/bbox, plus a signed URL to a rendered PNG preview. Schema is versioned (currently 2024-01) and we never make breaking changes within a version.

Both. POST /v1/parse returns a job ID immediately. Poll GET /v1/jobs/{id} or register a webhook URL on the request. For files under ~2 MB you can pass wait=true to block on the response.

Do you store my CAD files?

Originals are stored encrypted, accessible only via signed URLs, and deleted after 7 days by default (configurable down to 1 hour on Builder+). You can issue a delete via the API or dashboard at any time.

Failed jobs — am I billed?

No. System-side failures (parser crash, timeout, infra error) are never billed. User-caused errors that we detect early (invalid file, unsupported version, oversized) also don't bill. Only successful parse jobs count against your plan.

Enterprise plans include a private VPC deployment with the same API surface. Talk to us about volume, SLA and data residency.

Security — CADLens

How we protect your data.

Encryption in transit — all API traffic is served over TLS 1.2+. HTTP requests are redirected to HTTPS. HSTS is enforced.
Encryption at rest — uploaded CAD files and generated PNG previews are stored in AWS S3 with server-side encryption (AES-256).
File retention — uploaded files are automatically deleted after the job result is retrieved or after 7 days, whichever comes first. We do not retain CAD data beyond what is necessary to complete the parse job.
Database — PostgreSQL with access restricted to private network. No public database endpoints. Backups are encrypted.
Network isolation — API, database, and Redis run in an isolated private network. Only the API port is publicly exposed behind a reverse proxy.

API keys and account security.

API keys — stored as SHA-256 hashes. The raw key is shown only once at creation and is never stored in plaintext. Lost keys must be revoked and regenerated.
Passwords — hashed with bcrypt (cost factor 12). Plaintext passwords are never stored or logged.
Sessions — short-lived JWTs (2-hour expiry) signed with RS256 private keys. Refresh tokens have a 7-day grace window.
OAuth — Google and GitHub sign-in use standard OAuth 2.0 flows with PKCE and state parameter CSRF protection.
Rate limiting — all public endpoints are rate-limited per IP. Authenticated endpoints are rate-limited per API key.

Uploaded CAD file handling.

File type is validated by magic bytes (not file extension) before processing. Files that do not match a supported CAD format are rejected immediately and never written to persistent storage.

Size limit — enforced at the API gateway before the file reaches the processing queue
Isolated processing — each parse job runs in an isolated worker process; a malformed file cannot affect other jobs
No cross-tenant access — job results are scoped to the API key that created them; other API keys cannot access your results
Signed URLs — PNG preview URLs are pre-signed S3 URLs with a short expiry (1 hour). They cannot be guessed or enumerated

How to keep your account secure.

Never commit API keys to source control. Use environment variables or a secrets manager (e.g. AWS Secrets Manager, HashiCorp Vault, Doppler).
Create scoped keys. Generate a separate API key per project or environment. Revoke keys that are no longer in use.
Use webhooks over polling. Webhook callbacks reduce the window during which a job result sits unclaimed on our servers.
Monitor usage. Review your usage dashboard regularly. Unexpected spikes may indicate a leaked key.
Rotate keys periodically. The dashboard supports generating a replacement key before revoking the old one, so rotation is zero-downtime.

Responsible disclosure policy.

We take security vulnerabilities seriously and appreciate the security community's efforts to responsibly disclose findings.

If you discover a security vulnerability in CADLens, please report it to us at [email protected] with a clear description of the vulnerability, steps to reproduce it, and your assessment of its impact. Please do not disclose the issue publicly until we have had a reasonable opportunity to address it.

Response time — we will acknowledge your report within 2 business days
Resolution target — critical vulnerabilities are patched within 7 days; high-severity within 30 days
Scope — the CADLens API (api.cadlens.co), dashboard, and public website
Out of scope — social engineering, physical attacks, volumetric DoS, issues in third-party services we use

We do not currently offer a bug bounty programme, but we will publicly credit researchers who responsibly disclose valid vulnerabilities (with their permission).

Security at CADLens.

How we protect your data.

API keys and account security.

Uploaded CAD file handling.

How to keep your account secure.

Responsible disclosure policy.

Security contact.