Encryption in Transit
All communication between your browser and our servers uses TLS 1.3, the latest and most secure transport encryption standard. Your files are encrypted before leaving your device. No one can intercept or read them during upload or download—not even your ISP.
You can verify our TLS configuration at SSL Labs (should score A+).
Encryption at Rest
Once uploaded, your files are encrypted on disk using AES-256, the same standard used by banks and governments. Even if someone physically accessed our servers, files are unreadable without encryption keys.
Each file uses a unique encryption key for maximum security.
Processing Security
During conversion, files are temporarily decrypted in memory only. Decrypted data is never written to disk. Each worker runs in an isolated process with limited permissions.
Access Control
Who can access your files?
- You: Download links use signed tokens valid for 24 hours
- Workers: Only the assigned worker can decrypt files for processing
- Admins: Cannot access file contents
- No one else: Files are not shared, indexed, or accessible via direct URLs
What We Don't Encrypt
Job metadata (filename, size, format, timestamp) and job status are not encrypted. This allows us to provide real-time status updates and queue management without decryption overhead.
What Encryption Protects Against
Our encryption protects against network interception, accidental exposure (misconfigured servers), unauthorized filesystem access, and backup leaks.
It does not protect against full system compromise, application vulnerabilities, or legal compulsion. No encryption system can protect against all threats, but ours follows industry best practices.
Compliance
Our encryption implementation supports GDPR, ISO 27001, and SOC 2 Type II compliance requirements for data encryption in transit and at rest.