We take security seriously
The security of ConvertAPI customers’ information is our top priority. It is supported by a comprehensive Information Security Management System that helps ensure the confidentiality, integrity, and availability of the ConvertAPI service. We continuously improve both organizational and technical security controls to address the evolving risk landscape.
ConvertAPI has received the ISO 27001 Information Security Management certification from TÜV Thüringen, demonstrating our commitment to maintaining top-notch security and compliance for our SaaS platform and file conversion service. Our dedication to providing our customers with a reliable and secure service remains unwavering.
Check our ISO 27001 certificate
The ISO 27001 Information Security Management certification highlights ConvertAPI’s commitment and approach to strengthen data security, continually improve processes, secure information assets, and reassure clients that the company operates with robust processes in place to safeguard information security at every level.
Key facts about our security policy and server infrastructure
24/7 Proactive Monitoring
All our systems are continuously monitored by automated systems for any availability and performance issues.
Transmission Encryption
Communication with our servers is securely encrypted using at least TLS 1.2.
Access Permissions
Fine-grained access control via system permissions, roles, and network addresses.
Automatic Updates
Benefit from full maintenance with automated system and application updates.
Professional Data Centers
We exclusively use data center provider IBM Cloud Services to ensure excellent physical security controls.
System & Data Backups
All our systems are regularly backed up for disaster recovery and system outages.
Data Protection
We are bound by and strictly follow the very strict European data protection laws.
Database Isolation
Separation of customer data with database-level isolation and access permissions.
High Availability
Careful attention to service availability allows us to consistently achieve more than 99.5% monthly uptime.
Business Continuity
Full redundancy of all important systems, global presence and world-class data connectivity.
Rapid System Restore
Our complete infrastructure is written as code, which allows us to fully restore service from scratch in another location within 4 hours.
We take compliance and data privacy seriously, and our ConvertAPI service is GDPR compliant, so you can be sure that we follow strict data privacy requirements. For more details on the data we process and the controls we have established, please refer to our Privacy Policy and Data Processing Terms document.
Our Privacy Policy and Data Processing Terms
Our policies
Human resources security
ConvertAPI has sound business ethics, which we maintain by hiring and retaining high-quality personnel. All employees know their responsibilities and roles in connection with information security and undergo regular security awareness training. That way, we minimize the risk of human error such as theft, fraud, and misuse of information assets.
Access control
We utilize a role-based security architecture built on the principle of least access and require users of the system to be identified and authenticated prior to the use of any system resources. For enhanced security, we enforce 2-factor authentication for every privileged user.
The security principles in our fundamental designs permit users and administrators to access the information they need based on their role in the system while restricting them from accessing information not needed for their role.
Encryption
We use encryption technologies to protect customer data both in transit and at rest (where applicable).
System development and maintenance
Our software development process includes extensive code reviews during the code development phase and before code is pushed to production. We also perform regular technical security audits and penetration testing exercises done by independent companies.
Supplier relations
We have designed and implemented controls to monitor our vendors. In addition, we perform due diligence on any vendor before signing the agreement. We review and make sure that our vendors meet the same or higher standards regarding security, availability, and confidentiality as we do for our customers.
Business continuity management
Redundancy is built into the ConvertAPI application in multiple layers of the system to help ensure that there is no single point of failure. In the event of a component failure, we have confirmed complete restoration of service in a new location within 4 hours during our regular disaster recovery plan tests, for which we perform a simulation every 12 months.
Governance, Risks and Compliance
We design our processes and procedures to meet the business objectives of our services. Those objectives are based on the service commitments that we make to user entities, the laws and regulations that govern the provision of the services, and the financial, operational, and compliance requirements that we have established.
What happens in case of incidents
We continuously monitor our system and infrastructure for security incidents. Incident response policies and procedures are in place and regularly reviewed to guide our team in reporting and responding properly to information system incidents, which also requires us to inform our customers in case of security incidents.
Operational security
Servers
We use encryption technologies to protect customer data both in transit and at rest (where applicable).
Data
Production customer data is encrypted in transit and at rest. We use up-to-date SSL/TLS versions to secure the data. At-rest data is encrypted using AES algorithms. Production data is never used in development or test environments.
Change management
We follow industry best practices and modern DevOps techniques to maintain the ConvertAPI application. The change management process is documented and regularly audited for non-conformities. Upon significant changes, customers are informed in advance, in a timely manner, via email. We have several stages of code review and quality assurance before changes are implemented in production.
System monitoring and alerting
The ConvertAPI system is monitored 24/7 by a set of different monitoring tools. Our historical uptime is 99.9% or higher. Critical alerts are immediately sent to the DevOps team and escalated to operations management and the incident response procedure. Want to see for yourself? Check our past month’s statistics here: https://status.convertapi.com/
Rigorously chosen service providers
We work only with service providers for which security is a top priority. Each of our business partners is chosen after a rigorous due-diligence process and closely monitored by our Security Team. Some of our business partners process your information on our behalf in compliance with our Privacy Policy. We ensure that all our data is processed within the EU/EEA.
Service availability and business continuity
Fully insured
We are fully insured against professional indemnity, privacy breaches, and cyber attacks up to €1M. Of course, we hope we won’t have to use it, but it provides extra comfort to our customers and us. We will maintain valid insurance throughout the delivery of our services.
Read more about insurance
Legal documents
- Anti-bribery and corruption policy
- Privacy policy and data processing terms
- Insurance policy certificate
Frequently Asked Questions
We are running our own physical servers located at IBM Cloud Services data centers in several locations around the world. On top of the physical hardware layer, we utilize a private Kubernetes cluster, which helps to obtain the benefits of the cloud while allowing us to keep complete control.
You can choose one of two options for processing files converted via ConvertAPI: either use short-term non-persistent storage (in this case, converted files are stored for up to 3 hours and then deleted automatically), or have the file conversion processed in memory only, with results sent back to you without even short-term disk storage. For additional security, we restart all Kubernetes instances every two hours so that the memory is purged as well.
ConvertAPI uses the following sub-processors:
- Crisp IM SARL (only when Personal Data is processed during customer support requests via chat).
- Google Ireland Ltd. (only when Personal Data is processed during e-mail communication).
- IBM Cloud Services (physical and cloud hosting provider).
- Mezmo Inc. (operational logs storage and alerts generation).
- Microsoft Azure (source code repository).
- Paddle.com (payment processor, only applicable for payment-related data).