We take security seriously

The security of ConvertAPI customers’ information is our top priority which is supported by a comprehensive Information Security Management System helping to ensure confidentiality, integrity, and availability of ConvertAPI service. We continuously improve both organizational and technical security controls to address the evolving risk landscape.

The ISO 27001 Information Security Management certification highlights ConvertAPI’ s commitment and approach to strengthen data security, continually improve processes, secure information assets, and reassure clients that the company operates with robust processes in place to safeguard information security at every level.

Key facts about our security policy and server infrastructure

24/7 Proactive Monitoring

All our systems are continuously monitored by automated systems for any availability and performance issues.

Transmission Encryption

Communication with our servers is securely encrypted using at least TLS 1.2.

Access Permissions

Fine-grained access control via system permissions, roles, and network addresses.

Automatic Updates

Benefit from full maintenance with an automated system and application updates.

Professional Data Centers

We exclusively use data center provider IBM Cloud Services to ensure excellent physical security controls.

System & Data Backups

All our systems are regularly backed up for disaster recovery and system outages.

Data Protection

We are bound to and strictly follow the very strict European data protection laws.

Database Isolation

Separation of customer data with database-level isolation and access permissions.

High Availability

Careful attention to service availability allows us to continuously beat > 99.5% monthly uptime.

Business Continuity

Full redundancy of all important systems, global presence and world-class data connectivity.

Rapid System Restore

Our complete infrastructure written as a code allows us to fully restore service from scratch within 4 hours in another location.

Our policies

Human resources security

ConvertAPI has sound business ethics, which we maintain by hiring and retaining high-quality personnel. All employees know their responsibilities and roles in connection with information security and undergo regular security awareness training. That way, we minimize the risk of human error such as theft, fraud, and misuse of information assets.

Access control

We utilize a role-based security architecture with least access principle and require users of the system to be identified and authenticated prior to the use of any system resources. For enhanced security, we enforce 2-factor authentication for every privileged user.

Security principles within our fundamental designs are designed to permit users and administrators to access the information they need based on their role in the system while restricting them from accessing information not needed for their role.


We use encryption technologies to protect customer data both in transit and at rest (where applicable).

System development and maintenance

Our software development process includes extensive code reviews during the code development phase and before code is pushed to production. We also perform regular technical security audits and penetration testing exercises done by independent companies.

Supplier relations

We have designed and implemented controls to monitor our vendors. In addition, we perform due diligence on any vendor before signing the agreement. We review and make sure that our vendors meet the same or higher standards regarding security, availability, and confidentiality as we do for our customers.

Business continuity management

Redundancy is built into the ConvertAPI application in multiple layers of the system to help ensure that there is no single point of failure. In the event of a component failure, we have confirmed complete restoration of service in a new location within 4 hours our regular disaster recovery plan tests, on which we perform a simulation every 12 months.

Governance, Risks and Compliance

We design our processes and procedures to meet the business objectives of our services. Those objectives are based on the service commitments that we make to user entities, the laws and regulations that govern the provision of the services, and the financial, operational, and compliance requirements that we have established.

What happens in case of incidents

We continuously monitor our system and infrastructure for security incidents. Incident response policies and procedures are in place and regularly reviewed to guide our team in reporting and responding properly to information system incidents, which also requires us to inform our customers in case of security incidents.

Operational security


We use encryption technologies to protect customer data both in transit and at rest (where applicable).


Production customer data is encrypted in transit and at rest. We use up-to-date SSL/TLS versions to secure the data. At-rest data is encrypted using AES algorithms. Production data is never used in development or test environments.

Change management

We follow industry best practices and modern DevOps techniques to maintain the ConvertAPI application. The change management process is documented and regularly audited for non-conformities. Upon significant changes, customers are informed in a timely manner in advance via email . We have several stages of code review and quality assurance before changes are implemented in production.

System monitoring and alerting

The ConvertAPI system is monitored 24/7 by a set of different monitoring tools. Our historical uptime is 99.9% or higher. Critical alerts are immediately sent to the DevOps team and escalated to operations management and the incident response procedure. Want to see for yourself? Check our past month’s statistics here: https://status.convertapi.com/

Rigorously chosen service providers

We work only with those service providers to which security is a top priority. Each of our business partner is chosen after a rigorous due-diligence process and closely monitored by our Security Team. Some of our business partners process your information on our behalf in compliance with our Privacy Policy. We ensure that all our data shall be processed within the EU/EEA.

Fully insured

Anti-bribery and corruption policy View
Privacy policy and data processing terms View
Insurance policy certificate View

Frequently Asked Questions

We are running our own physical servers located at IBM Cloud Services data centers in several locations around the World. On top of the physical hardware layer, we utilize a private Kubernetes cluster, which helps to obtain the benefits of the cloud while allowing us to keep complete control.

You can choose one of two options for processing files converted via ConvertAPI, either to use short term non-persistent storage (in this case, converted files would be stored for up to 3 hours and then deleted automatically) or that file conversion would be processed in memory only with results send back to you without even short term disk storage. For additional security, we restart all Kubernetes instances every two hours so that that memory would be purged as well.

ConvertAPI uses the following sub-processors:

  • Crisp IM SARL (only when Personal Data is processed during customer support requests via chat).
  • Google Ireland Ltd. (only when Personal Data is processed during e-mail communication)
  • IBM Cloud Services (physical and cloud hosting provider).
  • Mezmo Inc. (operational logs storage and alerts generation)
  • Microsoft Azure (source code repository)
  • Paddle.com (payment processor, only applicable for payment-related data).

Get started with ConvertAPI now!