Safe, Secure, & Legally Binding

The security of ConvertAPI customers’ information is our top priority, supported by a comprehensive Information Security Management System that helps ensure the confidentiality, integrity, and availability of the ConvertAPI service. Find our latest DPAs, BAAs, policies, and security docs in the Trust Center. Everything you need in a single place - versioned and always current.

Certified Security, Verified by ISO 27001

The ISO 27001 Information Security Management certification highlights ConvertAPI’s commitment and approach to strengthening data security, continually improving processes, securing information assets, and reassuring clients that the company operates with robust processes in place to safeguard information security at every level.

We maintain enterprise-level infrastructure, so you don’t have to

We run on hardened bare-metal servers with firewalls and isolated containers, maintained and patched by our security engineers around the clock.

24/7 Proactive Monitoring

All our systems are continuously monitored by automated systems for any availability and performance issues.

Transmission Encryption

Communication with our servers is securely encrypted using at least TLS 1.2.

Access Permissions

Fine-grained access control via system permissions, roles, and network addresses.

Automatic Updates

Benefit from full maintenance with automated system and application updates.

Professional Data Centers

We exclusively use data center provider IBM Cloud Services to ensure excellent physical security controls.

System & Data Backups

All our systems are regularly backed up for disaster recovery and system outages.

Data Protection

We are bound by, and strictly follow, the very strict European data protection laws.

Database Isolation

Separation of customer data with database-level isolation and access permissions.

High Availability

Careful attention to service availability allows us to consistently exceed 99.5% monthly uptime.

Business Continuity

Full redundancy of all important systems, global presence and world-class data connectivity.

Rapid System Restore

Our complete infrastructure is written as code, which allows us to fully restore service from scratch within 4 hours in another location.

HIPAA-Compliant Document Processing

Built to Meet the Toughest Compliance Standards

Human resources security

ConvertAPI has sound business ethics, which we maintain by hiring and retaining high-quality personnel. All employees know their responsibilities and roles in connection with information security and undergo regular security awareness training. That way, we minimize the risk of human error such as theft, fraud, and misuse of information assets.

Access control

We utilize a role-based security architecture with the least access principle and require users of the system to be identified and authenticated prior to the use of any system resources. For enhanced security, we enforce 2-factor authentication for every privileged user.

The security principles built into our fundamental designs permit users and administrators to access the information they need based on their role in the system while restricting them from accessing information not needed for their role.

Encryption

We use encryption technologies to protect customer data both in transit and at rest (where applicable).

System development and maintenance

Our software development process includes extensive code reviews during the code development phase and before code is pushed to production. We also perform regular technical security audits and penetration testing exercises done by independent companies.

Supplier relations

We have designed and implemented controls to monitor our vendors. In addition, we perform due diligence on any vendor before signing the agreement. We review and make sure that our vendors meet the same or higher standards regarding security, availability, and confidentiality as we do for our customers.

Business continuity management

Redundancy is built into the ConvertAPI application in multiple layers of the system to help ensure that there is no single point of failure. In the event of a component failure, we have confirmed complete restoration of service in a new location within 4 hours in our regular disaster recovery plan tests, for which we perform a simulation every 12 months.

Governance, Risks and Compliance

We design our processes and procedures to meet the business objectives of our services. Those objectives are based on the service commitments that we make to user entities, the laws and regulations that govern the provision of the services, and the financial, operational, and compliance requirements that we have established.

What happens in case of incidents

We continuously monitor our system and infrastructure for security incidents. Incident response policies and procedures are in place and regularly reviewed to guide our team in reporting and responding properly to information system incidents, which also requires us to inform our customers in case of security incidents.

Enterprise-Grade Trust with SOC 2 Compliance

ConvertAPI is designed and independently audited to meet the strict security, availability, and confidentiality criteria established by the SOC 2 framework. This validation ensures enterprise organizations can safely process high-volume documents and sensitive data with full confidence that every file conversion workflow adheres to rigorous, continuously monitored internal controls.

Operational security

Servers

We use encryption technologies to protect customer data both in transit and at rest (where applicable).

Data

Production customer data is encrypted in transit and at rest. We use up-to-date SSL/TLS versions to secure the data. At-rest data is encrypted using AES algorithms. Production data is never used in development or test environments.

Change management

We follow industry best practices and modern DevOps techniques to maintain the ConvertAPI application. The change management process is documented and regularly audited for non-conformities. Customers are informed of significant changes in advance and in a timely manner via email. We have several stages of code review and quality assurance before changes are implemented in production.

System monitoring and alerting

The ConvertAPI system is monitored 24/7 by a set of different monitoring tools. Our historical uptime is 99.9% or higher. Critical alerts are immediately sent to the DevOps team and escalated to operations management and the incident response procedure. Want to see for yourself? Check our past month’s statistics here: https://status.convertapi.com/

Effortless GDPR Compliance for Your Workflows

Trusted Vendors, Continuously Verified

We work only with service providers for which security is a top priority. Each of our business partners is chosen after a rigorous due-diligence process and closely monitored by our Security Team. Some of our business partners process your information on our behalf in compliance with our Privacy Policy. We ensure that all our data is processed within the EU/EEA.



Full Insurance for Your Peace of Mind

All legal documents and contracts related to your use of ConvertAPI - including Business Associate Agreements (BAAs), Data Processing Agreements (DPAs), and other compliance-related materials - can be reviewed and signed directly through the Contracts section on your account dashboard.

Frequently Asked Questions

We run our own physical servers located at IBM Cloud Services data centers in several locations around the world. On top of the physical hardware layer, we utilize a private Kubernetes cluster, which helps us obtain the benefits of the cloud while allowing us to keep complete control.

You can choose one of two options for processing files converted via ConvertAPI: either use short-term non-persistent storage (in this case, converted files are stored for up to 3 hours and then deleted automatically), or have the file conversion processed in memory only, with results sent back to you without even short-term disk storage. For additional security, we restart all Kubernetes instances every two hours so that memory is purged as well.

ConvertAPI uses the following sub-processors:

  • Crisp IM SARL (only when Personal Data is processed during customer support requests via chat).
  • Google Ireland Ltd. (only when Personal Data is processed during e-mail communication).
  • IBM Cloud Services (physical and cloud hosting provider).
  • Mezmo Inc. (operational logs storage and alerts generation).
  • Cloudflare
  • Paddle.com (payment processor, only applicable for payment-related data).
