Security and Compliance

1. Security approach

Everything Convert is designed around data minimization. Where practical, conversion work runs in the user's browser so files do not need to be uploaded to our servers. This reduces unnecessary file handling and limits the amount of information we need to store.

When account features, usage limits, payment features, or future advanced conversions require server-side systems, we aim to limit access, collect only necessary data, and use established providers for authentication, hosting, database, and payments.

2. Browser-based conversion

Many tools currently use browser APIs and client-side libraries. In these workflows, the selected file is processed locally by your browser, and the output is generated on your device. Browser-based processing can improve privacy, but it still depends on your device security, browser security, and the libraries loaded by the page.

Some features may be limited by browser memory, file size, format complexity, fonts, embedded media, scanned documents, or unsupported file structures.

3. Authentication and account data

Authentication and user profile storage are handled through Supabase. Account-related data may include email address, user ID, nickname, role, plan level, login provider, and timestamps needed to operate the account system.

Access to account-related features should be protected with Supabase authentication, database permissions, and row-level security policies where appropriate. Administrative access should be limited to trusted operators only.

4. Payments and PCI scope

Payments, donations, and future subscriptions are expected to be handled by Stripe-hosted payment flows or Stripe-managed checkout components. This helps reduce our exposure to payment card data because full card numbers are handled by Stripe rather than stored directly by Everything Convert.

PCI compliance is a shared responsibility. Stripe provides payment infrastructure and PCI-related tools, while Everything Convert remains responsible for integrating payment flows securely, protecting account access, and avoiding unsafe handling of payment data.

5. Hosting and infrastructure

The site may be hosted through Vercel or similar hosting infrastructure. Hosting providers can provide HTTPS, deployment isolation, DDoS mitigation, logging, edge delivery, and security controls depending on the plan and configuration.

We are responsible for our own application code, secrets, access control, dependency choices, configuration, and any serverless functions or APIs we deploy.

6. File handling and retention

For browser-only conversions, files are not intentionally stored by Everything Convert. If future server-side conversion is introduced, uploaded files should be used only to perform the requested conversion, then deleted or made inaccessible after a reasonable operational period unless retention is needed for security, troubleshooting, abuse prevention, or legal compliance.

Users should keep their own backups. We do not promise permanent storage, recovery, archival access, or guaranteed availability of converted outputs.

7. Data protection controls

Current and planned controls may include HTTPS, provider-managed authentication, limited database access, role-based administrative functions, local browser processing where possible, usage-limit checks, abuse monitoring, secure payment redirects, and dependency updates.

As the service matures, we plan to improve audit logging, incident response documentation, backup procedures, access reviews, security headers, vulnerability scanning, and clearer retention rules for any server-processed files.

8. Compliance posture

Everything Convert is not currently claiming independent SOC 2, ISO 27001, HIPAA, PCI DSS merchant certification, or other formal compliance certification for the entire service. Some infrastructure providers we use may maintain their own certifications or compliance programs, but those provider certifications do not automatically certify Everything Convert as a whole.

If you need to use the service for regulated data, healthcare data, government data, legal evidence, financial records, or confidential enterprise documents, contact us first so we can discuss whether the current service is appropriate for your requirements.

9. Responsible disclosure

If you believe you found a security issue, please contact us at contact@everythingconvert.com. Include a clear description, affected URL, steps to reproduce, potential impact, and any screenshots or logs that help us understand the issue.

Do not access, modify, delete, download, or disclose data that does not belong to you. Do not perform denial-of-service testing, automated scanning at high volume, social engineering, spam, or attacks against users or third-party providers.

10. User security responsibilities

Users should keep devices and browsers updated, use strong account passwords, protect email and Google accounts, avoid shared computers for sensitive work, verify converted output before relying on it, and avoid uploading highly sensitive documents unless they understand the risks.

11. Contact

Security questions, compliance requests, and vulnerability reports can be sent to contact@everythingconvert.com.