Privacy & Compliance
GDPR-Compliant File Conversion — No Upload Required
ConvertYard converts files entirely inside your browser. Your documents never reach a server — not ours, not anyone's. That's not a policy. It's the architecture.
What this means for you
- ✓ Zero GDPR obligations — no data processor agreement needed
- ✓ No BAA required for HIPAA-covered entities
- ✓ No upload logs, no retention risk, no breach surface
- ✓ Verify it yourself: open DevTools → Network while converting
Who this is for
- Legal teams handling contracts and NDAs
- HR processing sensitive employee documents
- Healthcare staff converting patient records
- Finance teams with confidential reports
- Anyone under GDPR, HIPAA, or SOC 2 constraints
How ConvertYard compares
| Feature | ConvertYard | Server-based tools |
|---|---|---|
| Files uploaded to a server | Never | Yes |
| GDPR data processor agreement | Not required | Required |
| HIPAA BAA required | No | Yes, if handling PHI |
| Upload logs retained | None | Varies by provider |
| Breach surface | Zero | Server-side |
| Works offline | Yes | No |
| Cost | Free | Free / Paid |
The details
GDPR by architecture
Under GDPR, if you upload a file containing personal data to a third-party service, that service becomes a data processor. You need a signed DPA. The processor must handle deletion, breach notification, and data subject requests. ConvertYard is not a data processor because it never receives your files. Conversion happens inside your browser via WebAssembly — the same C++ libraries (MuPDF, pdf-lib) that would run on your server, running locally on your CPU instead. No upload = no processor relationship = no GDPR obligation beyond what you already have for your own device.
No HIPAA BAA required
Covered entities and business associates under HIPAA must have a BAA with every vendor that handles PHI. If you upload a patient record to CloudConvert or Smallpdf, those companies become business associates — and you need a signed BAA, data retention policies, and breach notification procedures in place. ConvertYard never receives the file. The PHI never leaves your workstation. There is no business associate relationship to establish.
Verify it yourself — in 30 seconds
Open your browser DevTools (F12 → Network tab). Drop a file into any ConvertYard tool and click Convert. Watch the Network tab. You'll see requests to load WebAssembly modules — but you won't see your file being uploaded anywhere. The bytes stay local. This is the only meaningful privacy proof: not a privacy policy, not a compliance certificate, but the absence of an upload request in your own browser.
The tools compliance teams use most
Common questions
Does ConvertYard qualify as a GDPR data processor?
No. Under GDPR, a data processor is an entity that processes personal data on behalf of a controller. Because ConvertYard never receives your files — all processing runs in your browser — there is no data processing relationship to regulate. You do not need a DPA with ConvertYard.
Do I need a HIPAA BAA to use ConvertYard with patient records?
No. A BAA is required when a business associate receives, creates, or maintains PHI. ConvertYard never receives your files. Conversion happens inside your browser via WebAssembly. The file bytes never leave your device, so no business associate relationship is formed.
How can I prove files are not uploaded?
Open your browser DevTools (F12), go to the Network tab, then drop a file and convert it. You will see requests to load WebAssembly modules on first use, but no request containing your file data. The conversion output is assembled locally and offered as a download — no server involved.
Can ConvertYard be used on air-gapped or restricted networks?
After the first page load, ConvertYard's WebAssembly modules are cached by the browser. Subsequent conversions work without any network access. This makes it suitable for environments with strict outbound restrictions, provided the initial load is permitted.
Is this true for all ConvertYard tools?
Yes. Every ConvertYard tool processes files locally — image converters, PDF tools, video extractors, and document converters all use client-side WebAssembly. The privacy guarantee is architectural, not tool-specific.
Start converting — no account, no upload, no risk