Security & Privacy Documentation

Overview

Convert To Markdown is designed with a zero-storage architecture. We process your documents in memory and immediately discard them. This document explains our comprehensive security measures and privacy commitments.

Our Core Security Promise

We NEVER Store Your Data

Your Files

Processed in memory only
Deleted immediately

Your Content

Never saved to disk
Never logged

Your Information

No databases
No file systems

No Tracking

No analytics on content
No data mining

Data Handling Process

How Your Documents Flow Through Our System

graph LR A[1. You Upload File] --> B[2. Received in Memory] B --> C[3. Processed in Memory] C --> D[4. Result Sent to You] D --> E[5. Memory Cleared] style A fill:#e3f2fd style E fill:#ffcdd2 F[ Never Stored] -.-> B F -.-> C F -.-> D

Detailed Data Lifecycle

What Happens

File Upload (0-2 seconds)
- Received as stream
- Buffered in RAM only
- Size validated (5MB limit)
Processing (1-3 seconds)
- Conversion in memory
- No temp files created
- No disk writes
Response (< 1 second)
- Result streamed to you
- Connection closed
- Memory released

What NEVER Happens

Files saved to disk
Content logged to files
Database storage
Backup copies made
Cache retention
Third-party sharing
Analytics on content
Long-term retention

Technical Security Measures

Infrastructure Security

Layer	Technology	Security Benefit
Hosting	Google Cloud Functions	Isolated execution environment Automatic security patches No persistent storage available Managed infrastructure
Runtime	Stateless Functions	New instance for each request Memory cleared after execution No data persistence between calls Automatic scaling and isolation
Network	HTTPS Only	TLS 1.3 encryption in transit Certificate pinning No HTTP fallback Secure headers enforced
Processing	Memory-Only Operations	Stream processing No temporary files Buffer size limits Automatic garbage collection

Application Security

Input Validation

File type verification
MIME type checking
Size limit enforcement (5MB)
Malformed file rejection
Content scanning

Processing Isolation

Sandboxed execution
Resource limits
Timeout protection
Memory limits
CPU throttling

Output Safety

Sanitized responses
No code execution
Clean data only
Structured formats
Error message filtering

Privacy & Compliance

Privacy by Design

What We Know

Minimal Metadata Only:

Request timestamp
File size (not content)
Conversion type requested
Success/error status
Response time

Used For:

Service monitoring
Error tracking
Performance optimization
Capacity planning

What We DON'T Know

Zero Content Knowledge:

File contents
Document text
Spreadsheet data
Personal information
Business data
File names (optional)
User identity
IP addresses (after request)

Compliance Standards

Standard	Status	Details
GDPR	Compliant	No personal data storage, data minimization
CCPA	Compliant	No California resident data collected
SOC 2	Planned	Type II certification roadmap
HIPAA	Not Required	No health data storage, but secure processing
PCI DSS	N/A	No payment data handled

Security Incident Response

Our Security Commitments

If a Security Issue Occurs:

Immediate Response (<1 hour)
- Service isolation
- Threat assessment
- Mitigation deployment
Communication (<4 hours)
- Status page update
- Email to affected users
- Detailed timeline
Resolution (<24 hours)
- Fix deployment
- Security audit
- Prevention measures

Why We're Lower Risk:

No Data Storage = Minimal Impact

No historical data to breach
No user databases
No file repositories
No persistent secrets
Limited attack surface

Even if compromised:

Only in-flight data affected
No past conversions at risk
No future data exposed

API Security

Authentication & Authorization

API Keys

Unique per account
Revocable anytime
Rate limit enforcement
Usage tracking only

HTTPS Required

TLS 1.3 minimum
Strong cipher suites
Certificate validation
HSTS enabled

CORS Policy

Controlled origins
Preflight validation
Secure headers
XSS protection

Rate Limiting & Protection

graph TD A[Incoming Request] --> B{API Key Valid?} B -->|No| C[401 Unauthorized] B -->|Yes| D{Rate Limit OK?} D -->|No| E[429 Too Many Requests] D -->|Yes| F{File Valid?} F -->|No| G[400 Bad Request] F -->|Yes| H[Process Request] style C fill:#ffcdd2 style E fill:#ffcdd2 style G fill:#ffcdd2 style H fill:#c8e6c9

Security Best Practices for Users

How to Use Our Service Securely

DO

Use HTTPS for all requests
Validate the response before using
Implement timeout handling
Rotate API keys periodically
Monitor your usage patterns
Test with non-sensitive data first

DON'T

Don't send passwords in documents
Don't include API keys in files
Don't upload sensitive PII unnecessarily
Don't store API keys in code
Don't disable SSL verification
Don't ignore error messages

Handling Sensitive Documents

If you must convert sensitive documents:

Review the document first - remove unnecessary sensitive data
Use a secure connection (verified HTTPS)
Process during low-risk time windows
Verify the conversion completed successfully
Clear local copies after processing

Security FAQ

Q: Where are files stored?

A: They're NOT stored. Files exist only in memory during processing (typically 2-3 seconds) then are completely removed.

Q: Can you see my documents?

A: No. Our system processes files automatically without human access. No logging of content occurs.

Q: What about backups?

A: No backups exist. Since we don't store data, there's nothing to back up.

Q: Is my data encrypted?

A: Yes, in transit. All communications use TLS 1.3. In memory, data is processed in plaintext but never persisted.

Q: Who has access to the servers?

A: Limited Google Cloud team only. We use managed infrastructure with strict access controls.

Q: Can I verify no storage?

A: Yes. Our architecture on Cloud Functions literally has no persistent storage available.

Q: What logs do you keep?

A: Minimal operational logs only. Timestamp, status code, processing time. No document content.

Q: How can I be sure?

A: Our code architecture makes storage impossible. Stateless functions + no database = no storage.

Enterprise Security

Additional Controls for Enterprise Customers

Feature	Standard	Enterprise
IP Allowlisting		Restrict access to your IPs
Private Endpoints		VPC peering available
Audit Logs	Basic	Detailed access logs
SLA	Best effort	99.9% uptime guarantee
Support	Email	24/7 dedicated support
Compliance Docs	Self-service	Custom attestations

📞 Security Contact

Reporting Security Issues

If you discover a security vulnerability:

DO NOT post publicly
Email: lindsay@knowcode.tech
Include:
- Description of the issue
- Steps to reproduce
- Potential impact
- Your contact information

We respond to all security reports within 24 hours.

Regular Security Practices

Daily

Automated security scans
Log monitoring
Anomaly detection
Performance checks

Monthly

Dependency updates
Security patches
Access review
Incident drills

Annually

Third-party audit
Penetration testing
Architecture review
Policy updates

Enterprise On-Premise Option

Need absolute control? Deploy Convert To Markdown in your own Google Cloud account.

Complete data sovereignty - Your data never leaves your infrastructure
Full compliance control - Meet the strictest regulatory requirements
Customizable deployment - Modify and extend to your needs
Your monitoring - Integrate with your existing security tools
Your governance - Apply your security policies and controls

Contact us for Enterprise On-Premise deployment →

Why On-Premise?

Benefit	Description
Data Residency	Keep all processing within your geographic boundaries
Compliance	Meet HIPAA, SOC2, ISO 27001, or custom requirements
Integration	Connect directly to your internal systems
Customization	Modify the code to fit your exact needs
Control	Full visibility into every aspect of operation

Summary

Your Security is Our Priority

Convert To Markdown provides document conversion with:

ZERO data storage - Nothing saved, ever
Memory-only processing - No temp files
Encrypted transmission - HTTPS/TLS 1.3
Isolated execution - Sandboxed environment
Transparent practices - Clear documentation
On-Premise option - Deploy in your own infrastructure