Security

Secure by Design: How PrivConvert Isolates Every File Conversion

topriv Blog · June 19, 2026 · 5 min read

Most online file converters work the same way: you upload a file, it lands on a server, and code on that server opens it, reads it, and converts it. That creates two quiet risks. First, your file - which might be a contract, a medical record, or a personal photo - is now sitting on someone else's machine. Second, opening files you didn't create is one of the oldest and most dangerous jobs in software: a single malformed file can try to push a converter to misbehave.

PrivConvert is built around a simple commitment: a file you convert should never be able to reach your data, anyone else's data, or the rest of the system - and the moment the job is done, it should disappear. We call this secure by design, and it shapes every conversion that runs on the platform.

What happens to your file

The lifecycle of a conversion is intentionally short and one-directional. Your file goes in, the work happens inside a sealed space, you get your result, and then it's erased.

Your filegoes in
Isolated conversionno network
Your resultcomes out
Erasednothing kept

There's no step where your file is parked, profiled, or set aside. It exists only as data being processed, for as long as the conversion takes - and not a moment longer.

Three principles behind every conversion

1

Isolation

Each conversion runs inside its own locked-down sandbox, walled off from the rest of the system and from everyone else's jobs. Even a file built to attack the converter has nowhere to go.

2

Containment

Every job runs under strict resource boundaries. One file can't hog the system or affect anyone else, and if a job ever misbehaves the impact stays scoped to that single job.

3

Zero retention

Files are processed in memory and erased as soon as the job finishes. We don't keep copies, and we don't log the contents of your files.

No way out

The most important property of the sandbox is what it can't do. A conversion has no reason to reach the internet, so it simply can't - there is no path out to fetch a remote resource, phone home, or send your data anywhere. Each job is sealed on the way in and on the way out.

Sealed conversion Network
Files are converted inside a sealed boundary with no route to the network - nothing your file touches can reach the outside.

What this means for you

The difference between a conversion that's contained and one that isn't is invisible until something goes wrong. Here's how the everyday experience compares.

A typical online converter

Your file is uploaded and stored on a server. The same process may handle many people's files at once. Files and metadata can be logged or kept. You often have to create an account first.

PrivConvert

Each conversion runs in its own isolated, network-less sandbox. Jobs can't see each other. Files are processed in memory and erased immediately. No account, no tracking, no content logs.

Defense in depth, not a single wall

No single safeguard is ever the only thing standing between a file and your data. PrivConvert layers several independent protections, so that even in the unlikely event one of them failed, the others would still keep a conversion contained. Security that leans on one wall isn't really security - it's a single point of failure waiting to happen.

That layered approach is also why a hostile file gets nowhere. To cause harm it would have to break out of an isolated sandbox, get past strict resource limits, and find a network path that doesn't exist - all at once. Each layer is designed to hold on its own.

We don't just assume this holds - we test it. Our research team published the results of running thousands of deliberately hostile files through a confined conversion workload in a PrivLab containment study: every job stayed inside its own disposable boundary, with no escapes and nothing reaching the network.

Why we keep the “how” brief

You'll notice we describe what our protections do, not the exact nuts and bolts of how they're built. That's deliberate. Good security should never depend on secrecy - but it also shouldn't hand anyone a map. So we focus on the things you can actually verify yourself:

Privacy you have to take on faith isn't worth much. Privacy you can confirm - and that's reinforced by an architecture built to contain failure rather than hope it never happens - is the whole point.

Part of a privacy-first toolkit

PrivConvert is one of several tools topriv builds around the same principle: your data stays yours.

PrivConvert

Convert files privately. 200+ tools.

.priv Format

Open encryption standard

PrivDrop

Share files securely

Convert a file with PrivConvert, encrypt it with the .priv format, and share it with PrivDrop - all without your data ever being stored or studied along the way.

Convert a file the private way

No upload-and-pray. Isolated, in-memory, erased when it's done. No account, no tracking.

Try PrivConvert →

topriv builds privacy-first digital tools. Follow us on X, Telegram, YouTube, and TikTok.