Security

How C4File.com handles your files and data

Your files stay on your device

Conversion happens entirely in your browser using WebAssembly. File data is never transmitted to any server. This is an architectural property of how the site is built.

Verify it yourself

You don't have to take our word for it. Two quick checks anyone can run in the browser:

1. Check the Network tab

   Open DevTools (press F12 on Windows or Linux, or Cmd+Option+I on Mac), go to the Network tab, and convert a file.

   Filter by Fetch/XHR or sort by size. You'll see requests for static assets (HTML, CSS, JS, WASM, images), plus analytics only if you allowed it. There are no upload or multipart requests containing file data.

2. Read the Content-Security-Policy

   Our CSP header tells the browser which hosts the page is allowed to talk to. No arbitrary upload endpoint is on that list, so even if something in our page tried to send your file somewhere, the browser would block it.

   View the header live in DevTools (F12 on Windows or Linux, Cmd+Option+I on Mac) → Network → click any request → Response Headers.

Hosting

C4File.com is a static site served by Cloudflare. Cloudflare carries the tool's HTML, CSS, JavaScript, and WebAssembly binary to your browser. Because your file never enters a network request, Cloudflare never sees your file data.

Tool code carrier

Cloudflare

Customer file data

Stays on your device. Never transits Cloudflare or any other network.

TLS

TLS 1.3, HSTS enabled, strict Content-Security-Policy

Analytics

Google Analytics 4. GA does not receive your file data.

Operator Security

C4File.com is built and operated by Secureframe, a US-based compliance automation platform trusted by thousands of organizations and defense contractors. Secureframe holds:

See our full trust center at trust.secureframe.com.

Reporting a security issue

To report a security vulnerability in C4File.com, email [email protected] with the subject line C4File.com security report.