Cette page est aussi disponible en English
Trust & security

You're about to depend on us. Here's why that's safe.

Enconvert is built and run by two founders, Het and Om, in Ahmedabad. You are weighing whether to make a small, unknown API a production dependency. This page is everything we would want to read before doing the same, written for engineers and not for lawyers. Every claim points at the mechanism behind it, and where we fall short we say so here instead of waiting for you to find out.

Last updated 3 July 2026security@enconvert.com
The honesty contract

Most scrapers lie to your agent. Ours files a report.

The failure that scares every AI engineer is not the crash. It is the silent lie: a scraper hands your agent a Cloudflare challenge page, the agent treats it as content, and acts confidently on garbage. You hear about it from a customer. The core of Enconvert is a refusal to do that.

Every read is scored, 0.0 to 1.0

Each /v2/perceive, /v2/distill, and /v2/watch render runs through a deterministic 8-signal quality model: anti-bot markup, CAPTCHA and bot-detection pages, login walls, empty bodies, JavaScript console errors, failed subresources, cross-domain redirects, and slow renders. The score comes back in the response, read from the real browser session.

A blocked page is named, not hidden

When a render trips the anti-bot, CAPTCHA, or login-wall detectors, the response carries an explicit warning naming the condition and the exact deductions that produced the score. You get the full output plus the truth about it, never a challenge page passed off as the answer.

We do not spend your money on a page that beat us

A page flagged as blocked never triggers paid LLM extraction. You get the heuristic result plus a warning explaining the skip, instead of tokens burned inventing structure from a challenge screen.

Reserved paths return 422, never a silent 200

Send an option we have not shipped yet and the API rejects it with a 422 that says so. It never accepts a parameter and quietly ignores it. Partial successes come back as named warnings, never a quiet shrug.

The honest limits of this
  • Detection is heuristic pattern-matching, not magic. On our 50-page labeled test corpus it catches 92% of blocked pages with a 4% false-alarm rate, so roughly 1 in 12 block pages can still score as passable. We publish the misses; we do not claim we catch everything.
  • Scoring covers perceive, distill, and watch. /v2/ingest renders pages but does not yet gate on the score, so a blocked page can enter a RAG corpus unflagged. That gate is on the roadmap and it is not done.
  • A low score flags and warns. It does not block delivery or refund the call, and it never silently withholds your content.
Operational transparency

Here is exactly what happens to your data.

No abstractions. Two flows cover almost everything Enconvert does: a file you upload, and a URL your agent reads. Here is each one, step by step.

A file you upload for conversion
  1. It arrives over TLS.
  2. It is checked against your plan's size limit and the accepted extensions for that endpoint.
  3. The filename is sanitized (path components and traversal sequences stripped) before it is used.
  4. The bytes are held in memory and passed straight to the converter. Your source file is never written to our storage.
  5. Only the converted output is stored, as a private object under your account's own key prefix.
  6. You download it through a pre-signed URL that expires in 15 minutes, and that URL is only signed after the server confirms the object belongs to your account.
  7. You can delete the output yourself at any time.
A URL your agent reads (V2)
  1. The URL is screened before anything fetches it (see security below).
  2. It is rendered in a fresh, isolated browser context that is destroyed after the request.
  3. The render is scored.
  4. You get back the content, the quality score, any warnings, a SHA-256 hash of the page as the site delivered it, and the final URL after redirects.
  • For URL conversions we retain the fully rendered HTML for a 90-day window to power quality scoring and caching. This is disclosed in the Privacy Policy, and any single request can turn it off with the X-Enconvert-No-Capture: true header, wired into the pipeline and not just written in a policy.
  • Converted files are kept for your plan’s retention window (from 1 hour on Free up to 30 days on higher tiers) and then deleted.
  • Metadata about a conversion (the endpoint, sizes, duration, and for URL jobs the source URL) is logged. Your file contents and rendered page bodies are not written to our logs.
Security

No badges. Mechanisms.

We cannot hand you a SOC 2 report. We can hand you the specific controls a SOC 2 report is a proxy for. Here they are, including where each one stops.

SSRF screening on V2 endpoints

A shared rendering service is a classic way to pivot into a vendor’s own network, so every caller-supplied URL on a V2 endpoint is screened before the browser touches it. Blocked: non-HTTP(S) schemes, embedded credentials, private / loopback / link-local / multicast / reserved address space, cloud metadata endpoints by both IP (169.254.169.254) and hostname (metadata.google.internal and friends), and non-standard IP notations (dotted-octal, hex, packed integer) that a validator and a browser can parse to different addresses. The screen runs on perceive, distill, discover (every link the crawler follows, not just the seed), watch (at creation and again before every scheduled check), ingest, and on your webhook URL right before every delivery.

Where it stopsThis is V2 only. The older V1 url-to-pdf, url-to-screenshot, and url-to-markdown endpoints predate this module and are not screened. Two residual gaps are documented in our own source and being hardened: DNS rebinding (the browser re-resolves the host after we checked it) and a public URL that redirects to an internal one after the screen. The screen covers the page you request, not every subresource it loads.
API keys and access

Keys carry 256 bits of randomness from a CSPRNG and are stored only as a SHA-256 hash with a short display prefix. The plaintext is shown once at creation and is not recoverable, by you or by us. Revoking a key takes effect on the very next request. Keys can be scoped to specific endpoints and domains, enforced server-side on every call. Secret (sk_) keys are refused outright from a browser; publishable (pk_) keys can only mint short-lived, origin-bound tokens for the domains you whitelist. Browser and widget sessions use 1-hour access tokens; the 7-day refresh token lives in an HttpOnly, Secure cookie that JavaScript cannot read.

Where it stopsThe key hash is unsalted SHA-256 (correct for high-entropy random keys, and different from the bcrypt we use for passwords). A token already minted stays valid until it expires, up to one hour, even after you revoke the key it came from. There is no per-second rate limiter today; spend is instead bounded by hard plan quotas checked before every operation.
Webhooks you receive

Every V2 completion and change webhook (ingest, watch) is signed HMAC-SHA256 with the delivery timestamp bound into the signature, Stripe-style, and sent as X-Enconvert-Signature and X-Enconvert-Timestamp. That lets your consumer verify the sender and reject replays. The signing secret is per-project, generated from a CSPRNG, revealed only over the authenticated dashboard, and rotatable instantly. A reference verifier using constant-time comparison ships with it, and deliveries retry on backoff, each attempt re-signed with a fresh timestamp.

Where it stopsV2 webhooks only. The legacy V1 async-conversion callback is unsigned by frozen design; if you use it, do not rely on it for authenticity.
Billing you can audit

Every billable conversion writes an append-only ledger row keyed by a deterministic idempotency key, and the counter only moves when that row is inserted, in the same transaction, so a retried or duplicated request cannot be counted twice. Failed conversions, failed renders, and quota-denied requests are never billed. When you hit a plan limit you get a 402 with your exact usage numbers, before any work runs. LLM extraction spend sits behind an atomic reserve-and-settle cap that fails closed, and a nightly job re-derives every counter from the raw ledger and reports drift rather than silently rewriting your bill.

Where it stopsThe quota check and the increment are two steps, so at a cap boundary concurrent requests can overshoot by a handful of operations, always in your favor. Overage billing only ever applies if you explicitly turn it on.
Your side of the fence

Four things that keep your account safe, on your side.

Keep sk_ keys server-side

Secret keys are rejected from browsers on purpose. Use a pk_ publishable key, locked to your domains, for anything client-side.

Verify webhook signatures

Recompute HMAC-SHA256 over <timestamp>.<body> with your project secret, compare in constant time, and reject anything older than five minutes. Reference code is in the docs.

Scope your keys

A key restricted to the one endpoint it needs cannot do anything else if it leaks. Scope by endpoint and domain when you create it.

Rotate on exposure

Rotate a webhook secret or revoke and re-create a key from the dashboard the moment you suspect exposure. Revocation is immediate.

Reliability

Receipts, not promises.

A young vendor cannot borrow trust from logos. So here is what is actually built, what is actually tested, and honest answers to the failure simulations you are already running in your head.

A restart never strands your job

If the server restarts mid-flight, interrupted batch operations are marked failed with an explicit 'resubmit' reason, ingest jobs resume from durable per-page state, and monitors catch up on their own because their schedule lives in the database. The old failure mode of a job stuck 'In Progress' forever does not happen here.

One bad input fails only itself

A single unrenderable URL fails its own operation and the rest of your batch completes with partial results. A crashed job never takes down the worker loop.

A monitor that goes blind tells you

A page watcher that fails three checks in a row pauses itself and emails you, instead of silently pretending to watch.

The safety behaviors are the ones we test

There are 380-plus automated tests aimed squarely at these behaviors: block-detection boundaries, webhook signature-forgery rejection, batch partial-failure, and byte-level render regression against golden fixtures. The quality scorer is gated against a 50-page labeled corpus at 92% detection and 4% false alarms, with the known misses committed to the repo rather than hidden. Honest note: these tests run manually, not in CI yet.

Live at status.enconvert.com. Continuous monitoring started 29 June 2026, so the history is short. We would rather show you four honest weeks than a fabricated year.

What happens when you have an outage?

Enconvert runs in a single region today. The status page is public and we are alerted automatically. There is no faceless 24/7 support desk. There are two founders, and one of us is reachable.

What happens when a founder is unavailable?

There are two of us, by design. Het runs the product day to day; Om covers when Het is not available, and the reverse. On a normal day neither of us needs to press a button anyway: workers self-heal and are restart-safe, monitors auto-pause when they break, and billing periods rotate themselves.

What happens when your traffic spikes?

Renders currently serialize through one node, one at a time, which is a real ceiling we are honest about. Fast conversions return synchronously; heavy or bursty work degrades to async jobs rather than failing. Scaling horizontally is planned work, not shipped work.

What happens when Enconvert shuts down?

This is the real question for a young vendor, so here is a real answer. First, the API is stateless: your files live for minutes and hours, not years, so there is no data to hold hostage, and migrating off is swapping an endpoint, not exporting a database. Second, if we ever wind Enconvert down, you get at least 6 months’ written notice. Third, on shutdown we release the core conversion code to paying customers, so you are never stranded on a dead black-box API. We put that in writing here on purpose, because most vendors will not.

Data

What we will never do with your files.

  • We never train models on your files or your content.
  • We never sell or share your data.
  • Uploaded source files are processed in memory and are not stored; only your converted output is, under your account's prefix, deletable by you.
  • Downloads are private and time-boxed: signed URLs, 15-minute expiry, ownership-checked before signing.
The full list of subprocessors, named:
  • DigitalOcean SpacesObject storage for your converted outputs.
  • AnthropicLLM extraction, and only on plans where you have enabled it. When you use it, trimmed page content is sent to Anthropic to extract structured data. If your plan does not use LLM extraction, your content never leaves Enconvert’s infrastructure for this.
  • SerperThe search provider behind /v2/lookup. Your search query text is sent to Serper.
  • PayPalPayment processing and billing.
Honest fit

Reasons not to use Enconvert.

Every honest pitch includes the cases where it is the wrong call. Here are ours.

  • You need SOC 2 or HIPAA attestation todayWe do not have them. If a certificate is a hard procurement gate for you, we are not there yet.
  • You need a contractual 99.99% SLA with penaltiesA two-person company cannot honestly write that. If you need it in a contract, use a larger vendor.
  • You need on-prem or self-hostingNot offered. Enconvert is a hosted API only.
  • You process very large filesThere are per-plan size caps, from small on the free tier up to the Production tier. Past that, this is the wrong tool.
  • A tiny team is a dealbreaker for youThat is a legitimate position. Everything above is designed to make it a smaller risk than it sounds, but we are not going to pretend it is zero.
Accountability

Two names. Reachable.

We built Enconvert because we got tired of gluing five vendors together to let an agent read a file and a web page, and tired of the ones that lie when a page fights back. It is bootstrapped. There are no investors, and revenue comes only from subscriptions, which means the product’s only job is to keep working for the people paying for it. Support is answered by the people who wrote the code. If something breaks, you know exactly who to email.

Het DaveCo-founder · Ahmedabadhet@getenconvert.com
OmCo-founder · Ahmedabadom@getenconvert.com

Don't trust this page. Check it.

Everything above is meant to be verifiable. The best way to trust an API is to use it and watch what it does. Run 100 operations on the free tier, point /v2/perceive at a page you know is hard, and read the score it gives back.

Found a security issue? Email security@enconvert.com. We read every security report and answer within a business day.

Free while in beta. 100 operations a month, no credit card.