Security and Compliance
Last Updated: December 17, 2025
1. Security Architecture
At HeicToPng.org, security is not an afterthought; it is embedded in our core architecture. We employ a Zero-Trust, Client-Side model to ensure the highest level of data protection.
1.1. Client-Side Isolation
Unlike server-side converters that require you to upload potentially sensitive documents to a cloud server, our tool processes data exclusively within your browser’s "Sandbox" environment.
- No File Transit: Your HEIC files never travel over the internet to our servers.
- No Database Storage: We do not maintain a database of user files.
- Reduced Attack Surface: Since we don't hold your data, we are not a target for data breaches aimed at stealing user content.
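The client-side model above means the browser, not a server, inspects the file. The following is an added example (not HeicToPng.org's own code) of how a file chosen by the user can be validated entirely in the browser: it reads only the first bytes of the File object locally and checks the ISO Base Media File Format "ftyp" box for a HEIF/HEIC brand, so no bytes ever leave the machine. The brand list, the helper names and the two sample headers are constructed for this example.

```javascript
// Added example (not HeicToPng.org's code): checking a HEIC file's container
// signature entirely in the browser, so the bytes never leave the user's machine.
// Assumes the standard ISO BMFF layout of the first box:
//   [4-byte big-endian box size][4-byte type "ftyp"][major brand][minor version][compatible brands...]

// Brands commonly found in HEIF/HEIC files (assumed list for this example).
const HEIF_BRANDS = new Set(["heic", "heix", "hevc", "hevx", "mif1", "msf1"]);

function readAscii(bytes, offset, length) {
  return String.fromCharCode(...bytes.subarray(offset, offset + length));
}

// Inspect a Uint8Array holding the start of a file; returns a verdict object.
function inspectHeifHeader(bytes) {
  // A minimal ftyp box (size, type, major brand, minor version) is 16 bytes.
  if (bytes.length < 16) return { ok: false, reason: "too short" };
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const boxSize = view.getUint32(0); // big-endian by default
  const boxType = readAscii(bytes, 4, 4);
  if (boxType !== "ftyp") return { ok: false, reason: "first box is not ftyp" };
  // Guard the loop below against a size field that overruns the buffer.
  if (boxSize < 16 || boxSize > bytes.length || boxSize % 4 !== 0) {
    return { ok: false, reason: "bad ftyp size" };
  }
  const majorBrand = readAscii(bytes, 8, 4);
  const compatible = [];
  for (let off = 16; off + 4 <= boxSize; off += 4) compatible.push(readAscii(bytes, off, 4));
  const ok = [majorBrand, ...compatible].some((b) => HEIF_BRANDS.has(b));
  return { ok, majorBrand, compatible, reason: ok ? "" : "no HEIF brand" };
}

// Browser usage: slice the File locally and inspect it; nothing is uploaded.
async function checkSelectedFile(file) {
  const bytes = new Uint8Array(await file.slice(0, 64).arrayBuffer());
  return inspectHeifHeader(bytes);
}

// Constructed sample headers for a stand-alone run (not real files).
function buildFtyp(majorBrand, compatibleBrands) {
  const body = majorBrand + "\0\0\0\0" + compatibleBrands.join("");
  const size = 8 + body.length;
  const out = new Uint8Array(size);
  new DataView(out.buffer).setUint32(0, size);
  out.set(Array.from("ftyp" + body, (c) => c.charCodeAt(0)), 4);
  return out;
}

const SAMPLE_HEIC = buildFtyp("heic", ["mif1", "heic"]);
const SAMPLE_MP4 = buildFtyp("isom", ["mp41"]);
// First 16 bytes of a PNG: signature followed by the IHDR chunk length and type.
const SAMPLE_PNG = new Uint8Array([
  0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13, 0x49, 0x48, 0x44, 0x52,
]);
```

In a page, checkSelectedFile would be called from a file-input change handler; only after the header check passes would the full file be handed to the decoder, still in the browser.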
2. Network Security
2.1. HTTPS Encryption (TLS 1.3)
All communications between your browser and our content delivery network (CDN) are encrypted using Transport Layer Security (TLS 1.3). This ensures that no third party can inject malicious code or eavesdrop on your session metadata.
2.2. Content Security Policy (CSP)
We implement strict Content Security Policies to prevent Cross-Site Scripting (XSS) and other code injection attacks, ensuring the integrity of the conversion scripts running in your browser.
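What "strict" means for a CSP is concrete: the script-src directive must not admit inline or eval'd script without a nonce or hash, nor wildcard origins, and object-src and base-uri must be locked down. The following added example (not HeicToPng.org's actual policy or code) is a small linter that parses a Content-Security-Policy header value and reports those weaknesses; the weak and strict policy strings, including the nonce value, are constructed for illustration.

```javascript
// Added example (not HeicToPng.org's policy): parse a Content-Security-Policy
// header and flag the settings that would let injected markup run as script.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    // A repeated directive is ignored by browsers; keep the first occurrence.
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Returns a list of human-readable findings; an empty list means no weakness found.
function lintCsp(header) {
  const d = parseCsp(header);
  const findings = [];
  // script-src falls back to default-src when absent.
  const scriptSrc = d.get("script-src") ?? d.get("default-src");
  if (!scriptSrc) {
    findings.push("no script-src or default-src: any script origin is allowed");
  } else {
    // 'unsafe-inline' is ignored by browsers once a nonce or hash is present.
    const hasNonceOrHash = scriptSrc.some((x) => /^'(nonce-|sha(256|384|512)-)/i.test(x));
    for (const v of scriptSrc) {
      const s = v.toLowerCase();
      if (s === "'unsafe-inline'" && !hasNonceOrHash) {
        findings.push("script-src allows 'unsafe-inline' without nonces or hashes");
      }
      if (s === "'unsafe-eval'") findings.push("script-src allows 'unsafe-eval'");
      if (s === "*" || s === "https:" || s === "http:" || s === "data:") {
        findings.push(`script-src allows overly broad source ${v}`);
      }
    }
  }
  if (!d.has("object-src") || d.get("object-src").join(" ") !== "'none'") {
    findings.push("object-src should be 'none' to block plugin-based injection");
  }
  if (!d.has("base-uri")) {
    findings.push("base-uri missing: an injected <base> tag can redirect relative script URLs");
  }
  return findings;
}

// Constructed policies: a permissive one and a strict, nonce-based one.
const WEAK_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'; img-src *";
const STRICT_CSP =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; " +
  "base-uri 'self'; frame-ancestors 'none'";
```

The strict policy pins script execution to same-origin files and per-response nonces, so markup injected into the page cannot execute as script even if an XSS bug is found; the linter is a quick way to check a deployed header for regressions.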
3. Compliance Statements
3.1. General Data Protection Regulation (GDPR)
HeicToPng.org is fully compliant with the GDPR. Our unique architecture ensures that we act as a tool provider rather than a data processor of your file contents, as we never have access to them.
3.2. California Consumer Privacy Act (CCPA)
We respect the privacy rights of California residents. We do not sell your personal data. Any data collection is limited to standard analytics required for site maintenance and optimization.
4. Vulnerability Reporting
We welcome feedback from the security community. If you discover a potential security vulnerability in our Service, please contact us immediately at security@heictopng.org. We will investigate the issue promptly.