Guide · Privacy
Are online file converters safe? A technical comparison
Cloud converters upload your file. Local converters don't. Here is what that actually means in practice — and how to verify it yourself in 30 seconds.
The two models, in one paragraph
A cloud converter (CloudConvert, Zamzar, Convertio, iLovePDF, SmallPDF) accepts your file via HTTPS upload, converts it on a rented server, stores the result on object storage (usually AWS S3), and hands you a download URL. A local converter — Morphix, ffmpeg.wasm demos, and a handful of others — ships the conversion engine as WebAssembly, so the same code runs inside your browser tab and the file never leaves your device.
Side-by-side comparison
Verify any converter yourself (takes 30 seconds)
- Open the converter in a new tab.
- Press F12 and switch to the Network tab.
- Tick Preserve log and set throttling to Slow 3G.
- Drop in a 50 MB test file and run the conversion.
- Sort by Size. A local converter shows only small JS/WASM downloads. A cloud converter shows a multi-megabyte
POSTorPUTto the operator's domain — that is your file leaving your machine.
Where WebAssembly changes the math
The reason local conversion is viable in 2026 (and wasn't in 2016) is WebAssembly. WASM lets us compile ffmpeg, PDF.js, libarchive, libheif, and Tesseract OCR into a sandboxed bytecode that runs at near-native speed inside the browser. Morphix ships those engines as WASM modules — the same binaries a server would use, just executing on your CPU instead of ours.
When cloud converters are still fine
- Public documents you'd happily post on Twitter.
- Very large videos where your device can't spare the RAM (Morphix streams these too, but a low-end phone may struggle).
- OCR on 500-page PDFs where a beefy GPU on the server would be faster.
When you really want local
- Passport / ID scans, birth certificates, driver's licences.
- Contracts, NDAs, tax returns, medical records.
- Unreleased product mockups, source code, internal wireframes.
- Anything covered by GDPR, HIPAA, or an employer's data-handling policy.
The Morphix Vault: one step further
When you need to send a file to someone else, in-browser conversion isn't enough — you also want the file encrypted end-to-end. The Morphix Vault wraps any file in AES-256-GCM with a PBKDF2-SHA256-derived key (250,000 iterations) using the browser's native Web Crypto API. Only whoever has the password can open it.