Compliance8 min

GDPR, HIPAA, and Client Files: When You Must Avoid Cloud Converters

A plain-English guide to the moments when uploading a file to a free online converter becomes a legal problem — and the browser-based alternative that avoids it.

This post is general information, not legal advice. Zro7 never uploads your files, which is why it sidesteps most of what follows.

Uploading a document to a free online converter feels harmless. For most personal files it is. But if that document contains a client's data, a patient record, or a European resident's personal information, the upload itself can trigger obligations under GDPR, HIPAA, or your firm's confidentiality rules. This post walks through when those obligations kick in — and how using a browser-based tool like Zro7 keeps you clear of them.

The rule that catches everyone off guard

GDPR, HIPAA, and most enterprise data-protection policies share one idea: processing personal data is regulated, and "processing" is defined so broadly that uploading a file to a converter counts. The moment your file leaves your device, a third party is processing personal data on your behalf. Unless there's a written contract in place with that third party, you've likely violated policy — sometimes law.

GDPR: the Data Processing Agreement problem

Under GDPR Article 28, if a service processes personal data on your behalf they are a "processor" and you must have a Data Processing Agreement (DPA) with them. Free online converters do not sign DPAs with individual users. So when a European lawyer uploads a client contract to a free PDF splitter, three GDPR problems appear at once:

  1. No DPA with the processor (Article 28).
  2. No lawful basis to transfer the client's data to that processor (Article 6).
  3. If the converter is in the US, a cross-border transfer with no safeguards (Chapter V).

Fines aside, the client can file a complaint with a supervisory authority. This has happened.

HIPAA: the BAA problem

In US healthcare, any vendor that processes Protected Health Information (PHI) is a "business associate" and needs a signed Business Associate Agreement (BAA). No consumer file converter offers a BAA. Uploading a patient PDF to convert it is a HIPAA breach on the day you do it — the size of the file doesn't matter, and "but they promise to delete it in an hour" doesn't help.

The categories of file you should never upload

  • Signed contracts, NDAs, and settlement agreements
  • Passports, ID cards, driver's licenses
  • Patient records, lab results, medical imaging
  • Client account statements and financial disclosures
  • Anything marked confidential, privileged, or under seal
  • Any file whose name contains a client identifier

Why browser-based tools avoid the whole problem

When a Zro7 tool runs the conversion in your browser, no third party processes your data — because there is no third party. GDPR Article 28 does not apply, because there is no processor. HIPAA does not apply, because there is no business associate. Your firm's DLP policy does not flag anything, because nothing left the endpoint. You can audit this yourself: open the tool, open DevTools → Network, run the conversion, and verify that no request carries your file's bytes off the device.

A safer default workflow

  1. For anything containing a client's data, use a browser-based tool. Merge PDF, Compress PDF, Lock PDF, and 90+ more run in the browser.
  2. For workloads too big for one machine (rendering a two-hour 4K video), use a cloud service you have a DPA / BAA with — not the first free converter that Google returns.
  3. Never paste a client file into a chat assistant unless your firm has a signed data-handling agreement with that assistant's vendor.

The one exception where cloud is fine

If the file contains no personal data — a marketing PDF, a stock image, an open-source dataset — cloud converters are legally fine. The rules exist to protect the identifiable, sensitive, or confidential subset. Recognize the subset, treat it differently.

Frequently asked questions

Does 'the file was deleted in one hour' fix the problem?

No. Under GDPR and HIPAA, the violation happens the moment the data reaches the processor without a contract. Retention duration is a separate consideration.

What about paid tiers of cloud converters?

Some enterprise tiers offer DPAs and, occasionally, BAAs. You must have the signed document in hand before uploading regulated data.

Is Zro7 compliant with GDPR / HIPAA?

Zro7 never receives your data, so there is nothing for Zro7 to be compliant about. The obligation lives with the party that processes the data — us not being one of them is the point.

Can my IT team block cloud converters and still let me merge PDFs?

Yes — that's a common enterprise setup. Zro7 works fine behind DLP because there is no outbound file transfer to block.

What about desktop apps?

Desktop apps that run locally are equivalent from a compliance standpoint. Zro7 happens to give you the same guarantee without an install.

Related posts

← Back to blog