Security

This page describes the threat model for InstantFileTools and other Merge Everything products. It is written in plain English so a non-engineer can evaluate it, and links the technical primitives where appropriate.

What we protect, what we don't

We protect: the contents of the files you process. Every file operation runs in your browser. The server hosting the product has no API endpoint that accepts file content. We literally cannot read your files because they never travel to us.

We do not protect against: a compromised device or browser, malicious browser extensions, screen recording on your machine, or operating-system-level keyloggers. These threats sit inside your trust boundary, not ours.

Threat model

• Passive network attacker. Cannot see your file content because it is never sent. Could see the URLs you visit (mitigated by HTTPS + HSTS).
• Active network attacker. Could attempt to MITM the static bundle (mitigated by HTTPS, HSTS preload, and Subresource Integrity for CDN-loaded libraries).
• Merge Everything employees. Have no access to user files (none are stored). Have access to Plausible analytics (aggregated, cookieless) and Vercel deployment metadata.
• Cloud provider. Vercel hosts our static bundle and serves the few API endpoints (Stripe webhook, license validation). Neither endpoint accepts file content.
• Subpoena / legal request. We could only hand over data we have. We have no file content. We have aggregated Plausible metrics and a Stripe subscriber list.

Technical safeguards

• Transport: HTTPS with HSTS preload, modern TLS only.
• Headers: X-Frame-Options: DENY, X-Content-Type-Options: nosniff, X-XSS-Protection.
• Tracking: Plausible Analytics — cookieless, aggregated. No third-party trackers.
• Sign-in: Google OAuth, used only for Pro subscriber linkage. Email is the only field stored.
• Payments: Stripe Checkout. We never touch card data; only a subscription ID is stored client-side.
• Webhook integrity: Stripe webhook signature verified with HMAC-SHA256 + replay window. Mismatch → 400.

How to verify yourself

We strongly encourage technical users to verify our claims rather than trust them. The two-minute test:

1. Open instantfiletools.com/compress-pdf in Chrome.
2. Open DevTools → Network tab.
3. Upload a small test PDF.
4. Click "Compress." Observe network traffic during processing.
5. You will see asset loads (libraries, fonts) but no request body containing the PDF.
6. For belt-and-braces: turn off your network connection after the page loads. The tool still works.

Reporting a vulnerability

Email security@mergeeverything.com. We acknowledge within 72 hours. We do not currently run a bug bounty but credit responsible reports on this page.