Security Practices
How we protect your files and data
Encryption Architecture
At Rest
- AES-256-GCM: Industry-standard authenticated encryption for all files
- Unique Keys: Each file encrypted with its own randomly generated 256-bit key
- Key Isolation: Encryption keys stored separately from encrypted files
- Master Key: Keys themselves encrypted with a master key managed via secrets rotation
In Transit
- TLS 1.3: All API traffic encrypted with modern TLS
- Certificate Pinning: SDK validates server certificates
- HSTS: HTTP Strict Transport Security enforced
Authentication & Authorization
- Password Security: Bcrypt with 12 rounds, minimum 8 characters, complexity requirements
- JWT Tokens: Signed with HS256, 30-day expiration, secure httpOnly cookies in web app
- API Keys: SHA-256 hashed, scoped permissions, revocable at any time
- 2FA (Coming Soon): TOTP-based two-factor authentication
- Session Management: Automatic logout after 30 days of inactivity
Infrastructure Security
- Hosting: Railway infrastructure with SOC 2 Type II compliance
- Database: Encrypted PostgreSQL with automated daily backups
- Network Isolation: Private VPC, no public database access
- DDoS Protection: Cloudflare enterprise protection
- Rate Limiting: Per-IP and per-user limits to prevent abuse
- WAF: Web Application Firewall with OWASP ruleset
Access Controls
- File-Level Permissions: Each file owned by specific user account
- Share Tokens: Cryptographically random, time-limited sharing links
- Owner Verification: Server validates ownership before serving original files
- Access Logging: All download events logged with timestamp, IP, user agent
- Anomaly Detection: Automated alerts for suspicious access patterns
Application Security
- Input Validation: All user input sanitized and validated
- SQL Injection Prevention: Parameterized queries via Drizzle ORM
- XSS Protection: Content Security Policy headers, output encoding
- CSRF Protection: Anti-CSRF tokens on all state-changing operations
- File Upload Validation: Type checking, size limits, malware scanning
- Dependency Scanning: Automated vulnerability scanning with npm audit
Data Protection
- Backup Strategy: Automated daily backups with 30-day retention
- Disaster Recovery: Multi-region backup storage, 4-hour RTO
- Data Deletion: Secure deletion with overwrite (DoD 5220.22-M standard)
- Retention: User data deleted within 30 days of account closure
- Audit Logs: 90-day retention for security and compliance
Monitoring & Incident Response
- 24/7 Monitoring: Automated alerts for security events
- Intrusion Detection: Real-time threat detection and blocking
- Incident Response: Documented procedures with 1-hour response SLA
- Breach Notification: Email notification within 72 hours per GDPR
- Forensic Logging: Immutable audit trail for security investigations
Compliance & Certifications
- GDPR: Full compliance with EU data protection regulations
- CCPA: California Consumer Privacy Act compliance
- SOC 2 Type II: Infrastructure provider certification
- PCI DSS: Payment processing via Stripe (Level 1 PCI compliant)
- Regular Audits: Annual security assessments and penetration testing
Development Security
- Code Review: All changes reviewed before deployment
- Secrets Management: No secrets in code, environment variables only
- Dependency Updates: Weekly automated security updates
- Static Analysis: ESLint security rules, TypeScript strict mode
- CI/CD Security: Automated security scans in build pipeline
Vulnerability Disclosure
We appreciate responsible disclosure of security vulnerabilities. If you discover a security issue:
- Report: Email [email protected] with details
- Response: We'll acknowledge within 24 hours
- Timeline: We aim to patch critical issues within 48 hours
- Recognition: Security researchers credited in our hall of fame
- Bug Bounty: Rewards for qualifying vulnerabilities
Best Practices for Users
Help us keep your files secure:
- Strong Passwords: Use unique, complex passwords (minimum 12 characters)
- API Key Security: Never commit API keys to public repositories
- Share Carefully: Only share download links with intended recipients
- Monitor Access: Regularly review access logs for your files
- Report Issues: Contact us immediately if you notice suspicious activity