Security
How ReceiveVault keeps files safe
The technical building blocks behind secure file collection. Security is a shared responsibility - these are the controls we provide.
Every file is virus-scanned
Uploads are streamed through ClamAV before they land in your dashboard. Files flagged as malicious are quarantined and removed, and you are notified.
Encrypted in transit and at rest
All traffic runs over TLS. Files are stored in S3-compatible object storage with server-side encryption - never copied to third-party clouds.
Optional end-to-end encryption
On Business and Enterprise plans, files can be encrypted in the contact's browser with your account's public key, so their contents are unreadable by anyone but you - including us.
Full audit log
Every meaningful action - request created, link sent, file uploaded, file downloaded - is timestamped with the actor, giving you a defensible record of who did what, when.
No account for your clients
Contacts upload through a single-use magic link. There is no password for them to reuse or leak, and no extra account to manage.
Expiry and retention controls
Each request has a configurable expiry. After it passes, the magic link stops working. Files remain under your control until you delete them or your retention policy removes them.
Strong account security
Argon2id password hashing, TOTP and hardware-key (WebAuthn) multi-factor authentication, per-action re-verification, and new-device login alerts.
Canadian-hosted
The platform runs on Canadian infrastructure, built with PIPEDA, PHIPA, and Quebec Law 25 expectations in mind: minimum-necessary collection, encryption, audit logging, and expiry.
Have a security question or want to report a concern? Email support@receivevault.com.