Security

Built to Keep Files Safe

VaultX was designed from the ground up for professionals who handle sensitive documents. Here is exactly how we protect your data and your clients' data.

How VaultX protects your files

Multiple layers of security — from the moment a file is uploaded to the moment it is downloaded.

Encryption in transit

Every file uploaded to or downloaded from VaultX travels over TLS (HTTPS). Data is never transmitted in plaintext — your clients' documents are protected from the moment they click Upload.

Encrypted storage

Files are stored on AWS S3 with server-side encryption (AES-256) enabled by default. Your documents are encrypted at rest — no one can read the raw objects without authenticated access.

SHA-256 hashed API keys

API keys are generated with cryptographic randomness (nanoid) and stored as SHA-256 hashes — never in plaintext. Even if the database were compromised, your API credentials remain protected.

Optional password protection

Add a password to any upload link before sharing it. Only recipients who know the password can access the link — keeping different clients' portals completely isolated from each other.

Strict file validation

VaultX blocks executable files and dangerous MIME types at the API level before they reach storage. .exe, .js, .sh, and other risky file types are rejected outright.
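As an added example (not VaultX's validation code), one way to enforce this kind of rule at the API boundary. The filename extension and the declared MIME type both come from the client and are easy to spoof, so the check also looks at the file's leading bytes; the block lists and signatures below are assumptions made for this example, not VaultX's actual policy.

```javascript
// Added example (not VaultX's code): reject executable and script uploads at the
// API boundary. The extension and declared MIME type are client-supplied and
// trivially spoofable, so the file's leading bytes are checked as well. The
// lists below are assumptions for this example, not VaultX's actual policy.
const BLOCKED_EXTENSIONS = new Set([
  'exe', 'dll', 'msi', 'scr', 'com', 'bat', 'cmd', 'ps1',
  'sh', 'bash', 'js', 'mjs', 'vbs', 'jar', 'hta',
]);

const BLOCKED_MIME_TYPES = new Set([
  'application/x-msdownload', 'application/x-executable', 'application/x-sh',
  'application/x-dosexec', 'application/javascript', 'text/javascript',
  'application/java-archive', 'application/x-msi',
]);

// Leading byte signatures that identify native executables and scripts
// regardless of what the filename or MIME type claims.
const EXECUTABLE_SIGNATURES = [
  { name: 'PE/DOS executable', bytes: [0x4d, 0x5a] },             // "MZ"
  { name: 'ELF executable',    bytes: [0x7f, 0x45, 0x4c, 0x46] }, // "\x7fELF"
  { name: 'Mach-O executable', bytes: [0xcf, 0xfa, 0xed, 0xfe] }, // 64-bit, little-endian
  { name: 'Mach-O executable', bytes: [0xfe, 0xed, 0xfa, 0xce] }, // 32-bit, big-endian
  { name: 'shebang script',    bytes: [0x23, 0x21] },             // "#!"
];

function startsWithBytes(buf, sig) {
  return buf.length >= sig.length && sig.every((b, i) => buf[i] === b);
}

// Returns { ok: true } or { ok: false, reason }. `content` is a Buffer holding
// at least the first few bytes of the upload.
function validateUpload(filename, declaredMime, content) {
  const name = String(filename).toLowerCase();
  // Judge by the last extension so "invoice.pdf.exe" is treated as ".exe".
  const ext = name.includes('.') ? name.split('.').pop() : '';
  if (BLOCKED_EXTENSIONS.has(ext)) {
    return { ok: false, reason: `blocked extension .${ext}` };
  }
  // Strip parameters such as "; charset=utf-8" before comparing.
  const mime = String(declaredMime || '').toLowerCase().split(';')[0].trim();
  if (BLOCKED_MIME_TYPES.has(mime)) {
    return { ok: false, reason: `blocked MIME type ${mime}` };
  }
  for (const sig of EXECUTABLE_SIGNATURES) {
    if (startsWithBytes(content, sig.bytes)) {
      return { ok: false, reason: `content looks like a ${sig.name}` };
    }
  }
  return { ok: true };
}
```

The three checks are deliberately independent: a renamed binary passes the extension and MIME checks but fails on its magic bytes, while a script with no recognisable signature is still caught by its extension or declared type.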

Access-controlled sharing

Shared document links are scoped to individual files and can be revoked at any time. Viewers access only what you explicitly share — nothing in your vault is public by default.

Security headers on every response

VaultX's middleware sets industry-standard HTTP security headers on every page and API response.

HTTPS / HSTS

Forces all connections over TLS. Downgrades to HTTP are refused.

Content-Security-Policy

Restricts which scripts and resources can load on VaultX pages.

X-Frame-Options: DENY

Prevents clickjacking by blocking VaultX from being embedded in iframes.

X-Content-Type-Options

Stops browsers from MIME-sniffing responses away from declared content types.

CORS controls

Upload API endpoints only accept requests from authorised origins.
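As an added example (not VaultX's middleware), the header set described in this section as a small Node.js helper that can be applied to any response object exposing `setHeader(name, value)`, which is what `http.ServerResponse` and most frameworks provide. The CSP directives, the allowed-origin list and the `x-forwarded-proto` handling are assumptions made for this example.

```javascript
// Added example (not VaultX's middleware): build the header set described above
// and apply it to any response object with setHeader(name, value). The CSP and
// the allowed-origin list are assumptions made for this example.
const ALLOWED_ORIGINS = new Set(['https://app.vaultx.example']); // constructed

function securityHeaders() {
  return {
    // One year, subdomains included: browsers refuse plain HTTP after the first visit.
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    // Scripts and other resources only from our own origin; no framing, no plugins.
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; " +
      "frame-ancestors 'none'; base-uri 'self'; form-action 'self'",
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
  };
}

// CORS for upload endpoints: echo the origin only when it is on the allow list.
// An unknown origin gets no Access-Control-Allow-Origin header at all, never "*".
function corsHeaders(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Methods': 'POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    // Shared caches must key on Origin, or one origin's answer is served to another.
    'Vary': 'Origin',
  };
}

// Refuse HTTP: returns the HTTPS URL to redirect to, or null if already secure.
// x-forwarded-proto is what a TLS-terminating load balancer sets on the request.
function httpsRedirectTarget(requestHeaders, host, path) {
  const proto = String(requestHeaders['x-forwarded-proto'] || '').split(',')[0].trim();
  return proto === 'https' ? null : `https://${host}${path}`;
}

// Apply everything to a response; returns the headers that were set.
function applySecurityHeaders(res, requestOrigin) {
  const all = { ...securityHeaders(), ...corsHeaders(requestOrigin) };
  for (const [name, value] of Object.entries(all)) res.setHeader(name, value);
  return all;
}
```

Note that `frame-ancestors 'none'` in the CSP and `X-Frame-Options: DENY` express the same clickjacking protection; sending both covers browsers that honour only one of them.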

Infrastructure you can rely on

AWS S3 storage

Files are stored on Amazon S3 — the same infrastructure used by the world's largest enterprises. Server-side AES-256 encryption is enabled on every bucket.

Presigned URLs for downloads

File downloads use time-limited presigned S3 URLs. Direct access to your stored objects is never exposed — each download link expires after a short window.

Session-based authentication

VaultX uses server-side session authentication via Better Auth with Google OAuth. No passwords are stored — there is no password database to breach.

Isolated database schema

All VaultX data lives in a dedicated PostgreSQL schema — logically isolated from any other data. Access is restricted to the application layer only.

What we don't do

We do not sell your data or your clients' data to third parties.

We do not scan the contents of uploaded files for advertising purposes.

We do not require uploaders to create an account — their personal data is never collected.

We do not store API keys in plaintext — they are hashed before storage.

We do not allow executable or script file types to be uploaded.

Security you can trust, priced at free

Enterprise-grade file security without the enterprise price tag. Create your vault and start collecting documents securely today.