Axerity Docs
Files

Security

How files are stored, encrypted, and protected from accidental exposure.

Files holds the kinds of documents you don't want sitting on someone else's server. Here's how it's actually protected.

Encryption at rest

Every uploaded file is encrypted in S3 using AES-256 server-side encryption (SSE-S3). The upload request includes a header forcing it, and the bucket policy (recommended setup) rejects any PUT that doesn't. A leaked storage backup is unreadable without the encryption keys.

What this isn't: end-to-end encryption. We hold the keys (S3 manages them on our behalf). If you compromised our infrastructure, you could read files. E2E (client-side encryption with org-held keys) is on the roadmap.

Opaque object keys

The S3 object key for a file is ${orgId}/${randomUuid}. Not the filename. Not the folder path. So:

  • A leaked storage key is mostly useless without our database.
  • An accidentally-public bucket listing leaks no filenames.
  • Filenames live only in our Postgres database.

Bytes never touch our app server

Uploads use presigned PUT URLs valid for 5 minutes. Downloads use presigned GET URLs also valid for 5 minutes. Our Next.js server only issues these URLs and tracks metadata. The bytes themselves go directly between your browser and S3.

This means:

  • No memory pressure on our server from large uploads.
  • No bandwidth bottleneck.
  • Smaller blast radius for any app-layer vulnerability — your files aren't even on the path.

Every action is authorized

Before issuing a presigned URL — upload or download — we check:

  1. You're authenticated (session or API key).
  2. The file/folder belongs to your active organization.
  3. (For API keys, in the future) the key has the right scope.

A user from Org A cannot generate a download URL for a file in Org B. Period.

Audit log

Every upload, download, rename, move, and delete writes an append-only row in file_audit_log. The log survives even file deletion. See Sharing.

What we don't have yet

To be honest about the gaps:

  • End-to-end encryption. We hold the keys.
  • Client-side virus scanning. No file scanning.
  • DLP / sensitive data detection. None.
  • Customer-managed keys (KMS). Not yet.
  • Data residency. Single region currently (US East).
  • SOC 2. Audit hasn't happened.

The privacy posture is strong by default for the threat model of a small business — accidental leaks, scraping, casual snooping. It's not yet hardened for "we're under active nation-state attack." Roadmap.
