
Security

byosportal is the secure front desk in front of storage you already own. Your files stay in your bucket — we never take custody of them.

Version 1.0, effective 1 June 2026.

We never touch your files

Bytes travel directly from your own cloud bucket to your client. We generate time-limited access links from your credentials, but the file itself never passes through, and is never stored on, our servers.

  • Your file contents — bytes travel directly from your own bucket to your client; nothing passes through our servers.
  • No second copy of your files in our infrastructure — we are never part of your data-custody chain.

What we store (metadata only)

We store only the metadata required to operate the service:

  • File names, sizes, and the object path (key) of the files behind the links you create.
  • Access timestamps and success/failure for each download and confirmed upload.
  • The approximate region of an access — the country — derived from the IP and stored on the access record. The raw IP itself is never stored.
  • A salted, non-reversible hash of the accessing IP — never the IP itself.
  • The browser User-Agent string of an access.
  • For file requests (upload links), the name and email address your uploader chooses to provide.
  • Your cloud credentials, encrypted with AES-256-GCM and decrypted in memory only, never logged.

Encryption

The following measures are committed contractually in our Data Processing Agreement.

  • Cloud credentials are encrypted at rest with AES-256-GCM and decrypted in memory only, at the moment a link is minted.
  • All traffic is served over TLS 1.2+.
  • Share-link passwords are hashed with bcrypt (cost ≥ 12) and are never stored or returned in plaintext.
  • Account sign-in is handled by Hanko; we never hold your account password.

Link security

Download links are backed by short-lived, signed URLs minted fresh on each download — they expire up to 5 minutes after they are issued. For full transparency: revoking a link in the dashboard stops new links being minted, but a signed URL already handed out remains valid until it expires (at most 5 minutes).

For large downloads on paid plans, an interrupted transfer can refresh its link within a bounded session window (up to 6 hours) so it can resume without counting as a new download — each refreshed URL still expires within 5 minutes, and revoking the link stops any further refreshes immediately.
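An added example, not byosportal's own code: a small Python model of the link lifecycle described above, showing why a revoked link stops minting and refreshing at once while a URL already handed out keeps working until it expires. It uses a generic HMAC signature in place of any cloud provider's real presigning algorithm; the key, link ids, object paths and function names are constructed for illustration.

```python
import hashlib
import hmac

SIGNING_KEY = b"constructed-demo-key"  # constructed; stands in for the bucket credential
URL_TTL = 5 * 60                       # a signed URL lives at most 5 minutes
SESSION_WINDOW = 6 * 60 * 60           # resume window for large downloads
revoked_links = set()                  # link ids revoked in the dashboard


def _sign(object_key, expires):
    msg = f"{object_key}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def revoke(link_id):
    revoked_links.add(link_id)


def mint(link_id, object_key, now):
    """Portal side: refuse revoked links, otherwise sign a short-lived URL."""
    if link_id in revoked_links:
        return None
    expires = int(now) + URL_TTL
    return f"/{object_key}?expires={expires}&sig={_sign(object_key, expires)}"


def refresh(link_id, object_key, session_start, now):
    """Resume path: only inside the session window, and still subject to revocation."""
    if now - session_start > SESSION_WINDOW:
        return None
    return mint(link_id, object_key, now)


def storage_accepts(url, now):
    """Storage side: checks signature and expiry only; it cannot see revoked_links."""
    try:
        path, _, query = url.partition("?")
        params = dict(p.split("=", 1) for p in query.split("&"))
        expires = int(params["expires"])
        sig = params["sig"]
    except (KeyError, ValueError):
        return False  # malformed URL
    expected = _sign(path[1:], expires)
    return hmac.compare_digest(expected, sig) and now <= expires
```

The storage check never consults the revocation list, which is why the exposure after a revoke is bounded by the URL lifetime rather than being zero.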

Sub-processors

We rely on a small set of sub-processors for metadata and operations. File bytes never reach any of them. The full list and the terms that bind them are set out in our Data Processing Agreement.

  • Vercel: Application hosting (metadata only — never file bytes). Processing location: [location — to be completed before launch]
  • Managed PostgreSQL: Metadata database — file names, sizes, access audit; never file contents. Processing location: [location — to be completed before launch]
  • Hanko: Managed authentication (sign-in, account identity). Processing location: Frankfurt, Germany (EU)
  • Resend: Transactional email (download notifications, account email). Processing location: [location — to be completed before launch]
  • Stripe: Subscription billing. Processing location: [location — to be completed before launch]

Incident response

On confirming a security incident affecting your data, we commit to notifying you within 72 hours — supporting the service-provider oversight expectations of SEC Regulation S-P. These commitments are set out in full in our Data Processing Agreement.

Shared responsibility

Because your files live in your own cloud account, your bucket’s access controls are yours to set. We provide a connection test and a setup checklist, but we cannot enforce your bucket’s permissions. We recommend blocking public access, enabling server-side encryption, and turning on access logging.

For law firms

Because file contents never leave your own infrastructure, byosportal maps directly onto the “reasonable efforts” standard of ABA Model Rule 1.6(c) and Formal Opinion 477R — including the protection of file metadata. The limited metadata we process is covered by our Data Processing Agreement.

For financial & accounting firms

Keeping client data in your own bucket is a direct answer to SEC Regulation S-P’s safeguarding and service-provider oversight requirements: your records stay under your control, and our 72-hour breach-notification commitment supports your own incident-response program.

A note on session cookies

Our authentication cookie is set by Hanko’s browser SDK and is readable by first-party JavaScript on our origin. We constrain that surface with a strict Content-Security-Policy (script nonces plus strict-dynamic) on every authenticated and public file page; the sign-in page relaxes only style rules for the embedded Hanko component.