Document Security
File validation, checksums, and secure storage.
Gatherly implements multiple layers of security to protect your documents and client data.
File Security
Upload Validation
Every file upload is validated:
| Check | Description |
|---|---|
| File Type | Verified against allowed types (PDF, images, documents) |
| File Size | Enforced against configured limits |
| Malware Scan | Scanned for viruses and malicious content |
| Filename | Sanitized to remove unsafe characters |
Integrity Verification
Each file is checksummed on upload:
- SHA-256 hash - Generated for every file on upload
- Hash verification - Stored for future integrity verification
- Tamper detection - Detect any tampering or corruption
Secure Storage
Files are stored securely:
| Feature | Description |
|---|---|
| Hashed paths | Filenames don't reveal content |
| Encrypted at rest | AES encryption for sensitive data |
| Access controlled | Only authorized users can access |
| Audit logged | Every access is recorded |
Access Control
Multi-Tenant Isolation
Your data is completely isolated:
- Each organization has its own data space
- Users can only access their organization's data
- No cross-organization data leakage possible
Role-Based Access (RBAC)
Access is controlled by roles:
| Role | Access Level |
|---|---|
| Owner | Full access to all data and settings |
| Admin | Full data access, limited settings |
| Member | Access to assigned requests and clients |
Secure Link Security
Client Portal access is secured:
- Unique tokens per client and Document Request
- SHA-256 hashed tokens
- Configurable expiration (1-30 days)
- Automatic invalidation on regeneration
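An added example, not Gatherly's own code: one way a server can provide the properties listed above, keeping only the SHA-256 hash of each token, enforcing the 1-30 day expiry, and invalidating the old token on regeneration. The class `SecureLinkStore`, its method names and the in-memory dictionary are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

MIN_DAYS, MAX_DAYS = 1, 30  # expiry range stated on this page


class SecureLinkStore:
    """In-memory stand-in for a token table (hypothetical, for illustration)."""

    def __init__(self):
        # (client_id, request_id) -> (SHA-256 hex digest of token, expiry time)
        self._rows = {}

    def issue(self, client_id, request_id, days, now=None):
        """Create a link token; issuing again replaces (invalidates) the old one."""
        if not MIN_DAYS <= days <= MAX_DAYS:
            raise ValueError("expiry must be between 1 and 30 days")
        now = now or datetime.now(timezone.utc)
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._rows[(client_id, request_id)] = (digest, now + timedelta(days=days))
        return token  # placed in the link once; only the hash is kept

    def verify(self, client_id, request_id, presented, now=None):
        """Return True only for the current, unexpired token of this pair."""
        now = now or datetime.now(timezone.utc)
        row = self._rows.get((client_id, request_id))
        if row is None:
            return False
        digest, expires_at = row
        candidate = hashlib.sha256(presented.encode()).hexdigest()
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(candidate, digest) and now < expires_at

    def stored_values(self):
        """What a leaked token table would expose: hashes, never raw tokens."""
        return [digest for digest, _ in self._rows.values()]
```

Because the raw token exists only in the emailed link, a copy of the token table alone cannot be replayed against the Client Portal.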
Data Protection
Encryption
| Data Type | Protection |
|---|---|
| Data in Transit | HTTPS/TLS for all communications |
| Data at Rest | AES encryption for sensitive fields |
| Passwords | Secure hashing (bcrypt) |
| Tokens | SHA-256 hashing |
Rate Limiting
Protection against abuse:
| Endpoint | Limit |
|---|---|
| Authentication | 10 requests per 15 minutes per IP |
| Password Reset | 5 requests per hour per email |
| File Upload | Based on plan limits |
CSRF Protection
All forms are protected against Cross-Site Request Forgery attacks.
Signature Security
Digital signatures have additional security:
- Cryptographic signing using PKCS#7
- Timestamp Authority (TSA) integration (RFC 3161)
- Hash verification for document integrity
- Certificate chain validation
See Digital Signatures for details.
Secure Communication
Email Security
- Transactional emails via Resend (enterprise-grade)
- SPF, DKIM, and DMARC configured
- Secure Links sent over TLS
API Security
- All API calls require authentication
- JWT tokens with expiration
- Request validation and sanitization
Compliance
Gatherly is designed for compliance with:
| Standard | Description |
|---|---|
| GDPR | EU data protection regulation |
| eIDAS | EU electronic signatures regulation |
| ESIGN Act | US electronic signatures law |
| SOC 2 | Security practices (in progress) |
See GDPR Compliance for privacy-specific features.
Security Best Practices
For Administrators
Best Practices
- Use strong passwords - Minimum 12 characters with mixed types
- Enable MFA - Add multi-factor authentication for team accounts
- Review team access - Regularly audit team member permissions
- Set short link expiry - Shorter Secure Link expiry for sensitive Document Requests
- Monitor audit logs - Review activity for suspicious behavior
For Clients
Client Security Tips
- Don't share Secure Links - Links are personal and non-transferable
- Verify the sender - Confirm emails come from your organization
- Check the URL - Ensure you're on the correct domain
- Complete promptly - Don't leave requests open indefinitely