Your creative. Your partners’ creative. Both safe.

Every file you or your partners upload lives in Cloudflare R2, encrypted at rest with AES-256. Every byte moves over TLS 1.3. No unencrypted bucket exists anywhere in our stack.

Database records (D1) are encrypted at rest. Secrets (API keys, magic-link signing key) are stored as Cloudflare Worker Secrets, never in the repo.

Files are never served from a public bucket. Every download goes through a Worker that verifies either (a) a signed, scoped magic-link token, or (b) an authenticated session in the right workspace.

Your team is role-gated: owner, admin, coordinator, viewer. Contracts collection is admin-only by default. Collections can be further restricted to specific people.

When you send a link to a partner, it's a signed JWT scoped to one assignment or one delivery. They never create an account. The link itself is the credential.

Every link has an expiry (default 90 days, configurable). Every open, download, and acknowledgement is logged. Revoke anytime.

We record every meaningful action: links sent, opened, downloaded, signed, delegated, approved. IP hashes + user-agents on recipient actions make tampering provable.

Admins can export the full audit log as CSV from Settings. For enterprise customers we can stream it to your SIEM.

By default we keep assets as long as your workspace is active. Collections can set a retention window of 30, 60, 90, or 180 days; automated purge of expired files is rolling out now, and until it lands, retention-window deletions are processed on request. Deleted files leave backups within 35 days.

On-demand delete is instant: click delete, it's gone from the active store in under a minute.

Audio submissions can be forensically watermarked with ID3v2 tags linking the file to the specific recipient who received it. If a leak happens, we can identify the source.

Signed contracts are tamper-evident: we record a SHA-256 hash of the exact PDF bytes plus the signer audit trail at signing time, and any modification to the signed artifact no longer matches the recorded hash, verifiable at /verify/[contractId]. Cryptographic signing with a dedicated key is on the security roadmap.

File safety: inbound uploads are spec-validated and type-checked at the edge. Full server-side antivirus scanning is on the roadmap for later this year; until then, treat partner uploads with the same care as email attachments.

Workspace admins can export all data as JSON + attached files, and can permanently delete a workspace in one click. Deletion cascades to every row, every R2 object, and queues backup purge.

EU/UK/California residents can request data access or deletion by emailing privacy@gobrief.co. We respond within 30 days (GDPR) or 45 (CCPA).

Every response ships CSP, HSTS, Referrer-Policy, Permissions-Policy, X-Content-Type-Options, X-Frame-Options. Rate-limited per-IP and per-API-key at the edge.

Live health checks at /api/health. Daily D1 backups to R2 at 07:00 UTC. Incidents land on /support with status updates.

• We don't sell your data. Not to advertisers, not to model trainers.
• We don't train AI models on your content.
• We don't share aggregate behavior with third-party tools beyond the integrations you explicitly connect.
• We don't retain deleted files in a shadow archive. Files are irreversibly deleted from active storage and are purged from backups within the documented retention window (no residual copies kept for internal analytics, ML training, or resale).

Today: GDPR + UK GDPR + CCPA/CPRA + CAN-SPAM compliant posture. ESIGN + UETA compliant for native contracts. EU Standard Contractual Clauses (Module Two) incorporated into our DPA for international transfers.

In flight: SOC 2 Type I audit, scoping complete, Type I report targeted for Q3 2026, Type II for 2027. We will update this page with certification status (including certifying firm and audit period) when reports become available. A HIPAA BAA is available on the Enterprise plan after scoping.

Breach notification. In the event of a personal-data breach affecting a customer workspace, we notify the affected workspace owner without undue delay and, where feasible, within 72 hours of confirmation, in line with GDPR Art. 33 and our DPA.

On request: countersigned DPA, Subprocessor list, security questionnaire response, Certificate of Insurance. Email security@gobrief.co.