Technical Documentation

File Upload Architecture

Learn how we protect your files with enterprise-grade security and optional zero-knowledge encryption

Overview

Two security levels for your files

Our platform offers a robust file storage architecture with two security levels, designed to meet different compliance requirements.

Standard Mode (default)

Secure storage with AWS-managed encryption

Zero Knowledge Mode (optional)

End-to-end encryption where not even system administrators can access your file contents

Encryption Mode Recommendation

We recommend Standard Mode because it enables AI-powered validation, which automatically checks whether your compliance files are filled out correctly. If you need to store highly confidential information, you can enable Zero Knowledge Mode instead: it provides maximum privacy, but because the server never sees plaintext, automatic AI validation is disabled.

Infrastructure

Storage Infrastructure (AWS S3)

All files are stored in Amazon S3 buckets configured with the strictest security policies.

Public Access Block

Public access completely blocked: No file can be accessed publicly
Public ACLs blocked at all levels
Public policies prevented
Guarantee that buckets will never be exposed publicly

Mandatory Encryption

Mandatory encryption at rest: All files are automatically encrypted when stored
AWS KMS (Key Management Service) for additional key control
Deny policy: Uploads without encryption are automatically rejected
Key validation: Only authorized KMS keys are accepted

Secure Transport

HTTPS mandatory: All communications with S3 must use encryption in transit
Deny policy: Any attempt to access via unencrypted HTTP is automatically blocked
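The two deny policies described above (uploads without SSE-KMS, access without TLS, plus the "only authorized KMS keys" rule), as an added example that is not the platform's own bucket policy: the statements in IAM policy form, together with a small evaluator that applies the Bool and StringNotEquals operators to constructed request contexts so the decision for each kind of request is visible. The bucket name, the KMS key ARN and the sample requests are placeholders.

```javascript
// Added example, not the platform's actual bucket policy: the three deny rules the
// page describes, plus a minimal evaluator to show how they decide sample requests.
// Bucket name and KMS key ARN are placeholders.
const BUCKET = 'example-compliance-files';
const KMS_KEY_ARN = 'arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID';

const bucketPolicy = {
  Version: '2012-10-17',
  Statement: [
    { // HTTPS mandatory: any request over plain HTTP is refused
      Sid: 'DenyInsecureTransport', Effect: 'Deny', Principal: '*', Action: 's3:*',
      Resource: [`arn:aws:s3:::${BUCKET}`, `arn:aws:s3:::${BUCKET}/*`],
      Condition: { Bool: { 'aws:SecureTransport': 'false' } } },
    { // uploads must request SSE-KMS explicitly
      Sid: 'DenyUnencryptedUploads', Effect: 'Deny', Principal: '*', Action: 's3:PutObject',
      Resource: `arn:aws:s3:::${BUCKET}/*`,
      Condition: { StringNotEquals: { 's3:x-amz-server-side-encryption': 'aws:kms' } } },
    { // and only with the authorized key
      Sid: 'DenyWrongKmsKey', Effect: 'Deny', Principal: '*', Action: 's3:PutObject',
      Resource: `arn:aws:s3:::${BUCKET}/*`,
      Condition: { StringNotEquals: { 's3:x-amz-server-side-encryption-aws-kms-key-id': KMS_KEY_ARN } } },
  ],
};

// IAM condition semantics for the two operators used above, including the
// important missing-key case: an absent context key never satisfies Bool,
// but always satisfies StringNotEquals (so an upload without the header is denied).
function conditionMatches(condition, ctx) {
  return Object.entries(condition).every(([op, pairs]) =>
    Object.entries(pairs).every(([key, expected]) => {
      const actual = ctx[key];
      if (op === 'Bool') return actual !== undefined && String(actual) === expected;
      if (op === 'StringNotEquals') return actual === undefined || actual !== expected;
      throw new Error(`operator not implemented here: ${op}`);
    }));
}

// 's3:*' style wildcards only (enough for the statements above)
function actionMatches(pattern, action) {
  return [].concat(pattern).some(p =>
    p === action || (p.endsWith('*') && action.startsWith(p.slice(0, -1))));
}

// Sid of the first Deny statement that applies, or null if none does.
// Resource matching is omitted: every sample request below targets objects in BUCKET.
function explicitDeny(policy, ctx) {
  const hit = policy.Statement.find(s => s.Effect === 'Deny'
    && actionMatches(s.Action, ctx.action) && conditionMatches(s.Condition, ctx));
  return hit ? hit.Sid : null;
}

// Constructed request contexts (the condition keys S3 places in the IAM request context).
const requests = {
  httpDownload: { action: 's3:GetObject', 'aws:SecureTransport': false },
  uploadNoHeader: { action: 's3:PutObject', 'aws:SecureTransport': true },
  uploadSseS3: { action: 's3:PutObject', 'aws:SecureTransport': true,
                 's3:x-amz-server-side-encryption': 'AES256' },
  uploadForeignKey: { action: 's3:PutObject', 'aws:SecureTransport': true,
                      's3:x-amz-server-side-encryption': 'aws:kms',
                      's3:x-amz-server-side-encryption-aws-kms-key-id':
                        'arn:aws:kms:us-east-1:999999999999:key/SOMEONE-ELSES-KEY' },
  uploadOk: { action: 's3:PutObject', 'aws:SecureTransport': true,
              's3:x-amz-server-side-encryption': 'aws:kms',
              's3:x-amz-server-side-encryption-aws-kms-key-id': KMS_KEY_ARN },
};

// Decision per sample request: which Deny fires, or null when the upload is allowed through.
function decisions() {
  return Object.fromEntries(
    Object.entries(requests).map(([name, ctx]) => [name, explicitDeny(bucketPolicy, ctx)]));
}
```

Only uploadOk survives: plain HTTP is caught by the first statement, an upload with no encryption header or with SSE-S3 (AES256) by the second, and SSE-KMS under a foreign key by the third. Because both upload rules inspect the request itself, a client that omits the headers and relies on bucket default encryption is also refused; the uploading component must set them explicitly, and how S3 populates these context keys for requests that rely on default encryption should be confirmed against current AWS documentation before adopting such a policy.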

File Versioning

Versioning enabled: All versions of a file are kept
Protection against accidental deletion: Previous versions can be recovered
Lifecycle management: Old versions are automatically managed to optimize costs

Object Lock (Optional)

Configurable retention: Files can be locked against modification or deletion for specific periods
Regulatory compliance: Meets compliance requirements that demand document immutability
Retention modes: Governance or Compliance, depending on requirements

Granular Access Control

Authentication via IAM Roles: Only authorized applications can access files
Principle of least privilege: Each component has only the necessary permissions
Access auditing: Logs of all accesses can be enabled for compliance

Data Classification

All buckets are classified and tagged with:

DataClassification: Sensitive
Compliance: Required
Purpose: File storage bucket for organization documents - Compliance Retention

Security

Zero Knowledge Architecture

Zero Knowledge architecture is an end-to-end encryption system where your files are encrypted in your browser before being sent to the server.

What is Zero Knowledge?

Your files are encrypted in your browser before being sent to the server
Only you and authorized members of your organization can decrypt the files
Not even system administrators have access to your file contents
Not even company employees can view your documents
Not even attackers who gain access to the database can read the files

Three-layer cryptographic key system

1. User Key Pair

A cryptographic key pair is generated in your browser
Your private key is encrypted with your password (never leaves your browser in plain text)
Your public key is sent to the server
The encrypted private key is stored securely

Protection: Uses Argon2id algorithm (resistant to brute force attacks) to derive a key from your password, which then encrypts your private key with AES-256-GCM.

2. Organization Master Key (TMK)

A master key is generated in the administrator's browser
This key is encapsulated for each organization member using their public keys
Each member receives their own encrypted copy of the TMK
Only those who have the private key can decapsulate the TMK

Protection: Uses ECDH (Elliptic Curve Diffie-Hellman) to derive a unique shared secret for each member from that member's key pair; that secret protects the member's own copy of the TMK, so each copy can be opened only with the corresponding private key.

3. File Key (DEK)

A unique key is generated for that specific file
The file is encrypted with that key (AES-256-GCM)
The file key is encrypted with the TMK
Only the encrypted version of the key is stored on the server

Upload Flow

1. You select a file in your browser
2. You enter your password (if not already logged in)
3. Your password decrypts your private key (locally)
4. Your private key decapsulates the organization's TMK (locally)
5. A new key is generated for the file (locally)
6. The file is encrypted with that key (locally)
7. The file key is encrypted with the TMK (locally)
8. The encrypted file is sent to S3
9. The file key (encrypted) is saved in the database
10. Your original file NEVER leaves your browser in plain text

Security

Data Security & Auditing

What Is Stored on the Server

Item                  Stored form                                    Can the server read it?
File in S3            Encrypted (AES-256-GCM)                        No (needs file key)
File key              Encrypted with TMK                             No (needs TMK)
Organization TMK      Encapsulated for each user's public key (ECDH) No (needs user's private key)
User's private key    Encrypted with password-derived key            No (needs user's password)
User's password       NEVER stored                                   Doesn't exist on the server
User's public key     Plain text                                     Yes, but alone it doesn't decrypt anything

Key Operations Log

Operation            What is recorded                                 Purpose
TMK creation         Who created it, when, for which organization     Initialization audit
User encapsulation   Who granted access, to whom, when                Access control
Key rotation         Who rotated, old version, new version            Security management
Access revocation    Who revoked, from whom, reason                   Compliance

Password and User Key Protection

Your Password is NEVER Sent to the Server

1. You type your password in the browser
2. The password is processed locally (Argon2id)
3. A key is derived from your password (in your browser)
4. That key decrypts your private key (in your browser)
5. The original password is DISCARDED from memory
6. NOTHING related to the password is sent to the server

Key Derivation Algorithm (Argon2id)

Password Hashing Competition winner (2015)
Resistant to GPU and ASIC attacks: each evaluation needs a large amount of RAM
Brute force protection: every guess costs 64 MiB of memory and three passes, so high-rate guessing is impractical
Configurable parameters: security can be increased over time

Configuration used:

Memory cost: 65,536 KiB (64 MiB)
Time cost: 3 iterations
Parallelism: 1
Salt: 16 random bytes (unique for each user)

Security Chain

Password → private key → organization TMK → file key → file contents. Each link is needed to reach the next: the password unwraps the private key, the private key decapsulates the TMK, the TMK unwraps the file key, and the file key decrypts the file. If any link in this chain is missing, the file remains inaccessible. Not even system administrators can break this chain, because the server never holds any link in usable form.

Comparison

Encryption Modes

                  Standard                                  Zero Knowledge
Security          High (AWS encryption)                     Maximum (E2EE)
Performance       Fast                                      Normal
Recommended use   Internal documents, standard compliance   Sensitive data, strict compliance, total privacy

Optional Encryption

Zero Knowledge encryption is optional and can be enabled per organization. Only owners or administrators can enable it.

Access Recovery

We cannot reset your password without you losing access to encrypted files

Available options:

1. Recovery via password hint: if configured
2. New key pair: an administrator can re-encapsulate the TMK for your new key
• You keep access to organization files
• You lose access to your old private key
• The process requires administrator approval

Technical

Algorithms and Standards Used

Symmetric Encryption

AES-256-GCM

Key size: 256 bits
Mode: Galois/Counter Mode (authenticated)
Nonce: 96 random bits
Standards: NIST FIPS 197 (AES), NIST SP 800-38D (GCM)

Asymmetric Encryption

ECDH with P-256 curve

Also known as: secp256r1, prime256v1
Key size: 256 bits (128-bit security level, equivalent to RSA 3072)
Standards: NIST FIPS 186-4 (curve), NIST SP 800-56A (ECDH)

Key Derivation

Argon2id

Type: Hybrid Argon2 (resistant to side-channel and GPU attacks)
Password Hashing Competition winner
Standard: RFC 9106

Hash Functions

SHA-256

Use: public key fingerprints
Standard: NIST FIPS 180-4

Compliance

Compliance and Certifications

Regulations

LGPD (General Data Protection Law - Brazil)
Strong encryption of sensitive personal data
Access minimization (zero knowledge)
Complete audit records
GDPR (General Data Protection Regulation - Europe)
Right to be forgotten: Permanent deletion via soft delete
Data minimization: Server does not store plain text data
Privacy by design: Encryption from the start

Security Standards

NIST Cybersecurity Framework
Encryption at rest and in transit
Robust Identity and Access Management
Continuous monitoring via logs
OWASP Top 10
Protection against broken authentication
Sensitive data exposure prevented
Cryptographic failures mitigated

Benefits

Architecture Benefits

For Your Organization

Maximum Security

Files protected even in case of total server breach
Compliance with the strictest regulations
Protection against insider threats (platform employees)

Facilitated Compliance

Complete audit logs
Automatic file versioning
Trail of who accessed what and when

Total Control

You decide who has access
You manage the keys (encapsulation)
You can revoke access at any time

For Your Users

Total Privacy

Only authorized people can see the files
Not even the platform provider company has access
Protection against data breaches

Transparency

You know exactly how your data is protected
Industry-standard algorithms (auditable)
Code based on public specifications

Ease of Use

Encryption happens automatically
No need to manually manage keys
Interface same as services without encryption

FAQ

Frequently Asked Questions

Does Zero Knowledge encryption slow down uploads?

The impact is minimal. Encryption happens in your browser using hardware acceleration (AES-NI on modern processors). For files up to 100 MB, the difference is imperceptible. For larger files, there may be a few extra seconds.

What happens if I forget my password?

Since your password is the only way to decrypt your private key, you would lose access to encrypted files. Therefore, we recommend:

• Use a trusted password manager

• Set up a strong password hint

• An administrator can re-encapsulate the TMK for a new key of yours (you won't lose access to organization files)

Can the platform recover my files if I lose my password?

No. This is the essence of Zero Knowledge: not even we can access your files without your password. An organization administrator can grant access again through TMK re-encapsulation, but your old private key will be inaccessible.

Can I disable Zero Knowledge Mode after enabling it?

We don't recommend it, but it's technically possible:

1. New uploads will not be encrypted

2. Already encrypted files remain encrypted

3. You will need to decide if you want to decrypt and re-upload old files

How can I verify that my files are actually encrypted?

Visual indicators:

• "Encrypted" badge appears on files

• Metadata shows algorithm and version

• Audit logs record key operations

• You can inspect raw data in S3 (it will be unreadable)

Can I share encrypted files with people outside my organization?

Encrypted files can only be accessed by organization members who hold an encapsulated copy of the TMK. To share externally:

• Add the person as an organization member (will receive TMK)

• Download and re-upload the decrypted file through another means

• Use temporary sharing links (future feature)

Is file metadata also encrypted?

Partially. Content is fully protected, but some metadata remains visible:

• File name

• File size

• Upload date

• MIME type

• Who uploaded it

This is necessary for basic functionality (search, sorting, etc.). If you need full metadata protection, contact us for custom solutions.

Does encryption affect listing or search performance?

Encryption does not affect listing or search performance, because these operations use only metadata, which is not encrypted. Decryption happens only when you download or view a file.

Contact and Support

For questions about encryption activation, key problems, compliance and auditing, or customizations, please contact our team.

Email Support

Contact your administrator or our support team

Documentation

Check our technical documentation for more details

Document updated on: January 2026
Version: 1.0
Classification: Public Documentation