Clav
Technical Documentation

File Upload Architecture

Learn how we protect your files with enterprise-grade security and optional zero-knowledge encryption

Overview

Two security levels for your files

Our platform offers a robust file storage architecture with two security levels, designed to meet different compliance requirements.

Standard

Standard Mode

Secure storage with AWS-managed encryption

Optional

Zero Knowledge Mode

End-to-end encryption where not even system administrators can access your file contents

Encryption Mode Recommendation

We recommend using Standard Mode as it enables AI-powered validation to automatically verify if your compliance files are filled out correctly. However, if you need to store highly confidential information, you can enable Zero Knowledge Mode, which provides maximum privacy but disables automatic AI validation.

Infrastructure

Storage Infrastructure (AWS S3)

All files are stored in Amazon S3 buckets configured with the strictest security policies.

Public Access Block

Public access completely blocked: No file can be accessed publicly
Public ACLs blocked at all levels
Public policies prevented
Guarantee that buckets will never be exposed publicly

Mandatory Encryption

Mandatory encryption at rest: All files are automatically encrypted when stored
AWS KMS (Key Management Service) for additional key control
Deny policy: Uploads without encryption are automatically rejected
Key validation: Only authorized KMS keys are accepted

Secure Transport

HTTPS mandatory: All communications with S3 must use encryption in transit
Deny policy: Any attempt to access via unencrypted HTTP is automatically blocked

File Versioning

Versioning enabled: All versions of a file are kept
Protection against accidental deletion: Previous versions can be recovered
Lifecycle management: Old versions are automatically managed to optimize costs

Object Lock (Optional)

Configurable retention: Files can be locked against modification or deletion for specific periods
Regulatory compliance: Meets compliance requirements that demand document immutability
Retention modes: Governance or Compliance, depending on requirements

Granular Access Control

Authentication via IAM Roles: Only authorized applications can access files
Principle of least privilege: Each component has only the necessary permissions
Access auditing: Logs of all accesses can be enabled for compliance

Data Classification

All buckets are classified and tagged with: DataClassification: Sensitive, Compliance: Required, Purpose: File storage bucket for organization documents - Compliance Retention

Security

Zero Knowledge Architecture

Zero Knowledge architecture is an end-to-end encryption system where your files are encrypted in your browser before being sent to the server.

What is Zero Knowledge?

Your files are encrypted in your browser before being sent to the server
Only you and authorized members of your organization can decrypt the files
Not even system administrators have access to your file contents
Not even company employees can view your documents
Not even attackers who gain access to the database can read the files

Three-layer cryptographic key system

1

User Key Pair

A cryptographic key pair is generated in your browser
Your private key is encrypted with your password (never leaves your browser in plain text)
Your public key is sent to the server
The encrypted private key is stored securely

Protection: Uses Argon2id algorithm (resistant to brute force attacks) to derive a key from your password, which then encrypts your private key with AES-256-GCM.

2

Organization Master Key (TMK)

A master key is generated in the administrator's browser
For each member, the TMK is wrapped with an ephemeral ECDH P-256 exchange against the member's public key
The shared secret is run through HKDF-SHA256 (with the suite ID and recipient/ephemeral public keys as info) to derive the wrap key
The AES-GCM call binds the org, TMK generation, and recipient fingerprint into AAD — wraps cannot be swapped between recipients or generations
Each member can decapsulate only their own copy with their private key

Protection: ECDH P-256 + HKDF-SHA256 follows the RFC 9180 (HPKE) construction. AAD binding ensures a wrap intended for one member at one generation cannot be reused elsewhere.

3

File Key (DEK)

A unique 256-bit DEK is generated for that specific file
The file body is encrypted with the DEK (AES-256-GCM)
The DEK is wrapped with the TMK using AES-256-GCM, with AAD that binds org, file version, TMK generation, and a SHA-256 of the encrypted body
Swapping the S3 object or replaying a wrap from another file fails AEAD verification
Only the encrypted DEK is stored on the server

Protection: Body-hash binding ties the wrapped DEK to the exact ciphertext on disk — defeats both DEK-swap and server-driven body substitution.

Upload Flow

1You select a file in your browser
2You enter your password (if not already logged in)
3Your password decrypts your private key (locally)
4Your private key decapsulates the organization's TMK (locally)
5A new key is generated for the file (locally)
6The file is encrypted with that key (locally)
7The file key is encrypted with the TMK (locally)
8The encrypted file is sent to S3
9The file key (encrypted) is saved in the database
10Your original file NEVER leaves your browser in plain text
Security

Data Security & Auditing

What Is Stored on the Server

File in S3Encrypted (AES-256-GCM)
No (needs file key)
File keyEncrypted with TMK
No (needs TMK)
Organization TMKEncrypted with each user's public key
No (needs user's private key)
User's private keyEncrypted with password
No (needs user's password)
User's passwordNEVER stored
Doesn't exist on the server
User's public keyPlain text
Yes, but alone it doesn't decrypt anything

Key Operations Log

TMK creationWho created, when, for which organizationInitialization audit
User encapsulationWho granted access, to whom, whenAccess control
Key rotationWho rotated, old version, new versionSecurity management
Access revocationWho revoked, from whom, reasonCompliance

Password and User Key Protection

Your Password is NEVER Sent to the Server

1You type your password in the browser
2The password is processed locally (Argon2id)
3A key is derived from your password (in your browser)
4That key decrypts your private key (in your browser)
5The original password is DISCARDED from memory
6NOTHING related to the password is sent to the server

Key Derivation Algorithm (Argon2id)

Password Hashing Competition winner (2015)
Resistant to GPU and ASIC attacks: Requires a lot of RAM
Brute force protection: Thousands of attempts per second become impractical
Configurable parameters: Security can be increased over time

Configuration used:

Memory Cost: 65,536 KB (64 MB)Time Cost: 3 iterationsParallelization: 1Salt: 16 random bytes (unique for each user)

Security Chain

If any link in this chain is missing, the file remains inaccessible. Not even system administrators can break this chain.

Comparison

Encryption Modes

Standard
SecurityHigh (AWS encryption)
PerformanceFast
Recommended UseInternal documents, standard compliance
Zero Knowledge
SecurityMaximum (E2EE)
PerformanceNormal
Recommended UseSensitive data, strict compliance, total privacy

Optional Encryption

Zero Knowledge encryption is optional and can be enabled per organization. Only owners or administrators can enable it.

Access Recovery

We cannot reset your password without you losing access to encrypted files

Available options:

1
Recovery via password hint:If configured
2
New key pair:Administrator can re-encapsulate TMK for new key
You keep access to files
Lose access to your old private key
Process requires administrator approval
Technical

Algorithms and Standards Used

Symmetric Encryption (AEAD)

AES-256-GCM

Key size: 256 bitsMode: Galois/Counter Mode (authenticated)Nonce: 96 random bits per wrap (CSPRNG)AAD on every wrap: domain-separates wrap purpose and binds to context (org, generation, recipient, file body hash)Standard: NIST FIPS 197

Key Agreement + KDF

ECDH P-256 + HKDF-SHA256

Curve: secp256r1 / prime256v1 (NIST FIPS 186-4)ECDH X-coordinate is length-validated (32 bytes) and passed through HKDF-SHA256 before being used as an AES keyHKDF construction follows RFC 9180 (HPKE): empty salt, info carries suite ID + recipient/ephemeral public keys

Password Key Derivation

Argon2id

Type: Hybrid Argon2 (resistant to side-channel and GPU)Password Hashing Competition winner (RFC 9106)Memory cost: 64 MB · Time cost: 3 iterations · 16-byte random salt per userArgon2 parameters are stored per-record so future increases ship without breaking old data

Envelope Format

Versioned envelopes

Every wrapper carries an explicit version field; readers reject unknown versionsEach blob row stores a max-version-seen column to block downgrade-substitution attacksFile-key wrap AAD includes a SHA-256 of the encrypted body

Body Integrity Binding

Per-file body hash

Server records SHA-256 of the encrypted S3 object body at uploadThe wrapped file key is AAD-bound to that body hash, so swapping the S3 object breaks AEAD verificationTwo-step upload (reserve / complete) validates the body hash before marking the version final

Hash Function

SHA-256

Public-key fingerprints (first 8 bytes hex)Encrypted-body integrity hashes used in AADStandard: NIST FIPS 180-4
References

Standards and Specifications

Every primitive on this page maps to a published standard. The links below go to the source documents — useful for security review or independent verification.

Symmetric & Authenticated Encryption

Key Agreement & Derivation

Hashes & Integrity

Browser Cryptography APIs

Threat-Model Background

Zero-Knowledge & End-to-End Encrypted Storage

Compliance

Compliance and Certifications

Regulations

LGPD (General Data Protection Law - Brazil)
Strong encryption of sensitive personal data
Access minimization (zero knowledge)
Complete audit records
GDPR (General Data Protection Regulation - Europe)
Right to be forgotten: Permanent deletion via soft delete
Data minimization: Server does not store plain text data
Privacy by design: Encryption from the start

Security Standards

NIST Cybersecurity Framework
Encryption at rest and in transit
Robust Identity and Access Management
Continuous monitoring via logs
OWASP Top 10
Protection against broken authentication
Sensitive data exposure prevented
Cryptographic failures mitigated
Benefits

Architecture Benefits

For Your Organization

Maximum Security

Files protected even in case of total server breach
Compliance with the strictest regulations
Protection against insider threats (platform employees)

Facilitated Compliance

Complete audit logs
Automatic file versioning
Trail of who accessed what and when

Total Control

You decide who has access
You manage the keys (encapsulation)
You can revoke access at any time

For Your Users

Total Privacy

Only authorized people can see the files
Not even the platform provider company has access
Protection against data breaches

Transparency

You know exactly how your data is protected
Industry-standard algorithms (auditable)
Code based on public specifications

Ease of Use

Encryption happens automatically
No need to manually manage keys
Interface same as services without encryption
FAQ

Frequently Asked Questions

The impact is minimal. Encryption happens in your browser using hardware acceleration (AES-NI on modern processors). For files up to 100 MB, the difference is imperceptible. For larger files, there may be a few extra seconds.

Since your password is the only way to decrypt your private key, you would lose access to encrypted files. Therefore, we recommend:

• Use a trusted password manager

• Set up a strong password hint

• An administrator can re-encapsulate the TMK for a new key of yours (you won't lose access to organization files)

No. This is the essence of Zero Knowledge - not even we can access your files without your password. An organization administrator can grant access again through TMK re-encapsulation, but your old private key will be inaccessible.

We don't recommend it, but it's technically possible:

1. New uploads will not be encrypted

2. Already encrypted files remain encrypted

3. You will need to decide if you want to decrypt and re-upload old files

Visual indicators:

• "Encrypted" badge appears on files

• Each envelope carries an explicit format version field; readers reject unknown versions

• Audit logs record key operations and rotations

• You can inspect raw data in S3 (it will be unreadable)

Yes. Owners can run a TMK rotation that generates a fresh master key and re-wraps every member, integration, and file key against it.

Rotation is done in the browser by an admin who already holds the current TMK — the server never sees plaintext key material.

The previous generation is kept in a soft-delete recovery window (7 days) so an aborted or mistaken rotation can be rolled back. After the window the old generation is purged.

Each rotation is locked to a per-rotation token so stale clients can't write into a rotation that has been replaced.

Encrypted files can only be accessed by organization members who have the encapsulated TMK. To share externally:

• Add the person as an organization member (will receive TMK)

• Download and re-upload the decrypted file through another means

• Use temporary sharing links (future feature)

Partially. Content is fully protected, but some metadata remains visible:

• File name

• File size

• Upload date

• MIME type

• Who uploaded it

This is necessary for basic functionality (search, sorting, etc.). If you need full metadata protection, contact us for custom solutions.

Encryption does not affect listing or search performance, as these operations use only metadata (not encrypted). Decryption only happens when you download/view the file.

Contact and Support

For questions about encryption activation, key problems, compliance and auditing, or customizations, please contact our team.

Email Support

Contact your administrator or our support team

Documentation

Check our technical documentation for more details

Document updated on: January 2026Version: 1.0Classification: Public Documentation