Foldr.Space

Security at Foldr.Space

Your files deserve the best protection. Here's how we keep your data safe with industry-standard security measures.

Encryption in Transit

All data is encrypted with TLS 1.3 during transfer between your device and our servers.

Encryption at Rest

Files are stored with AES-256 encryption on enterprise-grade infrastructure.

Client-Side Encryption

Pro users can enable end-to-end encryption where only you hold the decryption key.

Transport Layer Security (TLS)

Every connection to Foldr.Space is protected with industry-standard encryption.

TLS 1.3 encryption for all connections
HTTPS enforced on all pages
HTTP Strict Transport Security (HSTS)
Perfect Forward Secrecy
Modern cipher suites only
Certificate transparency logging

Storage Security

Your files are stored on enterprise-grade infrastructure with multiple layers of protection.

Infrastructure

  • AWS S3-backed storage via Supabase
  • AES-256 server-side encryption at rest
  • Geographic redundancy for durability
  • SOC 2 Type II certified infrastructure

Access Controls

  • Row Level Security (RLS) on all database tables
  • Signed URLs with expiration for downloads
  • Unique cryptographic share tokens
  • Service role isolation

Client-Side Encryption

Pro Feature

For maximum privacy, Pro users can enable end-to-end encryption where files are encrypted in your browser before upload.

Zero-Knowledge Encryption

When you enable client-side encryption, your file is encrypted using AES-256-GCM in your browser before it ever leaves your device. The encryption key is derived from a password you choose and is never sent to our servers. This means even we cannot read your encrypted files.

How It Works

  1. You set an encryption password
  2. A key is derived using PBKDF2 (100,000 iterations)
  3. File is encrypted with AES-256-GCM in your browser
  4. Only the encrypted file is uploaded
  5. To download, enter your password to decrypt locally

Important Notes

  • We cannot recover files if you forget your password
  • Password hint can be stored (not the password)
  • Uses Web Crypto API (browser-native)

Password Protection

Add an extra layer of access control to your shared files.

Bcrypt password hashing (10 salt rounds)
Passwords never stored in plaintext
Rate-limited password attempts
Secure password verification
No password hints stored server-side
Available for Pro users

Secure Token Generation

All share links use cryptographically secure random tokens.

crypto.randomBytes()

Node.js cryptographic random number generator

16-32 characters

URL-safe alphanumeric tokens

~10^57 combinations

Practically impossible to guess

File Validation & Security Scanning

Every uploaded file goes through our security validation pipeline.

What We Check

  • Magic byte analysis to detect true file type
  • Extension mismatch detection (anti-spoofing)
  • Cryptocurrency miner detection
  • Malicious JavaScript pattern detection

What We Block

  • Files with mismatched extensions (e.g., .exe renamed to .jpg)
  • Known crypto mining scripts
  • Obfuscated malicious code patterns
  • Server-side code in static hosting

Mobile App Security

Our mobile app uses platform-native secure storage.

iOS
  • • Keychain Services encryption
  • • first_unlock_this_device accessibility
  • • Hardware-backed key storage
Android
  • • EncryptedSharedPreferences
  • • Android Keystore System
  • • AES-256 encryption

Abuse Prevention

Multiple layers of protection against abuse and attacks.

Rate Limiting

  • • 10 uploads/hour per IP
  • • 100 downloads/hour per IP
  • • API call limits

IP Protection

  • • Automatic IP blocking
  • • Abuse pattern detection
  • • Geographic redundancy

Content Safety

  • • DMCA compliance
  • • Abuse reporting
  • • Law enforcement cooperation

Transparency

We believe in being honest about what we can and cannot guarantee.

What we guarantee

All data in transit is encrypted. All data at rest is encrypted using AES-256. Your passwords are hashed with bcrypt. Share tokens are cryptographically secure.

Without client-side encryption

Without client-side encryption enabled, Foldr.Space and our infrastructure providers (Supabase/AWS) technically have the ability to access stored files. This is similar to most cloud storage providers. For truly sensitive data, we recommend enabling client-side encryption (Pro feature) or encrypting files locally before upload.

With client-side encryption (Pro)

When client-side encryption is enabled, your files are encrypted in your browser before upload. The encryption key is derived from your password and never leaves your device. We cannot decrypt these files - true zero-knowledge encryption.

Questions About Security?

We're happy to answer any questions about how we protect your data.

Privacy PolicyTerms of ServiceContact Security Team