Data Processing, Security & Privacy
ShareMyDocs is built to make secure document sharing simple for teams and individuals. Below is a thorough, transparent overview of what we process, how we process it, and the controls available to end users.
What we collect and process
We process a limited set of information needed to operate the service efficiently and securely. This includes:
- Account information: email, name, organization, user ID and account settings.
- Documents and attachments you upload, together with metadata such as file name, size, MIME type, upload timestamps, and optionally user-provided tags and descriptions.
- Sharing artifacts: share links, one-time codes, permissions (view/download/edit), expiration times, and revocation records.
- Access and activity logs (for security, auditing, and troubleshooting).
- Optional audit metadata: IP addresses, user agent strings, device identifiers, and location hints to help detect abuse and present accurate audit trails.
How documents are processed
Uploads go through a multi-stage processing pipeline designed for reliability and security:
- Client upload: files are uploaded from your browser or client over TLS to our ingestion layer. We provide resumable uploads for large files to improve robustness.
- Delivery: files are served through secure endpoints and, where applicable, through a global CDN to provide low-latency access while respecting sharing rules and expirations.
Encryption in transit and at rest
We use strong cryptographic controls across the service to protect data:
- In transit: All communications use TLS 1.2+ with SSL certificates on all domains and subdomains. Strong cipher suites protect data moving between clients and our systems.
- At rest: Documents are encrypted using AES-256 server-side encryption with robust encryption keys managed by our platform.
- Backups: All onsite and offsite backups are fully encrypted to maintain security even in disaster recovery scenarios.
- Key management: For server-side encryption we use industry best practices for key lifecycle and rotation.
Sharing controls and granular permissions
ShareMyDocs provides flexible sharing primitives so you control who sees documents and what they can do with them:
- Link types: public links sent via email or SMS/text, time-limited links, and one-time access links.
- Download controls: revoke access and disable downloads or upload requests.
- Revocation & expiration: revoke a share instantly or set automatic expirations to reduce long-lived access risk.
Access logging, auditability & monitoring
Visibility and accountability are core to secure collaboration. Our platform records detailed, secure logs with hashed references for actions like uploads, downloads, share creation, permission changes, and revocations.
- Comprehensive audit trails for administrators and compliance teams.
- Secure, searchable logs with configurable retention to balance visibility and privacy.
- Alerting & monitoring: suspicious patterns (e.g., mass downloads or repeated failed access attempts) can trigger automated alerts for security teams.
Retention, deletion & data lifecycle
We give customers clear control over how long documents are stored and how they are removed:
- User control: users can delete documents and shares at any time; deletion workflows remove the file from active storage and begin any configured retention/archival process.
- Secure deletion: when data is deleted per policy, we follow secure deletion practices to remove keys and make content inaccessible.
Compliance and certifications
ShareMyDocs is hosted on infrastructure that meets the highest security and compliance standards:
- HIPAA Compliant: Healthcare-ready infrastructure designed to safeguard ePHI with access controls, encryption, audit logging, and disaster recovery.
- SOC 2 Type II & SOC 3 Type II: Independently audited for security, availability, and confidentiality based on AICPA Trust Service Principles.
- HITECH Compliant: Enhanced protections for electronic health information.
- Business Associate Agreement (BAA): Available for healthcare organizations and businesses handling protected health information.
- Privacy by design: minimizing collection, providing data portability, and respecting user control over their content.
- Support for GDPR data subject requests and access/export tooling for customers.
Contact privacy@sharemydocs.app for compliance documentation, BAA requests, or audit reports.
Incident response & breach notification
We maintain a formal incident response program that includes detection, containment, eradication, and recovery procedures. In the unlikely event of a security incident, affected customers will be notified promptly with details, recommended mitigations, and follow-up actions.
Privacy-first product design
Our product philosophy centers on giving users control over their data. We minimize unnecessary processing, provide tools for exporting or deleting content, and aim to be transparent about how information is used.
- Data minimization: we only store what is necessary to deliver the service.
- Consent & transparency: account settings and share dialogs clearly show who can access content and under what conditions.
Contact & legal
For legal inquiries, Data Processing Agreements, security questions, or to request compliance documentation, please contact:
privacy@sharemydocs.app
We strive to respond quickly to requests and to support customers in meeting their regulatory and contractual obligations.
Note: this page summarizes our data processing practices for easy consumption. For the full legal terms, privacy policy, and the most current technical documentation, refer to the official documentation or contact our privacy team.
