Trust & Security · Last reviewed 2026-05-18

How we protect your client files.

BulkShare handles client deliverables for agencies, studios, and freelancers. Security isn't optional — it's foundational. Here's what's in place today.

  • TLS 1.3 + AES-256
  • Isolated storage
  • GDPR-aligned

In transit

TLS 1.3 + HSTS

At rest

AES-256 · Cloudflare R2

Tenancy

Isolated per user

The four things every file gets, automatically.

TLS 1.3 in transit.

All traffic between your browser and BulkShare is encrypted with TLS 1.3. HSTS enforced to prevent downgrade attacks.

AES-256 at rest.

Files on Cloudflare R2 are encrypted with AES-256 server-side — the same standard banks use.

Isolated storage per user.

Each user's files live under a unique namespaced prefix. Access gated by authenticated server actions that verify session ownership.

Cloudflare + Vercel infra.

Vercel serverless for the app, Cloudflare R2 for storage. Both maintain SOC 2 Type II, ISO 27001, and GDPR certifications.

What you control on every shared link.

Password-protected links.

Pro can require a password before any file is accessible. Applied to every file in the delivery.

Configurable link expiry.

Set custom expiry windows so client access auto-revokes after the delivery window. No manual cleanup.

24-hour anonymous expiry.

Anonymous test uploads are purged 24 hours after creation — no lingering exposure of temporary files.

Download visibility.

Track which files were opened and downloaded so account teams can confirm clients received what was sent.

Minimal data, predictable handling.

Minimal data collection.

Only what's needed to operate: email for auth, uploaded files for delivery, basic analytics for link activity. We don't sell data or share with ad networks.

Soft delete + permanent removal.

Deleted files move to trash first for a recovery window. After permanent deletion, files are removed from R2. No retained copies.

Data deletion requests.

Delete your account and all data anytime. For full GDPR deletion requests, contact us — we process promptly.

No third-party file access.

Files are not indexed, scanned for advertising, or used for model training. Content is accessed only when you or your recipients request it.

Configured at the edge, on every response.

HeaderPurpose
Strict-Transport-SecurityForces HTTPS, prevents downgrade
Content-Security-PolicyRestricts which scripts and resources can load
X-Content-Type-OptionsPrevents MIME-type sniffing
X-Frame-OptionsPrevents clickjacking via iframes
Referrer-PolicyControls referrer information sent to external sites

Honest about what's done and what's coming.

In place
  • TLS 1.3 + HSTS
  • AES-256 at rest
  • GDPR handling
  • Automatic expiry
In progress
  • DPA agreement
  • Subprocessor docs
  • Incident playbook
Planned
  • SOC 2 Type II
  • Penetration audit
  • Bug bounty

Common questions

AES-256 at rest on Cloudflare R2 and TLS 1.3 in transit. Encryption is automatic and always on — nothing to configure.

On Cloudflare R2 object storage — globally distributed with built-in redundancy. Each user's files are isolated under their own storage prefix.

We follow GDPR principles: minimal data, processed only for service delivery, deletion requests supported. Cloudflare and Vercel maintain their own GDPR certifications.

Yes. Pro can add a password to any shared link. The password gates access at the link layer — even if the URL leaks, the files stay sealed.

Anonymous links from the free test flow expire automatically after 24 hours. Both the link and the file are permanently deleted at expiry.

Send your next handoff with confidence.

Encryption is on by default. Password gates, expiry, and audit logs come in on Pro. No box to tick — just send.

Start free — no cardSecure delivery
  • AES-256 + TLS 1.3
  • From $19/mo Pro
  • Cancel anytime