Trust & Security

How we protect your client files

Last reviewed 2026-05-18

BulkShare handles client deliverables for agencies, studios, and freelancers. Security isn't optional — it's foundational. Files travel over TLS 1.3, rest under AES-256 on isolated Cloudflare R2 storage, and expire on your terms. Here's what's in place today, in plain language.

What every file gets, automatically

TLS 1.3 in transit
All traffic between your browser and BulkShare is encrypted with TLS 1.3. HSTS enforced to prevent downgrade attacks.
AES-256 at rest
Files on Cloudflare R2 are encrypted with AES-256 server-side — the same standard banks use.
Isolated storage per user
Each user's files live under a unique namespaced prefix. Access gated by authenticated server actions that verify session ownership.
Cloudflare + Vercel infrastructure
Vercel serverless for the app, Cloudflare R2 for storage. Both maintain SOC 2 Type II, ISO 27001, and GDPR certifications.

What you control on every shared link

Password-protected links
Pro can require a password before any file is accessible. Applied to every file in the delivery.
Configurable link expiry
Set custom expiry windows so client access auto-revokes after the delivery window. No manual cleanup.
24-hour anonymous expiry
Anonymous test uploads are purged 24 hours after creation — no lingering exposure of temporary files.
Download visibility
Track which files were opened and downloaded so account teams can confirm clients received what was sent.

Minimal data, predictable handling

Minimal data collection
Only what's needed to operate: email for auth, uploaded files for delivery, basic analytics for link activity. We don't sell data or share with ad networks.
Soft delete + permanent removal
Deleted files move to trash first for a recovery window. After permanent deletion, files are removed from R2. No retained copies.
Data deletion requests
Delete your account and all data anytime. For full GDPR deletion requests, contact us — we process promptly.
No third-party file access
Files are not indexed, scanned for advertising, or used for model training. Content is accessed only when you or your recipients request it.

HTTP security headers

Configured at the edge, on every response.

HeaderPurpose
Strict-Transport-SecurityForces HTTPS, prevents downgrade
Content-Security-PolicyRestricts which scripts and resources can load
X-Content-Type-OptionsPrevents MIME-type sniffing
X-Frame-OptionsPrevents clickjacking via iframes
Referrer-PolicyControls referrer information sent to external sites

Compliance status

Honest about what's done and what's coming.

In place

  • TLS 1.3 + HSTS
  • AES-256 at rest
  • GDPR handling
  • Automatic expiry

In progress

  • DPA agreement
  • Subprocessor docs
  • Incident playbook

Planned

  • SOC 2 Type II
  • Penetration audit
  • Bug bounty

Common questions

AES-256 at rest on Cloudflare R2 and TLS 1.3 in transit. Encryption is automatic and always on — nothing to configure.

On Cloudflare R2 object storage — globally distributed with built-in redundancy. Each user's files are isolated under their own storage prefix.

We follow GDPR principles: minimal data, processed only for service delivery, deletion requests supported. Cloudflare and Vercel maintain their own GDPR certifications.

Yes. Pro can add a password to any shared link. The password gates access at the link layer — even if the URL leaks, the files stay sealed.

Anonymous links from the free test flow expire automatically after 24 hours. Both the link and the file are permanently deleted at expiry.