How we safeguard application storage credentials, process token authentication, and serve private files safely.
Every file uploaded to Elept is marked private by default in your database settings and storage bucket configuration. Private files are stored with unique, randomized object keys and cannot be browsed or accessed anonymously on the public web.
Private files are served through temporary signed links. These URLs include an expiration timestamp and a cryptographic HMAC-SHA256 signature calculated with your workspace signing secret. Once the expiry time passes, the link becomes invalid immediately, protecting files from unauthorized URL sharing.
API keys are shown only once, to the client admin, upon creation. In the database, keys are securely hashed using SHA-256. If a key is compromised, administrators can revoke it instantly in the dashboard, cutting off all corresponding API endpoint requests immediately.
Every file access (download, view, or API stream) is logged. Elept logs the requesting API key, account ID, timestamp, IP address, user-agent, referer, bytes served, and HTTP status code. View access patterns and detect scraping or traffic spikes in real time.
All file uploads and dashboard traffic are protected by TLS/SSL encryption in transit. For cloud storage providers (Cloudflare R2 and Backblaze B2), data is encrypted at rest using server-side AES-256 keys managed by the provider infrastructure.
Our custom enterprise plans support dedicated storage bucket configuration, local server firewalls, and custom legal clauses. Contact our team to learn more.