Security shouldn't be a black box
Many of our customers — lawyers, accountants, consultants, agencies — handle sensitive client work. This page explains, in plain language, how Droplana protects you and your clients' data, so you can judge that for yourself before you trust us with it.
Our security philosophy
We believe three things:
Security is a baseline, not a feature. It shouldn't cost extra. It shouldn't be locked behind enterprise tiers. Every Droplana account — including the free tier — gets the same encryption, isolation, and access protections.
Your data is your data. We don't sell it. We don't train AI on it. We don't share it with third parties beyond the strict minimum needed to operate the service.
You should be able to leave. If you ever stop using Droplana, you should be able to take everything with you cleanly. We do not lock you in.
Everything below is the operational expression of those three principles.
Data encryption
In transit
All connections to Droplana use HTTPS with TLS 1.2 or 1.3, managed by Caddy with automatic certificate provisioning and renewal. HTTP requests are automatically redirected to HTTPS, and we set Strict-Transport-Security headers to enforce HTTPS for one year, including subdomains.
At rest
Files are stored on S3-compatible object storage and encrypted at rest using AES-256 server-side encryption. The PostgreSQL database (hosted on Hetzner in Germany) is also encrypted at rest. Encryption keys are managed by our infrastructure provider.
What this means in practice
Even if a malicious party somehow gained physical access to the storage infrastructure, the data they'd see would be encrypted and unreadable without the keys.
Per-client isolation
This is one of Droplana's foundational design decisions, not a feature.
Every client portal you create is isolated by design. Each client gets their own access token (one per client) and their own portal sessions. Clients cannot see each other. They cannot see other clients' files, messages, or even know that other clients exist. Your dashboard is the only place where multiple clients are visible — and only to you.
Behind the scenes, every database query that touches client data is scoped to your business ID, which we read from your authenticated session — never from request URLs or bodies. There is no shared workspace, no inherited permissions to misconfigure.
For lawyers, accountants, and consultants who handle multiple clients with conflicting interests, this is the most important property of the system.
Access controls
Your account (the business side)
- Authentication: magic-link only. We do not use passwords. Each time you log in, we send a one-time link to your email address. That link is valid for 15 minutes and can only be used once.
- Why no passwords? Passwords are the most common cause of account compromise. By not having them, we eliminate that entire attack surface. Your email account effectively becomes your authentication factor — protect it with a strong password and 2FA there.
- Magic link tokens are 32 random bytes, never logged in raw form, and stored only as SHA-256 hashes in our database. The link can only be consumed once — using it invalidates it.
- Sessions last 31 days, with sliding renewal on activity. They can be invalidated by logging out.
- CSRF protection uses a double-submit cookie pattern on every state-changing request.
Your clients (the portal side)
- Clients access their portal via a unique, unguessable URL you generate and share with them. The URL contains a 32-byte random token (so guessing it is computationally infeasible).
- On first visit, the token is exchanged for a portal session cookie that lasts 24 hours, and the token is removed from the URL. This protects the token from being leaked through browser history or referrer headers.
- The original token URL itself does not auto-expire — you control it. You can revoke a client's access at any time, which immediately invalidates their token and any active portal sessions.
- Clients do not create accounts or set passwords. They open a link.
- Clients can share their portal link with their own team if needed. There's no per-person account on the client side — the link is the access mechanism.
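To make the portal-side rules above concrete (token in the share URL, exchange for a 24-hour session cookie, revocation killing both the link and live sessions, and the per-portal slug check mentioned in the FAQ), here is an added illustrative model written for this page. It is not Droplana's code: the URL shape, the in-memory storage and the `PortalAuth` class are assumptions, and only the behaviour the page describes is reproduced.

```python
import hashlib
import secrets

PORTAL_SESSION_TTL = 24 * 60 * 60  # portal session cookie lasts 24 hours (per the page)


def _digest(value: str) -> str:
    # Only a SHA-256 digest of a token or cookie is stored server-side.
    return hashlib.sha256(value.encode()).hexdigest()


class PortalAuth:
    """Hypothetical in-memory model; a real service would persist this in a database."""

    def __init__(self):
        self.tokens = {}    # digest -> {"business", "slug", "revoked"}
        self.sessions = {}  # digest -> {"business", "slug", "expires"}

    def issue_link(self, business: str, slug: str) -> str:
        # One 32-byte random token per client; the raw value appears only in the share URL.
        raw = secrets.token_urlsafe(32)
        self.tokens[_digest(raw)] = {"business": business, "slug": slug, "revoked": False}
        return f"https://portal.example/{slug}?t={raw}"  # placeholder host, assumed URL shape

    def exchange(self, slug: str, raw_token: str, now: float):
        """First visit: trade the URL token for a session cookie (None if rejected)."""
        rec = self.tokens.get(_digest(raw_token))
        if rec is None or rec["revoked"] or rec["slug"] != slug:
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[_digest(cookie)] = {**rec, "expires": now + PORTAL_SESSION_TTL}
        return cookie  # caller sets the cookie, then redirects to the token-free URL

    def authorize(self, slug: str, cookie: str, now: float) -> bool:
        """Every portal request: the session must be live AND belong to this slug."""
        sess = self.sessions.get(_digest(cookie))
        if sess is None or sess["expires"] <= now:
            return False
        return sess["slug"] == slug  # a cookie from portal A is useless on portal B

    def revoke(self, business: str, slug: str) -> None:
        # Revocation kills the share link and every live session for that client at once.
        for rec in self.tokens.values():
            if rec["business"] == business and rec["slug"] == slug:
                rec["revoked"] = True
        self.sessions = {k: s for k, s in self.sessions.items()
                         if (s["business"], s["slug"]) != (business, slug)}
```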
What we don't currently support
- Two-factor authentication on Droplana accounts beyond email-based magic links. Your email's 2FA effectively serves the same purpose for our auth flow.
- Single Sign-On (SSO). Not currently available.
- Multiple team members per Droplana account. Each Droplana account is currently single-user. Multi-user / team support is on the roadmap.
Rate limiting
We rate-limit sensitive operations to prevent abuse:
- Magic link requests: 3 per email address per 15 minutes
- Portal token exchange: 20 per IP per minute
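The magic-link flow from the "Your account" section (32 random bytes, stored only as a SHA-256 hash, valid for 15 minutes, single use, never logged raw) together with the 3-per-email-per-15-minutes limit above, as one added illustrative model. This is not Droplana's implementation: the `MagicLinkAuth` class, the in-memory stores and the audit-event shape are assumptions made for this example.

```python
import hashlib
import secrets
from collections import defaultdict

LINK_TTL = 15 * 60        # a magic link is valid for 15 minutes
REQUEST_LIMIT = 3         # at most 3 link requests ...
REQUEST_WINDOW = 15 * 60  # ... per email address per 15 minutes (sliding window)


class MagicLinkAuth:
    """Hypothetical in-memory model; a real service persists links and sends email."""

    def __init__(self):
        self.links = {}                    # sha256(token) -> {"email", "expires", "used"}
        self.requests = defaultdict(list)  # email -> timestamps of recent link requests
        self.audit = []                    # structured audit events, never raw tokens

    def request_link(self, email: str, now: float):
        """Return the raw token to email out, or None if the address is rate-limited."""
        recent = [t for t in self.requests[email] if t > now - REQUEST_WINDOW]
        if len(recent) >= REQUEST_LIMIT:
            self.audit.append({"event": "rate_limit_hit", "email": email, "at": now})
            return None
        self.requests[email] = recent + [now]
        raw = secrets.token_urlsafe(32)  # 32 random bytes; only its hash is stored
        self.links[hashlib.sha256(raw.encode()).hexdigest()] = {
            "email": email, "expires": now + LINK_TTL, "used": False}
        self.audit.append({"event": "login_requested", "email": email, "token": "<redacted>"})
        return raw

    def consume(self, raw_token: str, now: float):
        """Exchange a clicked link for the email it authenticates; None if rejected."""
        rec = self.links.get(hashlib.sha256(raw_token.encode()).hexdigest())
        if rec is None or rec["used"] or rec["expires"] <= now:
            self.audit.append({"event": "login_failed", "token": "<redacted>", "at": now})
            return None
        rec["used"] = True  # single use: a replayed link fails from here on
        self.audit.append({"event": "login_succeeded", "email": rec["email"], "at": now})
        return rec["email"]
```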
Hosting and infrastructure
Where your data lives
Droplana is hosted in the European Union. Our application servers, PostgreSQL database, and S3-compatible file storage are all hosted on Hetzner in Germany. Transactional email is sent via Brevo in France.
Why this matters
For European customers, data residency is a real concern under GDPR. Your data does not leave the EU.
For non-EU customers, EU hosting still provides strong privacy protections — generally stronger than the alternatives.
Backups
We rely on managed backups provided by Hetzner, our infrastructure host in Germany. Backups are used for disaster recovery only, are not user-accessible, and expire on the schedule defined by our host. Specific backup configuration details are available on request — please email security@droplana.com if you need detailed information for your own compliance review.
Uptime
We don't make a contractual SLA commitment at this stage. We monitor uptime continuously via a public health check and address issues quickly. As the service matures, we'll publish historical uptime numbers based on real data rather than aspirational targets.
Service monitoring
We log application activity using Serilog with daily log rotation. We expose a public health-check endpoint (/health) for uptime monitoring.
Privacy and your data
What we collect
We collect the minimum data needed to operate the service:
- Account information: your email address, your account slug, account creation timestamp.
- Files and messages: files you upload to client portals, comments between you and clients, and per-file status updates.
- Operational metadata: download events (when a client downloads a file), seen/unseen state of comments, and timestamps.
- Audit logs: login events, token generation, account deletion, rate-limit hits — for security purposes.
- Billing information: processed by our payment provider (Paddle), not stored on our servers. We receive only the metadata we need (subscription status, invoice IDs, etc.).
What we don't do
- We don't sell your data. Not to advertisers, not to data brokers, not to anyone.
- We don't train AI models on your data or your clients' data.
- We don't share your data with third parties for marketing purposes.
- We don't read your files or messages. Support access requires your explicit permission.
- We don't run analytics or tracking scripts. No Google Analytics, no Hotjar, no third-party trackers — our only visibility into how the product is used comes from server logs needed to operate the service.
- We never log raw authentication tokens. Magic-link tokens and portal access tokens are logged only as redacted placeholders.
What third parties touch your data
A short list, kept current:
- Payment processing: Paddle.com Market Limited (Merchant of Record, UK). Paddle handles all card processing, invoicing, VAT and sales tax compliance globally. They store customer billing data; we receive only the subscription/invoice metadata we need.
- Transactional email: Brevo (Sendinblue SAS, France). Used for sending magic links and account-related emails. They process email content in transit.
- Application server, database & file storage: Hetzner Online GmbH (Germany). Hosts our application, PostgreSQL database, and S3-compatible object storage in EU regions.
- Web infrastructure: Caddy reverse proxy with automatic TLS via Let's Encrypt.
- Code hosting: GitHub (US). Source code only — no customer data.
Each provider is selected for its own privacy posture and is bound by appropriate data processing terms.
Your rights (especially under GDPR)
You have the right to:
- Access the data we hold about you — exercised via Account → Export data, which provides a complete JSON export of your business, all clients, all files (with metadata, sizes, statuses), all comments and seen state, all download events, and all invoice records.
- Correct any inaccurate data — most fields are editable directly in the dashboard.
- Delete your account and your data — exercised via Account → Delete account. This performs an irreversible hard delete: all your business data, all client data, all files in object storage, comments, events, sessions, magic links, and subscription/invoice records are removed in a single operation.
- Export your data in a portable format (JSON).
- Object to processing in certain cases.
We respond to GDPR requests within 30 days, as required by the regulation.
Personal data and download events
Per GDPR, file download events linked to a client's portal session count as personal data. We include them in your data export and delete them entirely when you delete an account or a client.
Compliance
GDPR
We are GDPR-compliant in our handling of EU data. Key compliance practices:
- EU data residency (Frankfurt)
- No analytics or tracking scripts
- Data subject rights honored within 30 days
- Hard-delete on account deletion — no soft-delete trash
- Structured JSON export available on demand
- Item events (downloads) treated as personal data in exports and deletions
- Clear list of subprocessors in this document
Our Data Processing Agreement (DPA) is published at /dpa. Customers with formal procurement processes can also request a counter-signed copy at security@droplana.com.
What we don't (yet) have
We're transparent about this:
- We are not currently SOC 2 certified. Common for early-stage SaaS; on the roadmap as we grow.
- We are not currently ISO 27001 certified. Same.
- We are not HIPAA-certified. Droplana is not appropriate for protected health information (PHI) — please use a HIPAA-compliant tool for that work.
- We are not specifically certified for FINRA or other US financial regulatory frameworks.
For regulated industries
If your work requires specific certifications (HIPAA in US healthcare, FINRA in US finance, certain bar association requirements for legal record-keeping, etc.), please confirm Droplana fits your specific obligations before signing up. Contact us and we'll walk through what we do (and don't) do — honestly, before you commit.
What you can do to protect your account
Security is a shared responsibility. Here's how to maximize the security of your Droplana account:
- Protect your email account. Because we use magic-link authentication, your email account is your authentication. Make sure it has a strong password and 2FA enabled.
- Don't share your email login credentials. If a colleague needs to manage Droplana on your behalf, that's a workflow Droplana doesn't support directly today (multi-user access is on the roadmap).
- Be thoughtful about who you share portal links with. A portal link is the access mechanism — anyone with it can claim the portal session. Don't post links publicly. It's fine to share within a client's internal team — that's a designed-for use case.
- Revoke and regenerate portal tokens when needed. If you suspect a portal link has been compromised, you can revoke and regenerate it from the client's share page. The old link will stop working immediately.
- Delete clients you no longer work with. Cleaner than leaving stale portals. The full delete removes all their files, comments, events, and access tokens.
- Review your client list regularly. Once a quarter, scan and clean up.
Reporting a security issue
If you believe you've found a security vulnerability in Droplana, please email security@droplana.com with details. We take all reports seriously and aim to respond within 72 hours.
We do not currently offer a paid bug bounty, but we deeply appreciate responsible disclosure and will publicly credit researchers who report valid issues (with their permission).
Please do not publicly disclose vulnerabilities before we've had a reasonable opportunity to fix them.
Frequently asked questions
Is Droplana suitable for highly sensitive work (legal, financial, medical)? For everyday legal and financial document work — contracts, tax documents, project files, client communication — Droplana is a major upgrade over email and shared cloud drives. For specifically regulated work that requires certified record-keeping (e.g., HIPAA-protected health information, SEC-regulated financial communications), please confirm your specific obligations before signing up. We're happy to walk through what Droplana does and doesn't do.
Can I delete my data? Yes. You can delete individual files, delete entire client portals, or delete your full account at any time. Account deletion is irreversible — we do an immediate, complete hard delete: all files in object storage, all comments, all download events, all sessions, all subscription metadata. There is no "deleted accounts" trash.
Can I export my data? Yes. The Account page includes "Export data", which produces a complete JSON export of your business, all clients, all files (with metadata, sizes, statuses), all comments and seen state, all download events, and all invoices. This is available on every plan, including Free.
What happens if I stop paying? When a paid subscription is canceled (by you, or due to repeated payment failure), you keep full access until the end of your billing period plus a 15-day grace period. After that, you return to free-tier limits — your account stays open, but you'll be limited to your free-tier client count. If you're over the limit at that point, we keep your most recently created client and remove the rest.
Do you have a Data Processing Agreement (DPA)? Yes. It's published at /dpa. A counter-signed copy is available on request — email security@droplana.com.
Are clients' files visible to other clients? No. Each client portal is isolated by architecture. There is no shared workspace model. We additionally verify slug ownership on every portal request to prevent cookie reuse across portals.
Where is my data stored? In the European Union — on Hetzner infrastructure in Germany. Application servers, PostgreSQL database, and S3-compatible file storage all reside in EU regions. Transactional email is delivered via Brevo (France).
Do you sell my data? No. Never.
Do you train AI models on my data? No.
Do you use Google Analytics or other tracking? No. Droplana does not run analytics scripts or trackers. Our only product-usage visibility comes from server logs needed to operate and secure the service.
What audit logging do you keep? We log key security events using structured logs: login requests, successful logins, failed logins, logouts, access token generation and revocation, portal accesses, account deletions, and rate-limit hits. These logs are for our internal security and incident response — not currently exposed in the user dashboard, but available on request if you have a specific compliance need.
One more thing
Security pages tend to be either reassuring fluff or impenetrable jargon. We've tried to write something honest, plain, and useful — closer to how we'd explain it on a call than how legal would write it.
If you have specific questions this page doesn't answer, email us at security@droplana.com. A real person will respond.
Trust isn't built by claiming everything. It's built by being clear about what's true.