SECURITY

Security architecture

This page explains how Saklat protects your data. Questions: security@saklat.com

Last updated: July 2026

  • Privacy-compliant
  • Encrypted storage
  • Responsible disclosure
  • TLS in transit
  • Tenant isolation
  • Append-only audit log

DATA FLOW

Data flow overview

The browser connects to the app over TLS; the app enforces tenant isolation; documents are read from storage via signed URLs; every action is written to the audit log.

BrowserSaklat appObject storageAudit logTLS

CONTROLS

TLS 1.2+

Encryption in transit

All client-server communication uses TLS. Data between browser and application is encrypted in transit.

AES-256

Encryption at rest

Uploaded documents are stored encrypted in object storage. Your data is protected at the storage layer.

SHA-256

Password security

User passwords are stored with modern hashing algorithms. Plaintext passwords are never kept or logged.

TOTP

Two-factor authentication

Optional for all accounts; can be required on enterprise plans. Adds an extra verification layer to your account.

TENANT-ID

Tenant isolation

Every database query passes through an organization filter. One organization cannot access another's data.

SIGNED-URL

Short-lived signed URLs

File access uses short-lived signed URLs. Links expire when their lifetime ends.

MAGIC-BYTE

File type validation

Every upload is checked for extension, MIME type, and content signature. Mismatched files are rejected.

OPAQUE-KEY

Opaque storage names

Documents are stored under random, meaningless names. Original filenames are not visible at the storage layer.

AUDIT-LOG

Immutable audit log

Every access, upload, download, and delete is written to an append-only audit log.

HASH-TOKEN

Share link security

Share tokens are stored hashed. Optional password protection and expiry are supported.

RATE-LIMIT

Rate limiting

Authentication endpoints and share link access go through Redis-based rate limiting.

BACKUP

Daily backups

Database and storage layers are backed up regularly.

ERASE-30D

Data erasure requests

Data erasure flow: permanent deletion after a 30-day waiting period, with proof recorded.

DISCLOSURE

Responsible disclosure

If you find a security issue, please report it to security@saklat.com. We respond within a reasonable time and work to resolve it.

Keep paperwork in one place.