TLS 1.2+
Encryption in transit
All client-server communication uses TLS. Data between browser and application is encrypted in transit.
SECURITY
This page explains how Saklat protects your data. Questions: security@saklat.com
Last updated: July 2026
DATA FLOW
The browser connects to the app over TLS; the app enforces tenant isolation; documents are read from storage via signed URLs; every action is written to the audit log.
CONTROLS
TLS 1.2+
All client-server communication uses TLS. Data between browser and application is encrypted in transit.
AES-256
Uploaded documents are stored encrypted in object storage. Your data is protected at the storage layer.
SHA-256
User passwords are stored with modern hashing algorithms. Plaintext passwords are never kept or logged.
TOTP
Optional for all accounts; can be required on enterprise plans. Adds an extra verification layer to your account.
TENANT-ID
Every database query passes through an organization filter. One organization cannot access another's data.
SIGNED-URL
File access uses short-lived signed URLs. Links expire when their lifetime ends.
MAGIC-BYTE
Every upload is checked for extension, MIME type, and content signature. Mismatched files are rejected.
OPAQUE-KEY
Documents are stored under random, meaningless names. Original filenames are not visible at the storage layer.
AUDIT-LOG
Every access, upload, download, and delete is written to an append-only audit log.
HASH-TOKEN
Share tokens are stored hashed. Optional password protection and expiry are supported.
RATE-LIMIT
Authentication endpoints and share link access go through Redis-based rate limiting.
BACKUP
Database and storage layers are backed up regularly.
ERASE-30D
Data erasure flow: permanent deletion after a 30-day waiting period, with proof recorded.
DISCLOSURE