Security at FileRequest
FileRequest is used by accountants, migration agents, NDIS providers, mortgage brokers, and legal practices to collect some of the most sensitive documents their clients possess — tax file numbers, passports, bank statements, NDIS records, visa application materials. We take that responsibility seriously. This page explains exactly how we protect that data, where it's stored, and what we do and don't do with it. No vague claims. No marketing language. Just the specifics.
Your data stays in Australia.
All FileRequest data — client documents, form responses, account information, and metadata — is stored exclusively in the ap-southeast-2 region on Amazon Web Services. That's Sydney, Australia.
We made this decision deliberately. Australian professional services firms operate under the Australian Privacy Act 1988 and have obligations to their clients regarding where sensitive information is held. Storing data offshore — in the US or EU, as most of our competitors do — creates compliance complexity and erodes client trust.
With FileRequest, your clients' documents never leave Australian shores. That's not a marketing claim — it's a technical fact built into our infrastructure from day one.
Encryption everywhere.
All data transferred between your clients, your browser, and FileRequest is encrypted in transit using TLS 1.2 or higher. All data stored on our servers — documents, form responses, account data — is encrypted at rest using AES-256.
This means that even in the unlikely event of a storage breach, the raw data is unreadable without the encryption keys. Those keys are managed by AWS and are never accessible to FileRequest staff.
Client portals are private by design.
When you send a document request, your client receives a unique token-based link. That link is tied to their specific request and their specific email address. There are no public portals, no shared links, and no way for one client to access another client's portal.
This means:
- A client cannot access their portal without the link sent to their email
- The link cannot be guessed or brute-forced — it is a cryptographically random UUID
- If a client forwards the link, the recipient sees only that client's portal — not any other client's data
- Portals automatically become read-only 30 days after the due date and deactivate at 90 days
For practices handling identity documents, TFNs, financial records, or any other sensitive materials — this access model is materially more secure than email attachments, shared Dropbox folders, or publicly accessible form links.
Row-level database security.
FileRequest is built on Supabase with row-level security (RLS) enforced at the database level — not just at the application layer.
This means that even within our own database, every query is scoped to the authenticated organisation. Your firm's data is structurally isolated from every other firm's data. It's not just an application-level check — the database itself enforces that your data can only be read by queries authenticated to your account.
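As an added illustration of database-level organisation scoping in Postgres (not FileRequest's own schema or policies): the `documents` table, the `app_user` role, the `current_org_id()` helper and the `org_id` JWT claim are all assumptions, and the sample rows are constructed. It is written to be run as a superuser in a scratch database.

```sql
-- Hypothetical schema for illustration; names are assumptions, not FileRequest's.
create table documents (
    id     uuid primary key default gen_random_uuid(),
    org_id uuid not null,
    name   text not null
);

-- Constructed sample rows for two firms, loaded before RLS is switched on.
insert into documents (org_id, name) values
    ('11111111-1111-1111-1111-111111111111', 'firm-a-passport.pdf'),
    ('22222222-2222-2222-2222-222222222222', 'firm-b-statement.pdf');

-- Hypothetical API role that application queries run as.
create role app_user nologin;
grant select, insert, update, delete on documents to app_user;

-- Organisation of the caller, read from the verified JWT claims that
-- PostgREST (used by Supabase) exposes in request.jwt.claims.
-- An unset or empty setting yields NULL, so the policy matches no rows.
create function current_org_id() returns uuid
language sql stable as $$
    select (nullif(current_setting('request.jwt.claims', true), '')::jsonb
            ->> 'org_id')::uuid
$$;

-- Enforce in the database itself; FORCE applies policies to the table owner too.
alter table documents enable row level security;
alter table documents force row level security;

-- USING filters rows read, updated or deleted; WITH CHECK rejects rows
-- written for any other organisation.
create policy org_isolation on documents
    for all to app_user
    using (org_id = current_org_id())
    with check (org_id = current_org_id());

-- A session authenticated to firm A: the SELECT is filtered to firm A's
-- rows even though it has no WHERE clause.
begin;
set local role app_user;
select set_config('request.jwt.claims',
                  '{"org_id": "11111111-1111-1111-1111-111111111111"}', true);
select name from documents;
rollback;
```

Because the filter lives in the policy, an application query that forgets its own organisation filter still cannot read another firm's rows.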
We don't sell your data. Ever.
FileRequest is a subscription software business. Our revenue comes from subscription fees — not from your data or your clients' data.
We do not sell client data to third parties. We do not share client data with advertisers. We do not use client documents or form responses to train AI models. We do not use your clients' data for any purpose other than operating the FileRequest service for your firm.
The only third parties who handle your data are our infrastructure providers — AWS (data storage, Sydney) and Vercel (application hosting) — and they are bound by strict data processing agreements.
Data retention — clear rules, not vague policies.
We believe you should know exactly how long your data is kept. Here's how FileRequest handles retention:
- Client files: Files submitted by your clients are retained for the duration of your subscription and for a period afterwards that depends on your plan tier. Files are never automatically deleted without notice.
- Reference files: Files you attach to requests as reference materials for your clients are deleted when the request is deleted.
- Requests: Requests go read-only 30 days after the due date. At 90 days past due, requests deactivate. Your submitted files remain accessible.
- Account data: If you cancel your FileRequest subscription, your data is retained for 30 days to allow export, then permanently deleted.
You can request deletion of your data at any time by contacting us at privacy@filereq.com.
What we use to run FileRequest.
We believe in transparency about our infrastructure. Here are the key providers we use and what they handle:
- Amazon Web Services (Sydney, ap-southeast-2): All data storage. Documents, database, and backups. AWS is bound by a Data Processing Agreement and ISO 27001 certified.
- Supabase: Database and authentication layer. Row-level security enforced. Data hosted on AWS ap-southeast-2.
- Vercel: Application hosting and edge delivery. Serves the FileRequest web application. No client documents are stored on Vercel infrastructure.
- Amazon SES: Outbound email delivery for document request notifications and reminders. Email content is processed transiently and not stored by SES.
- Twilio: SMS reminder delivery on Practice and Firm plans. Message content is processed transiently.
- Stripe: Payment processing. FileRequest never stores credit card numbers. All payment data is handled exclusively by Stripe, which is PCI DSS Level 1 certified.
Australian Privacy Act 1988.
FileRequest is an Australian business operated under Australian law. We comply with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).
Our full Privacy Policy is available at filereq.com/privacy. It covers in detail what personal information we collect, how we use it, how we protect it, and how you or your clients can access or correct it.
If you have a privacy concern or believe your information has been handled incorrectly, contact us at privacy@filereq.com. We will respond within 5 business days.
Responsible disclosure.
If you discover a security vulnerability in FileRequest, we want to know about it. Please contact us at security@filereq.com with details of the issue. We will acknowledge your report within 48 hours and work to resolve confirmed vulnerabilities promptly.
We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to address it. We appreciate the work of security researchers who help make software safer.
Questions?
If you have a security question that isn't answered here — or if you're evaluating FileRequest for your firm and need specific information for a compliance review — contact us at security@filereq.com. We're happy to provide additional detail, answer specific questions, or discuss your firm's particular requirements.