Security

Your documents deserve serious protection

CollectRelay handles sensitive financial and legal documents every day. We built security into every layer — not as an afterthought, but as a foundation.

Encryption everywhere

In transit

All connections use TLS 1.3 encryption. Every page, every API call, every file upload is encrypted between your browser and our servers. HSTS is enforced to prevent downgrade attacks.

At rest

Uploaded documents are stored in Cloudflare R2 with server-side encryption. Files are encrypted on disk and are never stored unencrypted at any point in the pipeline.

Secure file URLs

Document download links are signed with time-limited tokens. They expire automatically, so even if a link is shared accidentally, it stops working.

Access controls

Role-based access

Professionals and clients have completely separate access levels. Clients can only see and interact with their own transaction — never another client's documents.

Magic link authentication

Clients access their portal through unique, expiring magic links — no passwords to forget or reuse. Each link is tied to a specific transaction and email address.

Session management

Pro sessions are managed via secure, HTTP-only cookies with strict same-site policies. Sessions expire automatically and can be terminated at any time.

Infrastructure security

CollectRelay runs entirely on Cloudflare's global network. Our infrastructure provider maintains the following certifications:

SOC 2 Type II
ISO 27001
PCI DSS Level 1
SOC 3

These certifications are held by Cloudflare and cover the infrastructure CollectRelay runs on. They provide assurance that the underlying platform meets rigorous security and operational standards.

DDoS protection

Cloudflare's global network automatically mitigates distributed denial-of-service attacks before they reach our application.

Web Application Firewall

A managed WAF inspects all incoming requests and blocks common attack patterns including SQL injection, XSS, and request forgery.

Global edge network

Content and application logic run at the edge across 300+ data centers, reducing latency and providing built-in redundancy.

Application security

Input sanitization

All user input is validated and sanitized server-side. We use parameterized queries to prevent injection attacks and strip potentially malicious content from uploads.

Content Security Policy

Strict CSP headers prevent cross-site scripting by controlling which scripts, styles, and resources can be loaded on each page.

Rate limiting

API endpoints are rate-limited to prevent abuse. Authentication endpoints have stricter limits to mitigate brute-force attempts.

File type validation

Uploaded files are validated by type and size. We check actual file content, not just extensions, to prevent disguised malicious files.
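A sketch of what checking file content rather than the extension can look like. This is an added example, not CollectRelay's own code; the allowlist (PDF, PNG, JPEG), the 25 MB cap, the function names and the sample bytes are assumptions made for illustration.

```javascript
// Added example: content-based upload validation (hypothetical names and limits).
const MAX_BYTES = 25 * 1024 * 1024; // assumed size cap

// Leading "magic" bytes that identify each permitted format.
const SIGNATURES = new Map([
  ["pdf", [0x25, 0x50, 0x44, 0x46, 0x2d]],                   // "%PDF-"
  ["png", [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  ["jpg", [0xff, 0xd8, 0xff]],
]);

// Return the allowlisted type whose signature the bytes start with, or null.
function sniffType(bytes) {
  for (const [type, sig] of SIGNATURES) {
    if (bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b)) return type;
  }
  return null;
}

// Accept an upload only if size, claimed extension and actual content all agree.
function validateUpload(filename, bytes) {
  if (bytes.length === 0) return { ok: false, reason: "empty" };
  if (bytes.length > MAX_BYTES) return { ok: false, reason: "too-large" };

  const dot = filename.lastIndexOf(".");
  const raw = dot > 0 ? filename.slice(dot + 1).toLowerCase() : "";
  const ext = raw === "jpeg" ? "jpg" : raw;
  if (!SIGNATURES.has(ext)) return { ok: false, reason: "extension-not-allowed" };

  const detected = sniffType(bytes);
  if (detected === null) return { ok: false, reason: "unrecognized-content" };
  if (detected !== ext) return { ok: false, reason: "content-extension-mismatch", detected };
  return { ok: true, type: detected };
}

// Constructed sample inputs (not real documents).
const bytesOf = (s) => Uint8Array.from(s, (c) => c.charCodeAt(0));
const SAMPLE_PDF = bytesOf("%PDF-1.7\n1 0 obj\n");
const SAMPLE_PNG = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0]);
const SAMPLE_EXE = bytesOf("MZ\x90\x00\x03"); // Windows executable header

console.log(validateUpload("w2.pdf", SAMPLE_PDF));      // accepted as pdf
console.log(validateUpload("invoice.pdf", SAMPLE_EXE)); // executable renamed to .pdf
console.log(validateUpload("scan.pdf", SAMPLE_PNG));    // image with the wrong extension
```

A leading-signature check is a first filter only: a file can begin with valid PDF bytes and still carry unwanted content, so it complements rather than replaces scanning and safe handling downstream.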

Audit trail & monitoring

Complete audit log

Every document upload, download, comment, review, and status change is logged with a timestamp and actor. You always know who did what and when.

Activity notifications

Real-time in-app and optional desktop notifications alert you when clients upload documents or when your agent reviews items — so nothing falls through the cracks.

Transaction history

A full timeline of every action is available on each transaction. This creates an auditable record for compliance and dispute resolution.

Privacy & compliance

Data minimization

We collect only what's necessary to operate the service. We don't sell user data, don't run ads, and don't share documents with third parties.

CCPA ready

California residents can request access to, deletion of, or information about their personal data. We honor all CCPA data subject requests.

GLBA aware

Many of our customers — accountants, mortgage brokers, financial advisors — are subject to the Gramm-Leach-Bliley Act. Our security controls are designed to help them meet their obligations.

Compliance roadmap

We're committed to continuously raising the bar. Here's what's on our roadmap:

Planned

SOC 2 Type II (Application)

Pursuing our own SOC 2 Type II certification to provide customers with independent assurance of our security controls.

Planned

GDPR compliance

Full GDPR compliance for customers with European clients, including data processing agreements and EU data residency options.

Future

Penetration testing

Engaging third-party security firms for regular penetration testing and publishing summary results.

Questions about security?

We take security seriously and are happy to discuss our practices in detail.