Security & privacy

Security isn't a feature. It's the foundation.

Your documents are some of the most sensitive things you own. We take that seriously: Stoatify is built privacy-first at the architecture level, so your files stay yours, whether you are one person or a whole company.

  • Encrypted in transit
  • Private by architecture
  • No ads, ever
  • No training on your data

How we protect your documents

Six principles, enforced in code.

Not promises in a policy. These are properties of how the system is built.

Proxied, never exposed

The browser never talks to object storage. Every byte flows through the API behind your authenticated session, with server-side credentials. Buckets stay fully private, with no public or pre-signed URLs to leak.

Visible only to the right people

Your identity is verified on every single request. A document you are not allowed to see returns a 404, not a 403, so your vault never reveals even that something exists.

Encrypted in transit and at rest

Everything moves over TLS. Files rest in encrypted object storage, and sensitive secrets like IMAP passwords are sealed with authenticated encryption before they are ever stored.

Private by default, always

No ads. We never sell your data and never train AI on your documents. Privacy is the default state of the product, not a switch you have to find and turn on.

Scoped, revocable AI access

Text extraction (OCR) runs on-device, so document contents are not shipped off for processing. Assistants connect through short-lived, scoped capabilities you can revoke at any time.

You hold the keys to your data

Export or permanently delete everything whenever you want. Deleted items are purged on a fixed schedule, and a revoked share or trashed file stops resolving immediately.

The central design choice

Your files never touch the open internet.

Most apps hand your browser a direct link to a storage bucket. Stoatify does not. Every upload, preview and download is proxied through the API behind your authenticated session, with storage credentials that only the server holds.

  • No public or pre-signed storage URLs to guess, share or leak
  • Storage keys are never sent to the browser
  • Previews and downloads use short-lived, single-document tokens
  • A trashed file or revoked link stops resolving immediately

The Stoatify vault, with every file served through the authenticated API

Built for everyone

Whether it is just you, or your whole team.

The same secure foundation, with the controls each of you needs.

For you

Your passports, taxes, medical records and receipts belong to you and no one else. Stoatify keeps them that way.

  • Your personal vault is private to you by default
  • OCR runs on your device; contents are not sent away to be read
  • No ads, no data selling, no training on your documents
  • Password-protected, expiring share links for a single file or a whole saved search, revocable any time
  • Encrypted in transit, stored behind your login
  • Export or delete everything, on your schedule

For your team

Give the right people the right access, prove who can touch what, and bring your own identity provider.

  • Strict per-organization isolation: another tenant's data returns a 404, so existence is never leaked
  • Role-based access control with a full permission matrix
  • Per-document and per-folder permissions; share by exception
  • Groups for granting access to whole teams at once
  • SSO / SAML / OIDC with your identity provider
  • Scoped, revocable AI access and an activity audit trail
  • HMAC-signed webhook payloads, delivered through an SSRF-guarded sender

Access control: members, roles, groups and per-document permissions
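An added Python example (not Stoatify's code) of the last item in the list above: HMAC-signing a webhook body and refusing destinations that resolve to private, loopback, link-local or otherwise non-public addresses before anything is sent. The secret, the header names and the injectable resolver are this example's own assumptions.

```python
import hashlib
import hmac
import ipaddress
import json
import socket
from urllib.parse import urlsplit

WEBHOOK_SECRET = b"example-webhook-secret"  # assumption: a per-subscription secret

# CGNAT space is neither "private" nor "global" in ipaddress, so refuse it explicitly.
_CGNAT = ipaddress.ip_network("100.64.0.0/10")

def sign_payload(body: bytes, timestamp: int) -> str:
    """HMAC-SHA256 over "<timestamp>.<body>" so receivers can verify origin and bound replays."""
    return hmac.new(WEBHOOK_SECRET, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()

def verify_signature(body: bytes, timestamp: int, signature: str) -> bool:
    """Receiver side: constant-time comparison against a recomputed signature."""
    return hmac.compare_digest(sign_payload(body, timestamp), signature)

def _is_public(ip) -> bool:
    return not (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
                or ip.is_reserved or ip.is_unspecified or ip in _CGNAT)

def check_destination(url: str, resolver=None) -> bool:
    """SSRF guard: https only, no userinfo, and every resolved address must be public."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname or parts.username or parts.password:
        return False
    if resolver is None:  # default: real DNS; tests inject a constructed resolver
        resolver = lambda host: [ai[4][0] for ai in socket.getaddrinfo(host, 443)]
    try:
        addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    except (socket.gaierror, ValueError):
        return False
    return bool(addrs) and all(_is_public(a) for a in addrs)

def prepare_delivery(url: str, event: dict, timestamp: int, resolver=None):
    """Return (body, headers) for a guarded send, or None if the destination is refused.
    The header names are this example's own choice, not Stoatify's."""
    if not check_destination(url, resolver):
        return None
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    headers = {"X-Webhook-Timestamp": str(timestamp),
               "X-Webhook-Signature": "sha256=" + sign_payload(body, timestamp)}
    return body, headers
```

Validating the address in the guard and then letting the HTTP client resolve the name again leaves a DNS-rebinding window; connect to the address you validated and refuse redirects.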

Access control

Everyone sees exactly what they should.

Documents are shared across an organization by default and restricted by exception. Assign built-in or custom roles, group people by team, and lock any document or folder down to specific people when it is sensitive.

  • A full role-based permission matrix across every object type
  • Per-document and per-folder access lists, with owner bypass
  • SSO / SAML / OIDC so sign-in stays centralized
  • Immutable version history: every re-upload is kept, and any prior version restores in a click
  • A complete field-level audit trail and an org-wide activity feed of who changed what, and when
  • An organization audit log of administrative actions, plus configurable Trash retention you control

AI, on your terms

Smart, without giving your documents away.

The text extraction that powers search runs on-device, so the contents of your scans never leave your host to be read. When you connect an AI assistant, it gets a narrow, revocable key, not the run of your vault.

  • On-device OCR: document contents are not shipped off for processing
  • We never train AI models on your documents
  • Assistants connect over MCP with short-lived, scoped capabilities
  • Revoke access at any time; trashing a file cuts it off instantly

Connect an AI assistant with scoped, revocable access over MCP

Under the hood

The engineering behind the promise.

Verified identity

Sign-in is handled by a dedicated identity provider (Clerk). Tokens are verified on every request with no network round-trip, and refreshed automatically on key rotation.

Short-lived capabilities

Previews and downloads use signed, time-boxed tokens scoped to a single document. They are re-checked live against the database, so they die the instant a file is trashed or a link is revoked.
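The token flow described here and under "The central design choice" above, as an added Python example that is not Stoatify's code: a signed, time-boxed token bound to one document and one user, re-checked against a (here in-memory, constructed) document table on every resolve so that a trashed file stops resolving at once, and answered with 404 rather than 403 on every failure. The secret and the claim names are this example's own assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json

SERVER_SECRET = b"example-signing-secret"  # assumption: held only by the server

# Constructed stand-in for the documents table; "status" is consulted on every resolve.
DOCUMENTS = {
    "doc-123": {"owner": "user-a", "status": "active"},
    "doc-456": {"owner": "user-a", "status": "active"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(doc_id: str, user_id: str, ttl_s: int, now: float) -> str:
    """Mint a signed, time-boxed token bound to one document and one user."""
    claims = {"doc": doc_id, "sub": user_id, "exp": int(now) + ttl_s}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def trash_document(doc_id: str) -> None:
    """Simulates the user trashing a file; outstanding tokens must stop working at once."""
    DOCUMENTS[doc_id]["status"] = "trashed"

def resolve(token: str, doc_id: str, user_id: str, now: float) -> int:
    """Return the HTTP status the content endpoint would answer: 200 to stream, else 404."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return 404
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return 404  # forged or tampered token
    claims = json.loads(payload)
    if claims["exp"] < now or claims["doc"] != doc_id or claims["sub"] != user_id:
        return 404  # expired, or presented for a different document or user
    doc = DOCUMENTS.get(doc_id)  # live re-check against the database
    if doc is None or doc["status"] != "active" or doc["owner"] != user_id:
        return 404  # never 403: existence is not revealed
    return 200
```

The signature only proves the server minted the token; it is the live lookup that makes trashing and revocation take effect immediately.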

Abuse resistant

Upload size is capped at the edge, and uploads, link resolves and content streams are rate limited. Share-link passwords are bcrypt-hashed and compared in constant time.

Reviewed by design

The access boundary has been through independent adversarial review. Every document query is scoped server-side, and storage keys are never exposed to clients.

Your data, your call

You can always take it back.

Lock-in is not a security strategy. Your documents are yours to leave with, or to erase, at any moment.

Export anytime

Download your originals whenever you want. Nothing is held hostage.

Delete for real

Permanently remove documents; deleted items are purged from storage on a fixed schedule.

No surprises

No ads, no selling your data, no training AI on your documents. Ever.

Found something? We welcome responsible disclosure at security@stoatify.com.

Documents you can finally trust to one place.

Private by architecture, secure by default. Start free in under a minute.

No credit card required