Our Security Philosophy
LinkVault is a secure file delivery platform where clients preview first and unlock the final files only after payment. Because we bridge the gap between creative deliverables and financial compensation, we take a zero-trust approach to client delivery.
We built our infrastructure around a principle of layered, enterprise-grade controls. Each layer — encryption, access gating, viewer protections, and audit trails — independently reduces risk. This is the exact opposite of sending an email attachment.
Encryption
Data at Rest
All uploaded files are encrypted using AES-256-GCM before being written to disk. Encryption keys are managed server-side and are never exposed to end users or viewer sessions. Files are decrypted on-the-fly only when served through the authenticated viewer.
Data in Transit
All communication between your browser and LinkVault servers is encrypted via HTTPS (TLS 1.2+). This includes file uploads, viewer sessions, API calls, and webhook deliveries.
Payment Data
Payment processing is handled entirely by Stripe (PCI DSS Level 1). LinkVault never stores, processes, or has access to full credit card numbers.
Access Controls
LinkVault provides multiple access control layers that you can combine based on document sensitivity:
- Password Protection — Require a password before the viewer loads. Share the link and the password via separate channels for best security.
- Email OTP Verification — Require recipients to verify their identity via a one-time code sent to their email (Professional+ plans).
- Domain Whitelisting — Restrict access to specific email domains (e.g., @company.com) for enterprise deals.
- Approval Workflows — Require your explicit approval before any visitor can view. You review and grant each access request.
- Expiration Dates — Set links to auto-expire after a specific time window (1 hour to 30 days).
- View Limits — Restrict the number of times a link can be opened (single-view links).
- Session Time Limits — Control how long a single viewing session can last before re-authentication.
Viewer Protections
The LinkVault viewer is designed to make viewing the default outcome, not downloading. It implements multiple layers of anti-capture technology:
Anti-Download
- Inline rendering — Documents are rendered inside the browser viewer, not served as direct file downloads.
- No direct file URLs — Content is served through authenticated, session-bound API endpoints with HMAC-signed cookies. There are no public URLs pointing to raw files.
- Right-click disabled — Context menus are suppressed to reduce casual save-as actions.
- Drag-and-drop disabled — All media elements (images, canvas, video, audio, SVG) have drag events blocked.
Anti-Print
- Ctrl+P / Cmd+P blocked — The keyboard shortcut is intercepted and suppressed before the browser can respond.
- beforeprint event handler — If the browser print dialog is triggered by any means (menu, extensions), the page content is hidden immediately.
- CSS @media print — Multiple layers of CSS rules ensure a blank page if printing somehow proceeds.
- Dynamic CSS injection — Anti-print styles are injected into the DOM at runtime and re-injected automatically if removed (via MutationObserver).
Anti-Screenshot
- PrintScreen intercepted — Content is blurred and the clipboard is cleared.
- Win+Shift+S / Cmd+Shift+3/4/5 blocked — OS-level screenshot shortcuts trigger an immediate content blur.
- Tab/window blur detection — Content is obscured when the viewer tab loses focus or the window is minimized.
- Generic keypress blur — Any unrecognized keypress temporarily hides content for 500ms as a catch-all defense.
- Dynamic watermarks — IP address, timestamp, or custom text overlays create traceability for any captured content.
Anti-Tampering
- DevTools detection — The viewer monitors for open browser developer tools (via window size analysis and console inspection) and blurs content when detected.
- Canvas API override — HTMLCanvasElement.toDataURL() and .toBlob() are overridden to return blank data when called by external scripts, preventing programmatic screenshot capture.
- MutationObserver DOM protection — A persistent observer watches for removal or modification of security elements (anti-print CSS, watermark overlays) and re-injects them immediately if tampered with.
- Clipboard clearing — The system clipboard is cleared after every key event to remove any captured content.
Anti-Copy
- Ctrl+C / Cmd+C blocked — Copy shortcuts are intercepted and the clipboard is wiped.
- Document-level copy event handler — All copy events are caught and neutralized.
- Text selection disabled — CSS user-select: none is enforced on all non-input elements.
- Keyboard shortcuts blocked — Ctrl+S (save), Ctrl+U (view source), F12 (DevTools), and Ctrl+Shift+I/J/C are all intercepted.
What LinkVault Protects — and What It Does Not
We believe transparency builds more trust than marketing claims. Here is an honest breakdown:
✅ What LinkVault effectively prevents
- Direct file downloads — Viewers cannot download the original file without authorization (or payment).
- Casual right-click saves — Standard browser save mechanisms are suppressed.
- Unauthorized access — Layered access controls ensure only intended recipients can view.
- Indefinite access — Expirations and view limits automatically end access windows.
- Untracked sharing — Every view is logged with IP, timestamp, location, and device.
⚠️ What LinkVault deters but cannot guarantee prevention
- Screenshots and screen recording — Any content visible in a browser can be captured. Watermarks and short sessions reduce the incentive and value of captures.
- Photography of screens — A phone camera pointed at a monitor bypasses all software controls. Watermarks provide traceability.
- Determined technical users — Browser developer tools and network inspection can sometimes extract rendered content. LinkVault adds friction, but a sufficiently motivated and technical recipient may find ways around viewer restrictions.
The goal is not perfection — it is raising the cost of misuse high enough that it is not worth the effort for the vast majority of recipients. For most professional use cases, this is sufficient.
Webhook Security
All outgoing webhooks (Slack, Discord, Generic URL) support HMAC-SHA256 signing. When you configure a signing secret, every webhook payload includes an X-LinkVault-Signature header that you can verify server-side to ensure the payload was not tampered with.
Webhook payloads are delivered over HTTPS and include structured JSON with event type, link metadata, and (for purchase events) transaction details.
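A receiver-side check for the signing described above, as an added example that is not LinkVault's own code. It assumes the X-LinkVault-Signature value is the lowercase hex HMAC-SHA256 of the exact raw request body, which the page does not specify; the secret, event name and payload fields are constructed for illustration.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-LinkVault-Signature"  # header name taken from the page


def sign(secret: bytes, raw_body: bytes) -> str:
    """Assumed scheme: lowercase hex HMAC-SHA256 over the exact raw body bytes."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes) -> bool:
    """Return True only if the signature header matches the raw body."""
    # HTTP header names are case-insensitive; normalise before lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER.lower())
    if not received:
        return False  # unsigned delivery: reject rather than fall through
    expected = sign(secret, raw_body)
    # compare_digest avoids leaking the position of the first mismatch via timing.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


def handle_delivery(secret: bytes, headers: dict, raw_body: bytes):
    """Verify first, parse second: never json.loads() an unauthenticated body."""
    if not verify_webhook(secret, headers, raw_body):
        return 401, None
    return 200, json.loads(raw_body)


# Constructed sample delivery (field names are illustrative, not LinkVault's schema).
SECRET = b"constructed-signing-secret"
BODY = b'{"event": "link.purchased", "link_id": "demo-123", "amount": 4900}'
HEADERS = {SIGNATURE_HEADER: sign(SECRET, BODY)}

if __name__ == "__main__":
    print(handle_delivery(SECRET, HEADERS, BODY))                         # accepted
    print(handle_delivery(SECRET, HEADERS, BODY.replace(b"4900", b"1")))  # tampered
    # Re-serialising the JSON changes the bytes, so the signature no longer matches.
    reserialised = json.dumps(json.loads(BODY), indent=2).encode()
    print(verify_webhook(SECRET, HEADERS, reserialised))
    print(handle_delivery(SECRET, {}, BODY))                              # header missing
```

Verify against the bytes as received from the socket; many web frameworks hand the handler an already-parsed body, and signing a re-serialised copy will fail even for genuine deliveries.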
Infrastructure
- Data Residency — Our primary infrastructure and file storage are hosted on IONOS servers located in the EU.
- Backups & Recovery — We perform automated daily backups of our database to ensure data integrity. Backups are encrypted and retained for 30 days.
- HTTPS everywhere — All endpoints enforce TLS encryption.
- Secure session management — Authentication uses HTTP-only, secure, SameSite cookies.
- Rate limiting — API endpoints are rate-limited to prevent brute force and abuse.
- Input validation — All user inputs are validated and sanitized server-side.
- CORS policies — Cross-origin requests are restricted to authorized domains.
- Dependency management — Dependencies are regularly updated and monitored for known vulnerabilities.
Compliance & Privacy
GDPR
LinkVault processes data in accordance with GDPR principles. Users can request data export or deletion. See our Privacy Policy for complete details.
PCI DSS
Payment processing is fully delegated to Stripe (PCI DSS Level 1 certified). LinkVault does not store, process, or transmit cardholder data.
Data Retention
Uploaded files and link metadata are retained while your links are active or until you delete them. Account data is retained while your account is active. Support communications are retained for service purposes.
Vulnerability Disclosure Policy
If you discover a security vulnerability, we ask that you report it responsibly to:
We take all reports seriously and aim to triage issues within 48 hours. We request a standard 30-day responsible disclosure window to allow us to patch the vulnerability before any public disclosure.