Security at QikDrive

Your files are private, encrypted, and deleted automatically. Here's exactly how we keep them that way.

How we protect your files

Encrypted in transit

Every byte between your browser and our servers is protected by TLS 1.3. Connections that don't meet this standard are refused.

Encrypted at rest

Files are stored using AES-256 server-side encryption on Cloudflare R2. Encryption keys are managed by Cloudflare and never exposed.

Data stays in India

All file storage is within India. We do not replicate your data to servers outside the country. This aligns with India's data localisation expectations.

Zero content access

We do not read, scan, or access the contents of your files. Files are treated as opaque binary blobs — only you and your recipient can open them.

Password protection

Add a password to any transfer. Passwords are hashed with bcrypt before storage — we cannot recover or read your password. Brute-force attempts are rate-limited.

Auto-expiry & deletion

Every transfer has an expiry date. When it hits, files are permanently and irreversibly deleted from our storage. No soft-deletes, no lingering copies.

Download limits

Pro users can cap how many times a file can be downloaded. Once the limit is reached, the link deactivates automatically.

Abuse prevention

Transfers can be reported for illegal or harmful content. Reported transfers are reviewed and removed. Repeat offenders are blocked.

Engineering practices

  • HTTPS enforced on all endpoints — no HTTP fallback.
  • Authentication tokens are short-lived JWTs signed by Supabase Auth.
  • All API routes verify the caller's identity server-side before touching any data.
  • Row-level security (RLS) is enabled on all database tables — the anon key has zero read access.
  • Service-role keys are server-only and never sent to the browser.
  • Presigned R2 URLs are scoped to individual files and expire in minutes.
  • No third-party JavaScript with access to file data or auth tokens.
  • Dependency updates and security advisories are reviewed regularly.

File lifecycle

1. Upload

Files are chunked in the browser and uploaded in parallel directly to Cloudflare R2 via short-lived presigned URLs. No file data passes through our API servers.

2. Storage

Chunks are assembled and stored encrypted at rest in a private R2 bucket in India. The bucket has no public access — files are only reachable via presigned download URLs.

3. Download

When a recipient clicks a download link, our API verifies the transfer is active, generates a presigned GET URL valid for a short window, and redirects the browser. No file data passes through our servers.

4. Expiry

At expiry, a background job permanently deletes all files from R2 storage and marks the transfer inactive. The link returns 410 Gone immediately after.

Found a security issue?

We take vulnerability reports seriously. Please disclose responsibly by emailing security@qikdrive.com. We aim to respond within 48 hours and will credit researchers who report valid issues.
