The Client Space was built from the ground up to protect sensitive files and client information. Every layer of the platform — from how data is stored to how it's accessed — is designed with security in mind.
Infrastructure
Enterprise-grade providers, zero self-managed servers.
Your data is hosted on the same infrastructure trusted by Fortune 500 companies. We don't run our own servers — we rely on industry-leading providers so you get enterprise security without enterprise complexity.
- Database: Hosted on Supabase (powered by AWS), encrypted at rest with AES-256 and in transit with TLS 1.2+
- File storage: Cloudflare R2, with encryption at rest and 99.999999999% durability (eleven 9s)
- Application hosting: Vercel's global edge network with automatic HTTPS on every connection
- Payments: Stripe, PCI DSS Level 1 certified — credit card details never touch our servers
All providers maintain SOC 2 Type II certification or equivalent.
Data Isolation
Your data is yours. No exceptions.
Every account on The Client Space is completely isolated from every other account at the database level. This isn't just application logic — it's enforced by row-level security policies directly in the database.
- Each tenant's data is partitioned by a unique identifier
- Clients within a tenant can only see their own files and forms
- Staff can only access data within their organization
- File storage keys include tenant and client identifiers, preventing cross-account access
Authentication & Access Control
Multiple layers between your data and unauthorized access.
- Strong password requirements (8+ characters, mixed case, numbers, special characters)
- Multi-factor authentication (TOTP) available for all users — admins, staff, and clients
- MFA can be enforced organization-wide from your settings
- Role-based access control: admins, staff, and clients each see only what they need
- Secure session management with automatic expiry
- Invitation-based onboarding with time-limited tokens (no open registration)
File Security
Secure from upload to download.
- Files are validated on upload: type, size, and content are verified before storage
- Download links are signed and expire automatically after 15 minutes
- SVG files are forced to download (never rendered inline) to prevent scripting attacks
- Images are scanned for harmful content using automated content safety systems
- File versioning preserves previous versions so nothing is accidentally lost
Application Security
Proactive protection, not just reactive.
- Content Security Policy (CSP) headers prevent cross-site scripting
- CSRF protection on every form and API request
- Rate limiting on authentication and administrative endpoints
- Input validation and sanitization on all user-facing endpoints
- Unicode normalization to prevent filename spoofing attacks
- Regular security audits with findings tracked to resolution
Encryption
Encrypted everywhere, always.
| | At Rest | In Transit |
|---|---|---|
| Database | AES-256 | TLS 1.2+ |
| Files | AES-256 | TLS 1.2+ |
| Backups | AES-256 | TLS 1.2+ |
| Passwords | Salted + hashed (never stored in plaintext) | TLS 1.2+ |
Privacy & Compliance
Built with GDPR in mind.
- Cookie consent with granular control (essential vs. analytics)
- Google Analytics runs in Consent Mode v2 — no tracking without explicit consent, IP addresses anonymized
- End users can download all their personal data from their account settings
- End users can request account deletion, fulfilled within 30 days
- Sub-processors documented in our Privacy Policy
- Data Processing Agreements in place with all vendors
- Data retention periods defined and enforced — see our Data Retention page
Monitoring & Availability
Always on, always watched.
- Platform uptime monitored continuously with automated alerting
- All file operations (uploads, downloads, deletions) are logged for audit trails
- Incident response plan with defined severity levels and response times
- Hosted on Vercel's edge network with 99.99% uptime infrastructure
Questions?
If you have security questions or need additional details for your organization's vendor review, contact us at [email protected].
We're happy to provide additional documentation upon request.