Security at drpr

Files uploaded to drpr are stored on Cloudflare R2 infrastructure. Storage region: Western Europe (WEUR) — Cloudflare R2.

If your organisation requires data to remain within a specific geography, contact us at security@drpr.host to discuss regional configuration.

• HTTPS everywhere

  All traffic is encrypted with TLS 1.2+. HSTS with a 2-year policy and preload ensures browsers enforce HTTPS before the first request leaves the device.

• Encryption at rest

  Files stored on Cloudflare R2 are encrypted at rest with AES-256. Database data on Supabase is encrypted at rest by default.

• API key hashing

  API keys are hashed with SHA-256 before being stored. We never store them in plaintext — if our database were compromised, raw keys would not be exposed.

• Password protection per project

  Any project can be gated with a password. Failed attempts are rate-limited to 5 per hour per IP — further attempts trigger a 1-hour lockout.

• API key authentication

  Programmatic access requires a Bearer token scoped to your account. Keys can be revoked instantly from the dashboard.

• Rate limiting

  Anonymous uploads are limited to 3 per 24 hours per IP. API endpoints enforce per-key rate limits to prevent abuse.

• Row-Level Security

  Every database query runs through Supabase Row-Level Security policies. Users can only read or write their own data — enforced at the database layer, not just the application layer.

• SSO with Google Workspace

  Links can be restricted to specific Google Workspace domains. Authentication is handled entirely by Google — drpr never sees passwords or credentials.

• Access revocation

  Revoking a user's Google Workspace account immediately invalidates their access to all SSO-gated drpr links. No manual step required.

• Domain-scoped sharing

  When you publish a link with SSO enabled, only email addresses within your Google Workspace domain can open it.

• No account required

  You can upload and share files with zero personal information. Anonymous uploads are managed via a site token — we never associate them with an identity.

• Links are private by design

  Uploaded files are not indexed by search engines and URLs are not guessable. Only people you share the link with can access your files.

• Retention & deletion

  Free-tier files are automatically deleted after 14 days. Paid plan files are retained until you delete them or close your account. You can delete any project instantly from your dashboard.

• Privacy-first analytics

  drpr uses Cloudflare Web Analytics — a cookieless, GDPR-compliant analytics tool. No personal data is collected, no cookies are set, and no data is shared with third parties like Google.

• No data selling

  We do not sell your data to any third party. Full details in our Privacy Policy.

• Data Processing Agreement

  Organisations subject to GDPR can request our standard Data Processing Agreement (DPA) by emailing security@drpr.host. You can also view our standard DPA.

• No code execution

  Uploaded files are served as static assets only — nothing is executed on our servers. HTML, JavaScript, and other files are delivered directly to the browser as-is.

• Abuse reporting

  Anyone can report content that violates our Terms of Service at drpr.host/report. Reports are reviewed and actioned promptly.

• Prohibited content

  CSAM, malware, phishing, and illegal content are strictly prohibited and result in immediate removal and account termination. See our Terms of Service for the full acceptable use policy.

We monitor drpr.host and core services continuously. Incidents, scheduled maintenance, and historical uptime are published publicly.

Found a vulnerability? Please tell us before anyone else. We respond within 48 hours and we do not pursue legal action against good-faith security researchers.

Email us at security@drpr.host. Our machine-readable disclosure policy is available at /.well-known/security.txt.