Security
What Matterkeep actually does to protect access, files, and firm records. No certification claims, no vague reassurance.
How Matterkeep protects access
Firm-scoped data. All requests, documents, and files are scoped to a specific firm workspace. Matterkeep checks firm membership before returning any data or file, and scopes every database query to the authenticated firm. Requests from one firm cannot retrieve data belonging to another.
Session authentication. Firm staff sign in with email and password. Passwords are hashed using scrypt with a random salt. Sessions are stored in the database and expire after 7 days. Sessions are invalidated immediately on sign-out or account disablement.
Email verification. Firm users must verify their email before creating requests, uploading documents, reviewing submissions, or generating client portal links.
Admin-only controls. Team management, activity logs, and portal link controls are restricted to firm administrators. Staff members can view and act on requests but cannot change team roles or access audit records.
Security headers. All pages set Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: no-referrer, and Permissions-Policy. HSTS is enforced in production. Portal and API responses are not cached.
CSRF protection. State-changing API requests require a CSRF token validated via timing-safe comparison. Client portal uploads use header-based token authentication in place of CSRF.
Rate limiting. Sign-in, sign-up, and mutation routes are rate-limited. If rate-limit infrastructure (Upstash Redis) is unavailable in production, protected routes fail closed and return 503 rather than allowing unlimited requests.
How client upload links work
Token generation. Each client upload link contains a 256-bit random token generated with a cryptographically secure random number generator. There are 2^256 possible values, so guessing a valid token is computationally infeasible.
Token storage. Tokens are SHA-256 hashed before storage. The original token is never written to the database. Comparison during validation uses timing-safe equality to prevent timing side-channel attacks.
Expiry. Links expire 14 days after issue by default. Expired links are rejected before any request data is returned.
Disabling. Firm administrators can disable a portal link at any time. A disabled link immediately blocks uploads, file access, and portal page rendering, even if the token has not yet expired.
Completion gate. Requests marked Complete no longer accept client uploads, even through a valid, non-expired, non-disabled link.
Scope. Each portal token is tied to a single request. The application validates the token against that specific request before returning any data. A token issued for one request does not grant access to other requests or other firms' records.
Private routes excluded from search engines. Portal, firm, API, and auth routes are blocked in robots.txt and set to no-index in page metadata. Client links do not appear in search results.
How files are stored and served
Storage provider. In production, files are stored in Cloudflare R2 using Matterkeep application credentials. The product does not expose direct object links for uploaded files.
Authenticated access. Every file download goes through an application route that validates either the firm user's session or the client's portal token before streaming the file. The portal token must be provided in a request header, not a URL query parameter, so it does not end up in server logs, browser history, or Referer headers.
Unpredictable storage keys. File storage keys are randomly generated UUIDs. Original filenames are stored separately in the database and are not used as storage keys. Guessing a storage key is not feasible.
Upload validation. Uploaded files are checked for supported extension, declared MIME type, extension-to-MIME consistency, and actual binary content (magic bytes). Files that do not match their claimed type are rejected before storage. Accepted types: PDF, PNG, JPG/JPEG. Maximum size: 10MB.
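The four upload checks and the size cap described above, as an added example in Node that is not Matterkeep's own code. The magic-byte prefixes are the standard file signatures for PDF, PNG and JPEG; the function name and result strings are assumptions for illustration.

```javascript
// Added example (not Matterkeep's code): upload validation for the accepted
// types (PDF, PNG, JPG/JPEG) with the 10MB cap described above.
const MAX_BYTES = 10 * 1024 * 1024;

// Supported extension -> the one MIME type it may be declared with.
const EXT_TO_MIME = {
  pdf: 'application/pdf',
  png: 'image/png',
  jpg: 'image/jpeg',
  jpeg: 'image/jpeg',
};

// MIME type -> leading bytes (file signature) a genuine file must start with.
const MAGIC = {
  'application/pdf': Buffer.from('%PDF-'),
  'image/png': Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  'image/jpeg': Buffer.from([0xff, 0xd8, 0xff]),
};

// Returns 'ok' or the name of the first check the upload fails. The checks
// run in the order the page lists them: extension, declared MIME type,
// extension-to-MIME consistency, then actual content. Size is checked first
// so oversized uploads are rejected before any content inspection.
function validateUpload(filename, declaredMime, data) {
  if (data.length > MAX_BYTES) return 'too-large';
  const ext = (filename.split('.').pop() || '').toLowerCase();
  const expectedMime = EXT_TO_MIME[ext];
  if (!expectedMime) return 'unsupported-extension';
  if (!Object.values(EXT_TO_MIME).includes(declaredMime)) return 'unsupported-mime';
  if (declaredMime !== expectedMime) return 'extension-mime-mismatch';
  const magic = MAGIC[expectedMime];
  // A file renamed to a permitted extension fails here: its bytes do not
  // match the signature of the type it claims to be.
  if (data.length < magic.length || !data.subarray(0, magic.length).equals(magic)) {
    return 'content-mismatch';
  }
  return 'ok';
}
```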
Encryption at rest. File encryption at rest is provided by Cloudflare R2's infrastructure. Matterkeep does not add a separate application-level encryption layer on top of provider encryption.
Previous file versions. When a client uploads a replacement file, the previous version is retained in storage and marked inactive. It is not deleted.
What activity is logged
Matterkeep records the following events in a firm-scoped activity log accessible to firm administrators:
- Sign-in success and failure (IP address recorded; the attempted email is not stored in failure messages)
- File uploads (success and rejection, with filename)
- File downloads
- Review decisions: approve and request changes, with notes
- Portal link generated, regenerated, and disabled
- Request and document status changes
- Access denied events
- Rate limit events
- Email send and failure events
- Team role changes
Each event records the action type, outcome, IP address, timestamp, and the user who performed the action where applicable.
Current limits
No malware or virus scanning. Files are validated for format and binary content, but Matterkeep does not run antivirus scanning. Staff review is the primary safeguard before a document is accepted.
No self-serve export or deletion. Firms cannot currently export their data or delete individual files, requests, or accounts through the product interface. These operations require contacting Matterkeep directly.
Activity log is not tamper-proof. The log is a standard database record. It is useful for operational review. It is not cryptographically signed and does not constitute a legally certifiable audit trail.
Data residency is not guaranteed. File storage region and database hosting region depend on how the deployment is configured. If your firm has specific data residency requirements, confirm the deployment configuration before onboarding sensitive client documents.
No compliance certification. Matterkeep is not certified under SOC 2, ISO 27001, HIPAA, or any other compliance framework. It is a pilot-stage product with practical controls in place.
Reporting a security issue
If you find a vulnerability or security concern in Matterkeep, contact us at security@getmatterkeep.com. We take security reports seriously and will respond promptly.