How your records are encrypted
- In transit — all traffic between you and LtdRecord is encrypted (TLS).
- At rest, with a key unique to your company. Every signed PDF and uploaded evidence file is sealed with AES-256-GCM under a data key that belongs to your company alone, and that key is itself stored encrypted (envelope encryption). A leak of the storage layer would yield ciphertext, not your records.
- Deletion destroys the key. Deleting a company — or your whole account — destroys its encryption key, so even a stray copy of a stored file becomes unreadable.
- What we don’t claim. LtdRecord generates and renders your documents on our servers, so our systems hold the keys — this is not end-to-end encryption, and we won’t pretend otherwise. What we promise is narrower and true: per-company keys, no admin screen that browses your files, and deletion that means it.
Access to your data
- Passwordless sign-in. You log in with a short-lived one-time code sent to your email. There are no passwords to steal, and code entry is rate-limited against guessing.
- Every request is ownership-checked. Records, files, previews, and exports are only ever served to the signed-in account that owns them — enforced on the server for every byte, not hidden in the interface.
- Records you email can only go to your own address or the accountant saved in your settings — the send path can’t be used to relay mail elsewhere.
Where your data lives
- All traffic is encrypted in transit (TLS).
- Structured data (account, company, records) lives in a managed Postgres database (Neon) with automated backups.
- Signed PDFs and uploaded evidence live in private object storage (Cloudflare R2), encrypted with your company’s key as above — objects are never publicly addressable and are only served through the ownership checks above.
- Card details never touch our servers — payments are handled by Stripe.
Abuse resistance
- Rate limits on sign-in, document generation, uploads, and email sending.
- Upload limits and file-type allowlisting on evidence files.
- Document previews are watermarked and rendered server-side; the underlying templates never ship to the browser.
Reporting a vulnerability
If you believe you’ve found a security issue, please email info@9s-labs.com with enough detail to reproduce it. We’ll acknowledge within two working days, keep you informed, and won’t take action against good-faith research.