Trust & Security

Built for sensitive life-admin

CertaNest is built around private, user-owned document workflows. This page is an honest beta transparency draft and should receive legal and security review before wider public launch.

We describe only safeguards that are actually implemented. Where a protection has limits, we say so plainly below.

How CertaNest protects your data

Encrypted at rest

Uploaded files are encrypted at rest. CertaNest decrypts a file only after its permission checks pass.

Owner-scoped access

Documents, files, reminders, checklists, application packs, exports, and account controls are scoped to the signed-in user.

Selected-item sharing

Sharing exposes only the items you choose. Your wider vault is never shared by default.

Expiry & revocation

Shares and emergency access can expire and be revoked. Revoked or expired access is blocked server-side.

Hashed access codes

Optional access codes for shared items are stored hashed, never in plain text, and verified on the server.

Secret-free exports

Structured exports include document metadata and summaries, not raw storage paths or share access codes.

Honest limitations

Watermarking can help discourage misuse, but no web app can fully prevent screenshots on every device.
Public links remain useful only because of the protections you set — use expiry, revocation, and access codes appropriately.
Do not store full card numbers or banking credentials in CertaNest.
Do not paste passwords or access codes into feedback or support messages.
CertaNest does not provide legal, medical, immigration, tax, or financial advice.

What CertaNest does not do

We do not claim zero-knowledge or 'military-grade' encryption.
We do not claim to make screenshots impossible.
We do not process payments or connect to your bank or card accounts.
We do not sell your documents.
We do not show raw IP addresses in normal internal product views.

Current beta boundaries

Full raw-file archive exports are not available yet.
Frontend token handling is acceptable for development; production should move toward HttpOnly cookie handling.
AI-assisted document processing is not enabled as a third-party file-processing pipeline in this beta.

Responsible disclosure

If you believe you have found a security issue, please report it privately through the Contact page rather than disclosing it publicly. Do not include real access codes, share tokens, or document contents in your report — a clear description and steps to reproduce are enough.

Privacy draft Data & deletion Join the waitlist