This page is the technical reference for procurement and security review teams evaluating Vukorix. It describes how content is encrypted, who can decrypt what, and where the architectural boundaries are. Wording on this page is engineering-reviewed; the external-review caveat at the bottom defines what we have and haven't certified.
One-line summary. Vukorix offers two ways to handle sensitive content: Standard secure processing (server-managed AES-256-GCM at rest, for workflows that need the server to read the document) and Private mode (browser-encrypted AES-256-GCM, for the files where Vukorix should never see plaintext). The mode is chosen per workflow before send and cannot be switched afterwards.
Standard secure processing encrypts your content at rest on Vukorix's servers using AES-256-GCM with a key Vukorix manages. This lets the application perform server-side operations — generating previews, fielding e-sign workflows, processing form submissions, applying redactions, scanning uploads for malware — and gives you a complete audit trail. Vukorix can decrypt this content when the application needs to (and would comply with valid legal process). We do not access your content casually; we encrypt access, scope it by organisation, and audit every event.
Private mode is end-to-end encrypted for supported file exchange workflows. Your browser generates a per-share data encryption key (DEK), encrypts the content with AES-256-GCM before upload, and only ever sends ciphertext to Vukorix. The DEK either travels with the link as a URL fragment (Secure Share, Secure Exchange owner → recipient), or is wrapped under the recipient's RSA-OAEP-2048 public key (Secure Receive, Secure Exchange recipient → owner) so the recipient can decrypt in the browser without Vukorix ever seeing the key.
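
The fragment-delivery path described above, as an added browser-side sketch using the Web Crypto API; it is not Vukorix's code. The chunk layout (random 12-byte IV per chunk, chunk index as additional authenticated data) and the link path are assumptions; the 4 MB chunk size, the `#k=` fragment and the `p.vukorix.com` host are taken from this page.

```javascript
// Added illustration, not Vukorix code. Assumed (not stated on the page): each
// chunk carries its own random 12-byte IV, the chunk index is bound as AES-GCM
// additional data, and the link path /s/EXAMPLE-ID is a placeholder.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // Node < 19 fallback
const CHUNK = 4 * 1024 * 1024; // 4 MB chunks, as the page states
const aad = (i) => new Uint8Array(new Uint32Array([i]).buffer);
const b64url = (b) => btoa(String.fromCharCode(...b)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64url = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/') + '==='.slice((s.length + 3) % 4)),
  (c) => c.charCodeAt(0));

// Sender's browser: fresh DEK per share, fresh IV per chunk, key only in the fragment.
async function encryptForShare(plain, chunkSize = CHUNK) {
  const dek = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const chunks = [];
  for (let off = 0, i = 0; off < plain.length; off += chunkSize, i++) {
    const iv = wc.getRandomValues(new Uint8Array(12));
    const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv, additionalData: aad(i) },
      dek, plain.subarray(off, off + chunkSize));
    chunks.push({ iv, ct: new Uint8Array(ct) });
  }
  const raw = new Uint8Array(await wc.subtle.exportKey('raw', dek));
  return { chunks, link: `https://p.vukorix.com/s/EXAMPLE-ID#k=${b64url(raw)}` };
}

// What the browser puts on the HTTP request line: path and query, never the fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient's browser: read the DEK from the fragment, then decrypt chunk by chunk.
async function decryptFromLink(link, chunks) {
  const k = new URLSearchParams(new URL(link).hash.slice(1)).get('k');
  const dek = await wc.subtle.importKey('raw', unb64url(k), 'AES-GCM', false, ['decrypt']);
  const parts = [];
  for (let i = 0; i < chunks.length; i++) {
    const { iv, ct } = chunks[i];
    parts.push(new Uint8Array(await wc.subtle.decrypt({ name: 'AES-GCM', iv, additionalData: aad(i) }, dek, ct)));
  }
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  parts.reduce((off, p) => (out.set(p, off), off + p.length), 0);
  return out;
}
```

The fragment is readable by any script running on the recipient page, so this property rests on the integrity of the JavaScript served from the recipient domain.
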
Private mode applies to Secure Share, Secure Receive, and Secure Exchange file exchange in both directions (recipient → owner uploads and owner → recipient outgoing files). E-Sign, Smart Forms, redaction, document previews, the Document Library, and the Secure Exchange message thread continue to use Standard secure processing. Each of those either needs the server to read the document in some way or, in the case of Exchange messaging, is not currently offered in Private mode at all (the Private Exchange messaging UI is disabled at launch; Standard Exchange messaging remains available under the master key).
Private mode protects content. It does not pretend that no metadata exists. Vukorix retains the application-level data needed to operate the service: sender identity, workflow timestamps, file size, and integrity checks for the ciphertext. Vukorix does not retain the recipient's IP address or user-agent on Private mode audit rows; the dedicated private recipient domain (p.vukorix.com) uses a separate Apache log format that omits client IPs.
Vukorix cannot honestly promise that no metadata exists anywhere on the internet. DNS providers, ISPs, corporate networks, VPNs, and the user's own browser all produce metadata that is outside our control. Our claim is precise: on systems Vukorix operates, recipient IP and user-agent are minimised on Private mode events.
Both modes ship with every Vukorix plan. Choose per workflow.
| | Standard secure processing | Private mode |
|---|---|---|
| Where encryption happens | On Vukorix servers | In your browser |
| Who can decrypt | Vukorix can decrypt to perform document processing | Only the recipient (Share / Receive / Exchange-files) |
| Filename privacy | Filenames stored encrypted under server key | Optional — encrypt with the file in browser |
| Recipient IP / user-agent in audit | Recorded | Minimised — not stored on Private events |
| Recipient link hostname | app.vukorix.com | p.vukorix.com |
| Vukorix recovery if you lose access | Possible (admin path) | Not possible by design |
| Best for | E-Sign, Smart Forms, redaction, previews, Document Library, audit-heavy flows | Cases where Vukorix should never see plaintext |
| Available on | Share · Receive · Exchange · E-Sign · Smart Forms · Redaction · Document Library | Share · Receive · Exchange (files) |
All primitives below are pre-quantum primitives implemented via standard, audited browser and server libraries. Vukorix does not roll its own cryptography.
| | |
|---|---|
| AES-256-GCM | Symmetric authenticated encryption for both Standard secure processing at rest (server-managed key, unique IV per file) and Private mode browser-side file encryption (per-share DEK generated in the browser, unique IV per chunk). Files are encrypted in 4 MB chunks. |
| RSA-OAEP-2048 | Asymmetric wrapping of the per-share DEK in Secure Receive Private mode and Secure Exchange (recipient → owner) Private mode. The recipient's browser generates the DEK, wraps it under the account owner's RSA public key, and stores the wrapped DEK alongside the ciphertext. Only the owner's browser can unwrap. |
| URL fragment delivery | The data encryption key for Secure Share Private mode and Secure Exchange (owner → recipient) Private mode is base64url-encoded and placed in the URL fragment (#k=...). Fragments are browser-only and never reach Vukorix's servers in HTTP requests. Optional passphrase protection wraps the fragment with a key only the recipient knows. |
| TLS (transport) | Every connection to vukorix.com, app.vukorix.com, and p.vukorix.com is encrypted with TLS. Cloudflare fronts the main app domains for DDoS protection; the private recipient domain uses a separate origin Apache log format that omits client IPs. |
| PBKDF2 (account passphrase) | Account passphrases derive an encryption key via PBKDF2, used to unlock the user's stored private key (which is itself stored on Vukorix only in wrapped form, encrypted under the passphrase-derived key). Vukorix never sees the plaintext passphrase or the plaintext private key. |
| HMAC-SHA256 (audit) | Audit-trail integrity uses HMAC-SHA256 chaining so individual audit rows cannot be silently rewritten without invalidating subsequent rows. |
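
The RSA-OAEP and PBKDF2 rows above, worked through as an added Web Crypto sketch of the Secure Receive key path; it is not Vukorix's code. The OAEP hash, PBKDF2 hash, salt size, iteration count and the use of AES-GCM to protect the stored private key are assumptions, since the page does not state them.

```javascript
// Added illustration, not Vukorix code. Assumptions not stated on the page:
// OAEP with SHA-256, PBKDF2-HMAC-SHA-256 with a 16-byte salt, AES-GCM as the
// cipher protecting the stored private key, and the iteration count.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // Node < 19 fallback
const OAEP = { name: 'RSA-OAEP', hash: 'SHA-256' };
const GCM256 = { name: 'AES-GCM', length: 256 };

async function kekFromPassphrase(passphrase, salt, iterations) {
  const base = await wc.subtle.importKey('raw', new TextEncoder().encode(passphrase),
    'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey({ name: 'PBKDF2', hash: 'SHA-256', salt, iterations },
    base, GCM256, false, ['wrapKey', 'unwrapKey']);
}

// Owner setup: the server would store the public key and the wrapped private key only.
async function ownerSetup(passphrase, iterations = 600000) {
  const pair = await wc.subtle.generateKey(
    { ...OAEP, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) },
    true, ['wrapKey', 'unwrapKey']);
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const kek = await kekFromPassphrase(passphrase, salt, iterations);
  const wrappedPriv = await wc.subtle.wrapKey('pkcs8', pair.privateKey, kek, { name: 'AES-GCM', iv });
  return { publicKey: pair.publicKey, stored: { wrappedPriv, salt, iv, iterations } };
}

// Uploading recipient: fresh DEK, wrapped under the owner's public key.
async function wrapDekForOwner(publicKey) {
  const dek = await wc.subtle.generateKey(GCM256, true, ['encrypt', 'decrypt']);
  return { dek, wrappedDek: await wc.subtle.wrapKey('raw', dek, publicKey, { name: 'RSA-OAEP' }) };
}

// Owner's browser: passphrase -> KEK -> private key -> DEK.
async function unwrapDek(passphrase, stored, wrappedDek) {
  const kek = await kekFromPassphrase(passphrase, stored.salt, stored.iterations);
  const priv = await wc.subtle.unwrapKey('pkcs8', stored.wrappedPriv, kek,
    { name: 'AES-GCM', iv: stored.iv }, OAEP, false, ['unwrapKey']);
  return wc.subtle.unwrapKey('raw', wrappedDek, priv, { name: 'RSA-OAEP' },
    GCM256, true, ['encrypt', 'decrypt']);
}
```
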

| | |
|---|---|
| Hosting region | DigitalOcean Sydney (SYD1). Production application + database + uploaded files all reside in the Sydney region. Cloudflare fronts vukorix.com and app.vukorix.com. |
| Database | MySQL managed instance. Daily snapshots (DigitalOcean) and nightly logical dumps (mysqldump) retained per retention policy. |
| File storage | Encrypted at rest on a dedicated 100 GB mounted volume. Every uploaded file is AES-256-GCM encrypted; per-org 10 GB storage quota with dashboard gauge + alert cron. |
| File-size caps | 100 MB for Secure Share / Receive / Exchange uploads. 50 MB for E-Sign source PDFs. 20 MB for Smart Forms source PDFs. 2 MB for organisation logos. |
| Virus scanning | Warden runs against every uploaded file. Suspicious uploads are quarantined and the uploader is notified. |
| Public-link retention | Secure Share links: 180 days max. Secure Receive: 30 days max. Secure Exchange: 7 days minimum. E-Sign documents: 90 days post-completion. Audit certificates: 365 days. Custom retention windows available for organisations. |
| Audit logging | Every owner action — create, send, view, download, expire, cancel, share, sign — lands in the audit log with timestamp, actor, target, and (for Standard) recipient IP / user-agent. Private mode audit rows omit recipient IP and user-agent by design. |
| Burn semantics | When a Secure Share is burned (by view cap, expiry, or owner manual-expire), the underlying ciphertext bytes are permanently destroyed on disk. Neither Vukorix support nor an admin can recover them. Audit metadata is preserved. |
| Admin path | Platform admins can list and cancel objects across organisations from a dedicated admin surface. They see metadata only — never decrypted content for Private mode objects, and for Standard mode they trigger decryption only via the application's audit-logged paths. |
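
The HMAC-SHA256 audit chaining named in the primitives table, as an added sketch that builds and verifies a small chain; it is not Vukorix's code. The row fields (timestamp, actor, action, target), the JSON serialisation and the all-zero genesis value are assumptions, and the sample rows are constructed.

```javascript
// Added illustration, not Vukorix code. Row layout, serialisation and the
// genesis value are assumptions; the page states only that audit rows are
// chained with HMAC-SHA256.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // Node < 19 fallback
const enc = new TextEncoder();
const GENESIS = '0'.repeat(64);
const hex = (buf) => [...new Uint8Array(buf)].map((b) => b.toString(16).padStart(2, '0')).join('');
const unhex = (s) => Uint8Array.from(s.match(/../g) ?? [], (h) => parseInt(h, 16));

// The MAC input is the previous row's MAC plus this row's fields in a fixed order.
const macInput = (prevMac, row) =>
  enc.encode(prevMac + '|' + JSON.stringify([row.ts, row.actor, row.action, row.target]));

async function importAuditKey(secretBytes) {
  return wc.subtle.importKey('raw', secretBytes, { name: 'HMAC', hash: 'SHA-256' },
    false, ['sign', 'verify']);
}

async function appendRow(key, log, row) {
  const prev = log.length ? log[log.length - 1].mac : GENESIS;
  const mac = hex(await wc.subtle.sign('HMAC', key, macInput(prev, row)));
  log.push({ ...row, mac });
  return log;
}

// Returns the index of the first row whose MAC does not verify, or -1 if intact.
async function verifyChain(key, log) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const ok = await wc.subtle.verify('HMAC', key, unhex(log[i].mac), macInput(prev, log[i]));
    if (!ok) return i;
    prev = log[i].mac;
  }
  return -1;
}
```

Chaining alone does not reveal removal of the newest rows: a log cut off at the tail still verifies, so the latest MAC or row count has to be recorded somewhere the log writer cannot alter.
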

| | |
|---|---|
| Owner sign-in | Email + password with mandatory 2FA; Google OAuth; Microsoft OAuth; Passkeys; TOTP authenticator apps; SMS one-time codes in selected supported countries. |
| Recipient verification | Recipients never create an account. Per-share options: none / 4-digit PIN / SMS one-time code. PIN gates and SMS gates are owner-configured at create time and can be edited mid-flight on Secure Receive and E-Sign. |
| Admin sign-in | Platform admins authenticate via the same paths as owners with stricter session limits and elevated audit logging. |
| SMS country allowlist | SMS verification is available in selected supported countries. The allowlist is maintained centrally and reviewed before each launch wave; it is not advertised as "worldwide". |
Vukorix's hero positioning is "SOC 2 Ready Architecture" and "GDPR-Compliant Design" — each is a scoped description of how the platform was built, not a certification claim.
| | |
|---|---|
| GDPR-Compliant Design | Vukorix's data-minimisation defaults — zero data retention, encrypted-at-rest customer payloads, recipient-without-account model, organisation-scoped tenancy — align with GDPR's privacy-by-design principles. The privacy and terms pages acknowledge cross-border data transfer for non-AU users. |
| SOC 2 Ready Architecture | Vukorix's audit logging, role separation, encryption posture, change-management discipline, and incident-response playbook were designed with SOC 2 Type 2 control families in mind. The "Architecture" suffix is deliberate: this is a description of how the system was built, not an audit attestation. A SOC 2 audit has not been initiated. |
| AU Privacy Act | Vukorix is operated from Australia. The Australian Privacy Principles inform how we structure data handling, retention, and breach notification. AU-specific framing can be added to your procurement responses on request. |
| External cryptographic review | Planned post-launch. Until it's published, our architectural claims are grounded in the codebase and documentation referenced above — happy to walk procurement teams through the engineering record on request. |
Manual PDF redaction is available inside the Smart Forms editor and the E-Sign edit page. You draw rectangles over the text you want to hide. The PDF service rasterises the page, paints the rectangles opaque, and re-emits an image-only PDF that's FPDI-compatible. There is no text under the black box — copy-paste from the region yields nothing, OCR cannot recover it, and redaction is irreversible at the PDF layer.
It is a manual tool. Vukorix does not scan for or classify sensitive data automatically. Word and Excel files must be converted to PDF first. Redaction uses Standard secure processing because the server has to rasterise and re-flatten the PDF.
Vukorix retains the metadata required to run the service (sender identity, timestamps, file size, ciphertext integrity hashes). For Private mode content, we hold only ciphertext — a legal process directed at Vukorix would produce only the ciphertext we hold. For Standard secure processing content, Vukorix manages the encryption key and can decrypt under valid legal process or customer-administrative action. Network metadata outside Vukorix (DNS, ISP, Cloudflare for the main app) is governed by those providers' policies, not ours.
No. Vukorix provides Private mode for supported file exchange workflows where content is encrypted in your browser before upload. Standard secure processing remains available for workflows that require server-side document processing, such as E-Sign, Smart Forms, redaction, and previews.
Private mode is available on Secure Share, Secure Receive, and Secure Exchange (file exchange in both directions — recipient → owner uploads + owner → recipient outgoing files). The Secure Exchange message thread is a Standard-mode feature only at launch. E-Sign, Smart Forms, redaction, and the Document Library are Standard secure processing only.
No. Private mode is designed so Vukorix cannot recover the decrypted content. Keep the recipient link and any passphrases safe.
It can. Each workflow offers a filename privacy option in Private mode — for example, the recipient sees a generic label like "Document 1" instead of the original filename until they unlock the share.
No system can honestly promise that across every internet layer. Vukorix minimises Private mode metadata in application and server-controlled systems and uses a dedicated private recipient domain, but DNS providers, ISPs, corporate networks, and your browser may still process connection metadata Vukorix cannot see or control.
Not at launch. The Private Exchange messaging UI is disabled — Private Exchange is files-only at launch (both directions, browser-encrypted). If a workflow needs a message thread alongside file exchange, use Standard Secure Exchange; the message thread there is server-side encrypted under the master key, the same model as the rest of Standard mode.
Those workflows need the server to read the document — to detect form fields, overlay your signature, or apply redaction boxes. Server-side access and end-to-end encryption are mutually exclusive. We chose to keep them as Standard secure processing rather than ship a fake "Private" mode that wouldn't really be private.
Vukorix engineering documentation, code, and architecture are tracked in detail. An independent external cryptographic audit has not been completed at this time. We will publish the external-audit status when one is available; in the meantime, our public claims are scoped to architectural properties we can demonstrate in code.
Procurement, security, or legal team needs more detail than this page provides? Request our extended architecture document.