Draftpile holds proof of non-refundable sponsorship spend, so the people who buy it — and their compliance teams — need to trust it. This page explains the controls that protect your workspace, your organizer links, and the proof you store.
Owner workspaces are protected by account authentication. Organizer upload pages are account-less by design, but each contact receives a private link and must pass the invited-email gate before uploading proof.
Room slugs and workspace slugs are not authorization. Server-side checks decide access.
Draftpile keeps workspace data isolated so one workspace cannot read or change another workspace’s rooms, contacts, files, or exports.
Production data access is enforced on the server and backed by database row-level security.
Draftpile’s application data and uploaded proof are stored in the European Union — the AWS eu-west-1 region (Ireland). Data at rest stays in the EU.
Infrastructure is managed cloud (Supabase for the database and storage); we don’t run our own servers.
Uploaded proof is stored in private storage and served through short-lived signed links. We validate file type and size before accepting it.
Original filenames are kept as metadata; storage paths are generated by the system.
You stay in control of your proof. Export a proof pack of any room whenever you like, and delete a room, contact, or submission at any time — deletion takes effect in your workspace immediately.
Guest-created rooms that are never claimed expire automatically. To delete your entire workspace and its data, contact us and we’ll remove it.
Draftpile supports owner sign-in with email and Google. Auth redirects are restricted to Draftpile-owned routes and domains.
Your event organizer doesn’t need an account, which keeps the upload flow simple while limiting what each link can access.
Your data stays in the EU, isolated per workspace with row-level security, and served only through short-lived signed links.
If your security team needs a DPA, a specific retention policy, or a vendor security review, talk to us through the contact page and we’ll work through it.
We monitor errors, abuse patterns, and important security events so we can investigate issues quickly.
If you believe you’ve found a vulnerability, contact us through the contact page with enough detail for us to reproduce it.
Draftpile applies rate limits and plan limits to sensitive actions such as uploads, exports, emails, and Assist features.
These limits help protect customer data and keep the service reliable.