legal

Security

last updated June 2026

Draftpile holds proof of non-refundable sponsorship spend, so the people who buy it — and their compliance teams — need to trust it. This page explains the controls that protect your workspace, your organizer links, and the proof you store.

01Access control

Owner workspaces are protected by account authentication. Organizer upload pages are account-less by design, but each contact receives a private link and must pass the invited-email gate before uploading proof.

Room slugs and workspace slugs are not authorization. Server-side checks decide access.

02Data isolation

Draftpile keeps workspace data isolated so one workspace cannot read or change another workspace’s rooms, contacts, files, or exports.

Production data access is enforced on the server and backed by database row-level security.

03Hosting & data residency

Draftpile’s application data and uploaded proof are stored in the European Union — the AWS eu-west-1 region (Ireland). Data at rest stays in the EU.

Infrastructure is managed cloud (Supabase for the database and storage); we don’t run our own servers.

04Uploads & files

Uploaded proof is stored in private storage and served through short-lived signed links. We validate file type and size before accepting it.

Original filenames are kept as metadata; storage paths are generated by the system.

05Retention & deletion

You stay in control of your proof. Export a proof pack of any room whenever you like, and delete a room, contact, or submission at any time — deletion takes effect in your workspace immediately.

Guest-created rooms that are never claimed expire automatically. To delete your entire workspace and its data, contact us and we’ll remove it.

06Authentication

Draftpile supports owner sign-in with email and Google. Auth redirects are restricted to Draftpile-owned routes and domains.

Your event organizer doesn’t need an account, which keeps the upload flow simple while limiting what each link can access.

07Compliance & enterprise

Your data stays in the EU, isolated per workspace with row-level security, and served only through short-lived signed links.

If your security team needs a DPA, a specific retention policy, or a vendor security review, talk to us through the contact page and we’ll work through it.

08Monitoring & response

We monitor errors, abuse patterns, and important security events so we can investigate issues quickly.

If you believe you’ve found a vulnerability, contact us through the contact page with enough detail for us to reproduce it.

09Limits

Draftpile applies rate limits and plan limits to sensitive actions such as uploads, exports, emails, and Assist features.

These limits help protect customer data and keep the service reliable.

Questions about this policy? Contact us →