Storage & signed URLs
How Raiz’d keeps your documents private — a private bucket, owner-namespaced uploads, and short-lived signed URLs.
Your documents are sensitive, so they’re never public. Raiz’d stores them in a private bucket and only ever serves them through short-lived signed URLs tied to an active link session.
Private by default
- The documents bucket is private — files are never publicly listable or directly fetchable.
- Uploads are owner-namespaced — every file is stored under your own account’s namespace, enforced at the database and storage layer.
- When a viewer opens a link, the viewer requests a short-lived signed URL, which is issued only after the session is validated against an active link.
No cross-tenant access
Every server route that handles a storage path verifies ownership — a path can never be forged to reach another account’s file. This is enforced for signing, conversion, and viewing.
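A minimal sketch of the two checks described above (sign only for an active link, and only for a path inside the owner's namespace), added here as an illustration and not Raiz'd's own code. It assumes paths of the form `<owner_id>/<file>`, an HMAC-signed URL format, a 60-second lifetime, and a constructed in-memory link table; every name in it is hypothetical.

```python
import hashlib
import hmac
import posixpath
import time

SIGNING_KEY = b"constructed-demo-key"  # placeholder; a real key lives in a secret store
URL_TTL_SECONDS = 60                   # assumed lifetime for a "short-lived" URL

# Constructed sample state: link id -> (owner account, storage path, active flag)
LINKS = {
    "lnk_1": ("acct_a", "acct_a/decks/seed.pdf", True),
    "lnk_2": ("acct_a", "acct_a/decks/old.pdf", False),         # paused link
    "lnk_3": ("acct_a", "acct_a/../acct_b/decks/b.pdf", True),  # forged path
}


def owned_path(owner_id, path):
    """Return the normalized path if it stays inside owner_id's namespace, else None."""
    if "\\" in path or "\x00" in path or path.startswith("/"):
        return None
    clean = posixpath.normpath(path)  # collapses "a/../b" before the prefix check
    if not clean.startswith(owner_id + "/"):  # trailing slash: acct_a must not match acct_ab
        return None
    return clean


def sign_for_link(link_id, now=None):
    """Issue a signed URL only for an active link whose path its owner really owns."""
    link = LINKS.get(link_id)
    if link is None or not link[2]:
        return None  # unknown, paused, or revoked link: nothing is signed
    path = owned_path(link[0], link[1])
    if path is None:
        return None
    expires = int(now if now is not None else time.time()) + URL_TTL_SECONDS
    msg = f"{path}\n{expires}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"/files/{path}?expires={expires}&sig={sig}"


def verify(path, expires, sig, now=None):
    """Storage-side check: signature matches and the URL has not expired."""
    msg = f"{path}\n{expires}".encode()
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    fresh = int(now if now is not None else time.time()) <= int(expires)
    return fresh and hmac.compare_digest(expected.encode(), sig.encode())
```

In this sketch a URL signed before a link is paused stays valid until `expires`, so the lifetime bounds how long access can outlast a pause or revocation.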
What this means for you
A deck link only works while it’s active. Pause or revoke a link and the signed URLs stop being issued — there’s no lingering public link to a file floating around. Combined with watermarking, you keep meaningful control over where your deck ends up.