Skip to content
boveDAM
FeaturesPricingBlogDocsDesigners & StudiosBrand OwnersAgencies
Sign inStart free trial
ENES

Security and privacy

How storage works

Where files are stored and how boveDAM protects them.

Every file you upload to boveDAM is stored in a private cloud object storage bucket. Understanding how that storage is structured — and how files are delivered to your clients — helps you explain boveDAM's security posture with confidence.

Private buckets and encryption at rest

boveDAM does not use public storage buckets. There is no URL pattern you can guess or iterate to access files directly. All objects live in private buckets managed by the cloud provider, inaccessible to the public internet by default.

Every file is encrypted at rest using AES-256, managed by the cloud provider's key management service. This means:

  • Files are unreadable even if someone were to gain access to the raw storage layer
  • Encryption and decryption happen transparently — you do not need to do anything to enable it
  • The encryption keys are managed by the cloud provider's infrastructure, not stored alongside the files

This protection applies to every file regardless of plan — Free, Studio, and Agency workspaces all receive the same encryption standard.

How files are delivered: signed URLs

When a portal member or portal visitor clicks to view or download an asset, boveDAM does not send them the file directly from a static URL. Instead, it generates a signed URL — a time-limited, cryptographically authenticated link that grants temporary access to a single file.

Every signed URL:

  • Is valid for 5 minutes after generation
  • Is bound to a specific file path using a SHA-256 HMAC signature
  • Cannot be transferred to a different file — the signature is path-specific
  • Becomes a 403 Forbidden response after it expires

This means your clients never hold a permanent, shareable link to any asset. A URL copied from a browser's network inspector or download manager will stop working within minutes. For more detail on this mechanism, see Signed URLs and TTL.

What this means for your clients

Your portal visitors experience signed URLs transparently — they click a file and it opens or downloads. The URL they see in the browser address bar or in their download history expires quickly. If they share that URL with someone outside the portal, it will not work after the TTL window passes.

This is an intentional design choice: boveDAM portals are the access control boundary. Clients can share portal access with the people they trust by contacting you, not by forwarding a raw file link.

Storage quota and recomputation

Storage usage is tracked at the workspace level and is shared across all portals. The storage meter in Account settings reflects the most recent quota calculation. Quota is recomputed by a background job that runs every 24 hours, so there may be a short delay between uploading or deleting files and seeing the updated number in the dashboard.

If you delete a large batch of files and need the quota to update sooner — for example, if uploads are blocked because you are near the limit — contact support@bovedam.com to request an immediate recompute.

Multi-region availability

boveDAM's storage infrastructure uses a cloud provider with multi-region replication. Files are automatically replicated to at least one secondary region, providing resilience against regional outages. You do not need to configure replication — it is on by default for all workspaces.

See also: Signed URLs and TTL · Deletion and retention · Plans and upgrades