SendDeck is built to handle your most important sales documents. Here is how we keep them safe.
UK-based servers
All SendDeck application data — including your documents, account details, and viewer analytics — is stored on servers physically located in the United Kingdom, operated by Fasthosts Internet Ltd. Your data never leaves the UK without explicit safeguards.
Dedicated VPS
SendDeck runs on a dedicated Virtual Private Server, not shared hosting. Your data is not co-mingled with other customers' data at the infrastructure level.
HTTPS everywhere
All connections to SendDeck are encrypted in transit using TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS.
Regular backups
Application data is backed up regularly. Backups are stored in encrypted form and tested periodically to verify they can be restored.
Password hashing
Passwords are hashed using bcrypt before storage. We never store or transmit your plain-text password. Even if our database were ever compromised, your password would not be exposed.
Email verification
New accounts created with an email and password require email verification before they can be used, reducing the risk of account creation with fraudulent email addresses.
Session management
Authenticated sessions use secure, HttpOnly cookies with a 24-hour lifetime. Sessions are invalidated on logout.
CSRF protection
All state-changing requests (form submissions, API calls) are protected by CSRF tokens, preventing cross-site request forgery attacks.
OAuth sign-in
We support sign-in via Google and LinkedIn. When you use these, your password is managed entirely by those providers — we only store a provider-specific identifier.
Workspace isolation
Documents, share links, and analytics are scoped to workspaces. Members of one workspace cannot access the data of another.
Unguessable share links
Every share link has a cryptographically random slug. There is no sequential or predictable ID — a valid link cannot be guessed by trial and error.
Password-protected documents
On paid plans, you can add password protection to a document. Viewers must enter the correct password before the document is displayed. Passwords are stored using bcrypt hashing.
Link expiry
You can set an expiry date on any share link. After the expiry date, the link stops working automatically — no manual intervention required.
Instant deactivation
You can deactivate any share link instantly from your dashboard. The link stops working immediately without deleting your analytics data.
Bot filtering
Automated bot traffic is detected using user-agent analysis and excluded from your analytics, so your engagement data reflects real human visitors.
No public indexing
Document viewer pages are served with instructions to prevent search engine indexing, so your shared documents do not appear in Google search results.
UK GDPR compliant
SendDeck is operated by Riverforge Ltd, a UK-registered company. We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
IP address anonymisation
When a viewer opens your document, we record a one-way cryptographic hash of their IP address. We cannot reverse this hash to recover the original IP.
Data minimisation
We collect only the data needed to deliver the analytics service. We do not collect names or email addresses of document viewers unless you have separately identified them.
Account deletion
When you delete your account, all your personal data — documents, workspaces, share links, and analytics — is permanently and irreversibly deleted. There is no hidden archive.
Sub-processor controls
We use a small, documented list of sub-processors (see our Privacy Policy). Each is bound by a data processing agreement. We do not sell your data to third parties.
No ads on viewer pages
We do not run advertising or third-party tracking scripts on document viewer pages. Your recipients are not tracked by advertising networks when they view your documents.
If you discover a security vulnerability in SendDeck, we ask that you report it to us privately so we can fix it before it is publicly disclosed. Please email [email protected] with details. We aim to acknowledge reports within 48 hours and resolve confirmed issues as quickly as possible. We do not offer a formal bug bounty programme at this time.
Read our Privacy Policy