Back to help centre

Security and privacy

Where files are stored, how they're protected, and your rights under GDPR.

Where files are stored

All files and account data are stored on servers in the EEA — primarily Norway, with backup in other EU countries. We do not use US-based cloud services for file storage. This is a deliberate choice that simplifies GDPR compliance and minimises exposure to US surveillance legislation.

Encryption

At-rest: All files are encrypted with modern standards (AES-256) while they sit on our servers. Each file has its own unique encryption key, which in turn is encrypted with a master key.

In transit: Everything goes through TLS 1.3 — the same standard banks use. The traffic is unreadable to anyone who might intercept it along the way.

Access control

Each transfer has a URL with a long random identifier — not a guessable sequence of numbers. In addition you can add password, recipient verification and burn on delivery for extra layers of security. See the article on secure sending.

What we do with the data after expiry

When a transfer expires:

  • The file is permanently deleted within 1 hour
  • The link immediately stops working
  • Metadata about the transfer (to whom, date, status) is kept for 12 months for audit, then anonymised

Your GDPR rights

You can exercise these rights self-service:

  • Access (Art. 15) — export all your data under Account → Privacy → Export data. You get a ZIP with profile, contacts, transfer history and settings.
  • Rectification (Art. 16) — edit profile info and settings directly in the account.
  • Erasure (Art. 17) — delete the account under Account → Privacy → Delete account. All personal data is deleted within 30 days.
  • Data portability (Art. 20) — the export is in open formats (JSON, CSV) that can be imported elsewhere.

What we MUST keep by law

Norwegian accounting law requires invoices to be kept for 10 years. After account deletion the invoices are anonymised, but the accounting records themselves remain.

Virus scanning

Each file is automatically scanned for known malicious code before it becomes available for download. If we detect malware, the download is blocked and the sender is notified.

Sub-processors

We use some third-party services for specific tasks. All have Standard Contractual Clauses for GDPR transfer:

  • Stripe — payment processing
  • Email provider — sending notification emails
  • CDN — public pages load faster

A complete list is in our DPA (Data Processing Agreement), linked from the footer.

If something goes wrong

In the event of a detected breach or suspicion:

  1. We isolate the affected area immediately
  2. We notify affected customers within 72 hours
  3. Datatilsynet is notified if necessary
  4. We publish a post-mortem afterwards

So far we have not had any security incidents. When it happens, it will be documented openly.

Contact

For questions about privacy or a formal GDPR request: support@wegotfiles.no. If you believe we are processing personal data unlawfully, you can complain to Datatilsynet.