Security

Built for secure client file collection.

PortalLess keeps the workflow focused: clients upload through secure links, firms access files from their workspace, and sensitive documents stay out of ordinary email threads.

Last updated: June 11, 2026

Security approach

PortalLess is designed around a narrow workflow: securely request files, receive uploads, and help the firm track what is missing. We avoid unnecessary client accounts and keep access scoped to the firm workspace.

Access controls

  • Firm users sign in with passwordless email authentication.
  • Client upload links use long random tokens and expire after a defined request window.
  • Firms can optionally require a request PIN or one-time email code before a client uploads files.
  • Firm data is separated by workspace with database row-level access controls.
  • Uploaded file metadata is tied to the firm, client, request, and requested file item.

File protection

  • Uploaded files are stored in a private storage bucket, not a public file directory.
  • Supported uploads are limited to common document and image file types.
  • The current upload limit is 50 MB per file.
  • File names are sanitized before storage paths are created.
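
The following added example, which is not PortalLess's own code, shows one way to enforce the size limit, a type allowlist and file name sanitization before building a storage path tied to the firm, client, request and requested file item. The extension allowlist, the identifier format, the reading of 50 MB as 50 MiB and all function names are assumptions.

```python
import os
import re
import unicodedata
from pathlib import PurePosixPath

MAX_BYTES = 50 * 1024 * 1024  # page states 50 MB per file; read as MiB here (assumption)
# Assumed allowlist: the page only says "common document and image file types".
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".csv", ".txt", ".jpg", ".jpeg", ".png"}
ID_RE = re.compile(r"[A-Za-z0-9-]{1,64}")  # assumed identifier format


def sanitize_filename(raw: str) -> str:
    """Reduce a client-supplied name to one safe path component."""
    # Normalize first so look-alike separators (e.g. U+FF0F) become "/" before splitting.
    name = unicodedata.normalize("NFKC", raw)
    # Keep only the final component, whichever separator the client used.
    name = name.replace("\\", "/").split("/")[-1]
    # Replace everything outside a conservative character set (spaces, NUL, controls).
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    # Collapse dot runs and drop leading dots/hyphens (hidden files, option-like names).
    name = re.sub(r"\.{2,}", ".", name).lstrip(".-")
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    # Only the final extension counts, so "invoice.pdf.exe" is rejected.
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("file type not allowed")
    return stem[:100] + ext  # bound the length but keep the extension


def storage_key(firm_id, client_id, request_id, item_id, raw_name, size_bytes):
    """Validate an upload and return its object key inside the private bucket."""
    if not 0 < size_bytes <= MAX_BYTES:
        raise ValueError("file size outside allowed range")
    # Identifiers should come from the server-side request record, never from
    # the client; they are still checked so none can add a path segment.
    for part in (firm_id, client_id, request_id, item_id):
        if not ID_RE.fullmatch(part):
            raise ValueError("malformed identifier")
    name = sanitize_filename(raw_name)
    return str(PurePosixPath(firm_id, client_id, request_id, item_id, name))


if __name__ == "__main__":
    # Constructed sample input.
    print(storage_key("firm-1", "client-9", "req-42", "item-3",
                      "..\\..\\Tax Return 2025.PDF", 2_000_000))
```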

Operational practices

  • Production credentials should be stored only in deployment environment variables.
  • Access to backend service credentials should be limited to the smallest practical set of operators.
  • Security-impacting changes should be reviewed before deployment.
  • A customer-facing incident response contact should be published before broad launch.

Important note

This page describes PortalLess security practices and intended controls. It is not a certification, audit report, or legal opinion. Firms should evaluate PortalLess against their own professional and regulatory obligations before using it for sensitive client files.