Security

Datieve is designed to keep your file metadata on your infrastructure. Here's how we approach security and privacy.

Self-hosted by design

The Datieve agent runs on your NAS. The database is stored locally. Your file metadata never passes through our servers.

This isn't an afterthought—it's the core design. We chose self-hosting because many of our target users (legal, healthcare, engineering) can't or won't send file information to third parties.

What we see (and don't see)

We receive

  • Your license key (for validation)
  • Count of active indexed files
  • Count of deleted (ghost) files

This data is sent once per day during the license check-in.

We never receive

  • File names
  • File paths
  • File contents
  • User names or emails
  • Search queries
  • IP addresses of your NAS

Agent security

Authentication

The admin panel requires a token (auto-generated on first run). User authentication uses bcrypt-hashed passwords stored in the local database.

Network exposure

The agent listens on your local network only. It's not exposed to the internet by default. We recommend keeping it behind your firewall and only accessible from trusted workstations.

Read-only access

The agent only reads files to gather metadata (name, size, modification time). It never writes, modifies, or deletes your files. You can mount volumes as read-only.

Rate limiting

The WebSocket API is rate-limited to prevent abuse. Admin sessions allow 20 requests/second, user sessions allow 10.

Data storage

Local database

All indexed metadata is stored in a SQLite database on your NAS. The file lives in the agent's data directory (typically a Docker volume).

What's stored

  • File paths and names
  • File sizes and modification times
  • Whether files are directories
  • Deletion status and timestamps (for ghosts)
  • User accounts and group memberships
  • Folder permission assignments

Encryption

The database is not encrypted at rest by default. If you require encryption, use filesystem-level encryption on your NAS or an encrypted Docker volume.

Website & payments

Payment processing

Payments are processed by Stripe. We don't store credit card numbers. Stripe handles PCI compliance.

Account data

We store your email address, license key, and subscription status in our database. This is used for license validation and customer support.

Cookies

The website uses session cookies for the admin dashboard. We don't use tracking cookies or third-party analytics.

Security questions?

If you have specific security requirements or questions about compliance, reach out and we'll provide details.

Contact us →