Product
Transfer Files Speed test Leaderboard
Developers
API Integrations
Pricing
Company
Features Security About Contact
Log in Sign up
Security & Privacy

Your files. Your rules.

We built Trinsfer with the same defensive posture we'd want for our own data: encryption in transit, hashed credentials, expiring tokens, and zero ad-tracking — ever.

Encryption in transit

Every byte travels over HTTPS with TLS 1.2+ and HSTS enforced via Cloudflare. We force all HTTP traffic to HTTPS at the edge and never serve content on insecure channels.

  • TLS 1.2 / TLS 1.3 only
  • HSTS with includeSubDomains
  • Cloudflare proxied; modern cipher suites

Hashed credentials

Passwords are never stored. We hash them server-side with bcrypt (cost 11) before saving, and rotate the hash automatically when stronger parameters become available.

  • bcrypt cost 11+
  • No plain-text password logs
  • Brute-force lockout (5 attempts / 15 minutes)

Expiring share tokens

Every transfer gets a short, cryptographically-secure random token. Tokens stop working at the configured expiration time — no orphaned links, ever.

  • CSPRNG-generated tokens
  • Optional password gate
  • Soft-delete with 7-day grace

GDPR-friendly by design

No marketing pixels. No third-party trackers. We store the bare minimum: your email, optional OAuth identity, and the files you choose to share. Export or delete your data with a single click.

  • Right to access & delete
  • Data exports on request
  • Cookies limited to session + theme/locale

Technical safeguards

Session securityHttpOnly + SameSite=Lax cookies, automatic HTTPS detection, 30-day sliding expiration with proxy-aware renewal.
Email integrityTransactional emails sent via Brevo over authenticated SMTP/HTTPS. SPF, DKIM and DMARC aligned with the trinsfer.com domain.
Verbose audit logsEvery login, download and admin action is logged with IP and user-agent. Logs retained for 30 days, then automatically purged.
HostingEU data center; database backed up every 6 hours with 7-day point-in-time recovery. Off-site backups encrypted at rest.
OAuth securityX.com integration uses OAuth 2.0 + PKCE; Telegram logins are cryptographically verified using HMAC-SHA256 on every callback.
ReportingFound a vulnerability? Email security@trinsfer.com with details — we acknowledge reports within 48 hours and credit researchers in our hall of fame.