Document Handling Policy

Effective date: 1 April 2025 · Last updated: 26 April 2026

This policy explains in plain language exactly how CertVault handles your uploaded documents — where they are stored, who can see them, how they are scanned, and what happens if a problem is detected. It supplements our Privacy Policy.

1. What Documents You Can Upload

CertVault supports the following document categories:

Certificates — general professional certifications.
Licences — state and territory-issued trade and professional licences.
CASA Licences — aviation-related licences issued by the Civil Aviation Safety Authority.
Electrical Licences — licensed electrical workers' cards and registrations.
Security Licences — security industry licences.
Medicals — occupational health and fitness-to-work certificates.
Immunisations — vaccination records and health declarations.
Flag Endorsements — maritime flag state endorsements.
Working Visas — work rights documentation for non-citizens.
Site Safety Cards — construction induction, white cards, and site access cards.

Accepted file formats are PDF, JPG, PNG, and HEIC. The maximum file size per upload is 10 MB.

2. Where Your Documents Are Stored

Uploaded files are stored in Supabase Storage, a cloud storage service operated by Supabase, Inc. (USA). Files are:

Stored in encrypted form at rest using AES-256 encryption.
Transmitted over encrypted connections (HTTPS/TLS) at all times.
Organised within isolated storage buckets by document type.
Accessible only through authenticated API calls — files are not publicly accessible via URL.

Infrastructure is hosted in data centres in the United States. By uploading to CertVault, you consent to this cross-border storage as described in our Privacy Policy.

3. Who Can See Your Documents

3.1 You

You always have full access to all documents you have uploaded. You can view, download, and delete your documents at any time from your dashboard.

3.2 Employers

Employers who have hired you (i.e., you appear in their workforce) can view your documents through the platform. Employers access documents via a secure authenticated API route — they cannot access raw storage URLs directly.

You can see which employers have access to your profile from your dashboard. Removing yourself from an employer's workforce revokes their access immediately.

3.3 CertVault Staff

CertVault administrators have access to document metadata (upload dates, expiry dates, file names) for platform management and support purposes. Direct access to document file contents by staff is restricted and logged.

3.4 Third-Party Security Scanning

All uploaded documents are submitted to VirusTotal (a service operated by Google LLC) for malware and security scanning. VirusTotal may retain submitted files indefinitely for threat-intelligence purposes in accordance with their own privacy policy.

Important for sensitive documents. If you upload medical fitness certificates, immunisation records, or other documents containing sensitive personal information, those files are also submitted to VirusTotal as part of routine scanning. By uploading any document to CertVault, you consent to this scanning. If you would prefer not to share a particular document with a third-party security vendor, do not upload it to CertVault.

3.5 No Public Access

Documents are never made publicly accessible. There are no public profile pages that expose your documents to unauthenticated users.

4. Security Scanning

Every document uploaded to CertVault is automatically submitted to VirusTotal for malware scanning. The scanning process works as follows:

When you upload a document, it is marked as "pending" scan.
The file is submitted to VirusTotal's API for analysis.
VirusTotal's scanning engines analyse the file for malware, viruses, and other threats.
Results are returned within approximately 60 seconds for most files.
If the file is clean, it is marked with a green indicator on your dashboard.
If the file is flagged as infected, it is immediately deleted from storage, and the record is marked as infected. You will need to re-upload a clean version.

Scan results (clean / infected / pending) are displayed alongside each document in your dashboard. A clean scan result means no malware was detected — it does not verify the document\'s authenticity.

5. Document Expiry Tracking

CertVault tracks expiry dates for supported document types and provides automated expiry reminders. Specifically:

Expiry dates are entered by you at the time of upload and are not independently verified.
Automated email reminders are sent before a document expires (default: 30 days before expiry).
Expired documents are visually flagged in your dashboard and in employer views.
Expired documents remain accessible — they are not automatically deleted.

6. Deleting Your Documents

You can delete any document from your dashboard at any time. When you delete a document:

The file is removed from Supabase Storage.
The document record and metadata are permanently removed from the database.
Employer access to that document is immediately revoked.
There is no recovery window or "trash" — deletion takes effect immediately.

Deletion is permanent. We recommend you download and keep a personal copy of any important documents before deleting them from CertVault. Whole-account closure is handled separately and may include a short post-closure grace period — see our Data Retention Policy.

7. Your Responsibilities

By uploading documents to CertVault, you confirm that:

The documents are genuine and accurately reflect your qualifications or credentials.
You have the right to share the documents and doing so does not breach any third-party rights.
You will keep documents up to date and remove or replace documents that expire or become invalid.

8. Contact Us

For questions about document handling or to request document deletion:

CertVault (Australian sole trader)
ABN: 51 371 573 935
2 Tandang Sora Street
Labason, Zamboanga Del Norte
Philippines 7117
Email: legal@certvaultapp.com