Document Handling Policy

Effective date: 1 April 2025 · Last updated: 1 April 2025

This policy explains in plain language exactly how CertVault handles your uploaded documents — where they are stored, who can see them, how they are scanned, and what happens if a problem is detected. It supplements our Privacy Policy.

1. What Documents You Can Upload

CertVault supports the following document categories:

Certificates — general professional certifications.
Licences — state and territory-issued trade and professional licences.
CASA Licences — aviation-related licences issued by the Civil Aviation Safety Authority.
Electrical Licences — licensed electrical workers' cards and registrations.
Security Licences — security industry licences.
Medicals — occupational health and fitness-to-work certificates.
Immunisations — vaccination records and health declarations.
Flag Endorsements — maritime flag state endorsements.
Working Visas — work rights documentation for non-citizens.
Site Safety Cards — construction induction, white cards, and site access cards.

Accepted file formats are PDF, JPG, PNG, and HEIC. The maximum file size per upload is 10 MB.

2. Where Your Documents Are Stored

Uploaded files are stored in Supabase Storage, a cloud storage service operated by Supabase, Inc. (USA). Files are:

Stored in encrypted form at rest using AES-256 encryption.
Transmitted over encrypted connections (HTTPS/TLS) at all times.
Organised within isolated storage buckets by document type.
Accessible only through authenticated API calls — files are not publicly accessible via URL.

Infrastructure is hosted in data centres in the United States. By uploading to CertVault, you consent to this cross-border storage as described in our Privacy Policy.

3. Who Can See Your Documents

3.1 You

You always have full access to all documents you have uploaded. You can view, download, and delete your documents at any time from your dashboard.

3.2 Employers

Employers who have hired you (i.e., you appear in their workforce) can view your documents through the platform. Employers access documents via a secure authenticated API route — they cannot access raw storage URLs directly.

You can see which employers have access to your profile from your dashboard. Removing yourself from an employer's workforce revokes their access immediately.

3.3 CertVault Staff

CertVault administrators have access to document metadata (upload dates, expiry dates, file names) for platform management and support purposes. Direct access to document file contents by staff is restricted and logged.

3.4 Third-Party Security Scanning

All uploaded documents are submitted to VirusTotal (a service operated by Google LLC) for malware and security scanning. VirusTotal may retain submitted files for threat intelligence purposes in accordance with their own privacy policy. By uploading documents to CertVault, you consent to this scanning.

3.5 No Public Access

Documents are never made publicly accessible. There are no public profile pages that expose your documents to unauthenticated users.

4. Security Scanning

Every document uploaded to CertVault is automatically submitted to VirusTotal for malware scanning. The scanning process works as follows:

When you upload a document, it is marked as "pending" scan.
The file is submitted to VirusTotal's API for analysis.
VirusTotal's scanning engines analyse the file for malware, viruses, and other threats.
Results are returned within approximately 60 seconds for most files.
If the file is clean, it is marked with a green indicator on your dashboard.
If the file is flagged as infected, it is immediately deleted from storage, and the record is marked as infected. You will need to re-upload a clean version.

Scan results (clean / infected / pending) are displayed alongside each document in your dashboard. A clean scan result means no malware was detected — it does not verify the document\'s authenticity.

5. Document Expiry Tracking

CertVault tracks expiry dates for supported document types and provides automated expiry reminders. Specifically:

Expiry dates are entered by you at the time of upload and are not independently verified.
Automated email reminders are sent before a document expires (default: 30 days before expiry).
Expired documents are visually flagged in your dashboard and in employer views.
Expired documents remain accessible — they are not automatically deleted.

6. Deleting Your Documents

You can delete any document from your dashboard at any time. When you delete a document:

The file is removed from Supabase Storage.
The document record and metadata are soft-deleted from the database.
Employer access to that document is immediately revoked.
The file is fully purged within 90 days in accordance with our Data Retention Policy.

Deletion is permanent. We recommend you download and keep a personal copy of any important documents before deleting them from CertVault.

7. Your Responsibilities

By uploading documents to CertVault, you confirm that:

The documents are genuine and accurately reflect your qualifications or credentials.
You have the right to share the documents and doing so does not breach any third-party rights.
You will keep documents up to date and remove or replace documents that expire or become invalid.

8. Contact Us

For questions about document handling or to request document deletion:

CertVault Pty Ltd
Email: legal@certvault.com.au