Skip to content

Document storage and security

This page describes where Syndik8 keeps your document files, who is allowed to read each file, and the technical limits on what you can upload.

Reference for any admin or member who needs to understand the privacy and limits of the document library before storing something sensitive.

Files are stored in encrypted-at-rest cloud storage hosted in the EEA. There is no end-user setting that changes where files live.

LimitValue
Accepted file typesPDF, JPEG, PNG, WebP
Maximum file size20 MB
Files per documentOne. Replacing the file does not create a second version; the old file is removed and the new one takes its place.

Files over 20 MB are rejected before upload: the check runs on the client, so no bytes leave your device.

Files are kept in encrypted-at-rest storage hosted in the EEA. Each file is filed under the entity it belongs to:

Document kindWho can readWho can write
Asset documentEvery member of the syndicate the asset is in.Admins of that syndicate.
Syndicate documentEvery member of the syndicate.Admins of that syndicate.
Pilot document (medical or licence)The pilot only.The pilot only.

Access is enforced at the storage layer itself, not just by the app. There is no technical way to bypass the rules by going around the app.

Every download (whether from the app, from a cached copy that has expired, or from the Share action) goes through a short-lived signed URL. The URL is generated by the server, expires within minutes, and is not guessable. There are no permanent public URLs for any document.

When you tap Share on the document viewer, Syndik8 hands the operating system a fresh signed URL. The system browser opens it, and from there you can save the file locally, email it, or send it to AirDrop / Print as usual.

When a document is uploaded, Syndik8 computes a cryptographic fingerprint of the file and stores it alongside. The offline cache uses the same fingerprint to verify that a downloaded copy matches what the server has. If the bytes don’t match, the cached copy is discarded rather than served.

For pilot medicals specifically:

  • Date of birth.
  • Medical class (Class 1, Class 2, LAPL, PMD).
  • Limitations recorded on the certificate.
  • Clinical commentary.
  • Medical examiner identity.

The only metadata Syndik8 keeps about your medical is its title (which you control), its expiry date (which you enter), and its fingerprint. Admins of your syndicate see only that a medical is recorded and its expiry date.

  • Primary storage: EEA region.
  • Backups: in-region.
  • No transfers to non-EEA infrastructure for the document files themselves.
  • Storage is gated per request. The storage layer does not serve a single byte unless the asking user passes the rules above. There is no admin override that lets a syndicate admin pull a pilot’s medical file.
  • Deletion is irreversible. When a document is deleted, the file and its record are removed together, in one operation. There is no “trash” or “recently deleted” recovery path.
  • The file follows the record. When a document is deleted, the corresponding file is removed from storage in the same step. You will not find orphaned files left behind.
  • The fingerprint protects offline copies. If a document is replaced, the next sync downloads the new fingerprint and the device discards its stale cached file before serving it.

For how the offline cache works without exposing the file beyond the device, see How offline document caching works.