Security

Private by design, local by default.

Warrivo is built so financial documents are encrypted before upload and processed locally on the desktop app.

client browser → encrypted upload → Cloudflare R2 temporary encrypted blob → desktop sync → local decrypt → local OCR + local AI → review + clean local folder → cloud blob retention delete

Browser encryption

The client upload page encrypts file bytes and original filename metadata in the browser before direct upload to R2 signed URLs.

Temporary cloud storage

Cloudflare R2 stores temporary encrypted blobs only. Cloud code handles metadata, signed URLs, audit logs, billing limits, and retention cleanup.

No cloud OCR

Cloud code does not run OCR or Qwen3-VL, and does not store OCR text, extracted fields, or plaintext filenames by default.

Desktop keys

Desktop private keys are generated locally and stored in OS Keychain. The public key is registered with the device for wrapping uploaded file keys.

5-day post-sync deletion

After desktop ACK proves download, decrypt, checksum verification, staging copy save, and local DB commit, encrypted cloud blobs are scheduled for deletion no later than 5 days later.

Remaining metadata

After cloud blob deletion, Warrivo keeps minimal metadata for audit, billing, usage limits, status, and support. This metadata does not include document contents or plaintext filenames by default.

Security contact

Report suspected security incidents to security@warrivo.com. Include the affected account email, approximate time, and whether you can share a redacted support bundle.