Document Security
Your documents are locked by design.
Passport copies, transcripts, and IPA documents are among the most sensitive files you will ever share. Here is exactly how PathPort protects them.
Security controls
Private encrypted storage
All documents are stored in private buckets — not publicly accessible URLs. Retrieval requires a time-limited signed link generated server-side. A direct URL to your passport copy cannot be guessed or scraped by anyone outside the system.
Encryption at rest and in transit
Documents are encrypted at rest using AES-256 on Supabase infrastructure hosted in Singapore (AWS ap-southeast-1). All data in transit is encrypted via TLS 1.2+. Unencrypted document transfers do not occur at any stage.
Role-based access control
Only your enrolled college and PathPort administrators with a logged, verifiable reason can retrieve your documents. Student-facing download links are generated per-request and expire after 60 minutes. Colleges cannot access documents for applications they did not originate.
Row-level security (RLS)
PathPort's database enforces row-level security at the database layer — not just the application layer. This means even if an application bug occurred, database queries from one college or student cannot return rows belonging to another.
Document storage reference
| Document | Stored | Who can access | Retention |
|---|---|---|---|
| Passport copy | Yes — private bucket, per-student prefix | Your enrolled college + PathPort admin | 7 years (statutory requirement) |
| Academic transcripts & mark sheets | Yes — private bucket | Your enrolled college + PathPort admin | 7 years |
| Offer letter (from college) | Yes — scoped to college + application | Student + enrolled college + PathPort admin | 7 years |
| IPA / Student Pass document | Yes — scoped to college + application | Student + enrolled college + PathPort admin | 7 years |
| Payment proof / receipt | Yes — private bucket | Student + enrolled college + PathPort admin | 7 years |
| Bank statement / financial proof | Yes — private bucket | Enrolled college + PathPort admin only | 7 years |
To report a security concern
Email pathportsg@gmail.com with the subject line "Security concern". Include as much detail as possible. PathPort acknowledges all security reports within 24 hours.