TeamVault is a secure team file vault designed for organizations that need controlled document sharing without per-user pricing complexity. Built with a cloud-native architecture using Next.js APIs, Cloudflare R2 object storage, and PostgreSQL, TeamVault provides role-based access control, folder-level permissions, and detailed audit logging. Its core differentiator is verified downloads, which embed forensic watermarking into files that record the downloader’s email, timestamp, IP address, and file checksum, making leaks traceable and discouraging unauthorized distribution. With flat-rate storage plans and simple admin controls for users, groups, and access policies, TeamVault focuses on secure collaboration, accountability, and predictable SaaS pricing for teams managing sensitive documents.

Systems Overview

Secure collaboration requires more than simple file storage. It requires strong identity management, controlled access to documents, traceable activity, and infrastructure designed to scale.

TeamVault is built around a layered architecture that separates identity, application services, security controls, and storage infrastructure. This design allows the platform to enforce security policies consistently while maintaining a clean and scalable system structure.

At a high level, TeamVault follows a simple principle:

Authenticate the user → authorize the action → securely deliver the document → record the event.

This approach ensures that every file interaction is both controlled and auditable.

Client Access Layer

Users interact with TeamVault through two primary interfaces:

Web Application

The browser-based interface provides full access to the vault, including document upload, download, folder management, workspace administration, and verified document sharing.

Desktop Sync Client

The desktop client, built using Go and Wails, enables local folder synchronization with the TeamVault vault. Files can be uploaded, downloaded, or updated automatically while maintaining the same security and audit controls as the web platform.

Both clients communicate with the TeamVault application platform through secure API endpoints.

Identity and Authentication

TeamVault uses a centralized identity layer to ensure that all user activity is authenticated and traceable.

Authentication is handled through Auth0, which supports modern security standards including OAuth2, PKCE, and JWKS validation.

Two authentication flows are supported:

Web Sessions

Browser users authenticate through secure session cookies that establish an authenticated session with the TeamVault platform.

Desktop Tokens

The desktop client uses bearer JWT tokens to authenticate background synchronization operations.

After authentication, external identities are resolved to an internal TeamVault user record, which links the user to workspaces, permissions, and audit history within the system.

Application Platform

The TeamVault application platform coordinates all user actions and enforces system rules.

At a high level, the platform is organized around four major process areas.

Vault File Operations

Handles core document operations including uploading files, downloading files, moving documents, deleting items, and managing folders.

Administration

Provides workspace management capabilities such as user provisioning, group management, and administrative access to audit history.

Desktop Synchronization

Coordinates file synchronization between the desktop client and the vault, allowing users to keep local files in sync with the platform.

Verified Document Delivery

Enables secure external sharing of documents with optional verification controls and download protections.

These processes interact with the core service layer to enforce security policies and manage storage access.

Core Security Services

TeamVault uses a shared services layer that enforces platform security and compliance requirements.

Access Control Engine

All file operations pass through a centralized access control system that evaluates folder permissions, group memberships, and inherited access rules before allowing any action.

Audit Logging

Every significant system event is recorded in the audit log. This provides traceability for document access, administrative changes, and external file sharing.

Verified Download Engine

For externally shared documents, the verified download engine applies security policies such as expiration rules, allowlists, and download verification checks.

PDF Watermarking

When required, documents can be dynamically watermarked before delivery. The watermark includes identity information and a verification checksum to discourage unauthorized distribution.

Secure Storage Access

The platform generates short-lived presigned URLs for file transfers, allowing clients to upload or download documents directly from object storage without exposing permanent credentials.

Storage Architecture

TeamVault uses a dual-storage architecture that separates metadata from file content.

Metadata Database

System metadata is stored in a PostgreSQL database hosted through Supabase. This includes user accounts, workspace structure, group memberships, permissions, file metadata, and audit history.

Object Storage

Actual file contents are stored in Cloudflare R2 object storage. This approach provides scalable storage while keeping document binaries separate from application logic and metadata.

Separating metadata and file storage improves both performance and security while allowing the system to scale efficiently.

Secure Document Delivery

When users download or share documents, the system applies several security steps.

The platform first verifies the user’s identity and access permissions. If the document is shared externally, the verified download engine applies policy checks and may generate a dynamic watermark before delivery.

The file is then retrieved from object storage and streamed securely to the recipient. All activity is recorded in the audit log to maintain a complete record of document access.

Architecture Principles

The TeamVault architecture is built around several key design principles.

Separation of concerns

Identity, application logic, security services, and storage infrastructure are isolated into distinct layers.

Centralized security enforcement

All file operations pass through a shared access control system to ensure consistent policy enforcement.

Auditability

All important actions are recorded, providing a verifiable record of activity within the platform.

Scalability

Object storage and presigned file access allow the system to scale efficiently as vault usage grows.

Platform Summary

TeamVault combines modern authentication, policy-driven security services, and scalable cloud storage to create a secure collaboration platform.

By separating identity, access control, document processing, and storage into clear architectural layers, TeamVault provides a strong foundation for organizations that require both secure document management and verifiable activity tracking.

The result is a system designed for secure collaboration, controlled document distribution, and enterprise-grade accountability.