Storage
Sync to the storage you already trust
Engineering firms have already chosen where their documents live. A new sealing tool that demands a new file silo creates duplicate workflows, version drift, and an 'outside the system' set of records compliance has to chase. We do not become your file system. We integrate with the file system you already have.
Executive summary
Five cloud storage providers integrated today: AWS S3, Azure Blob, Google Drive, Microsoft SharePoint, and Box. On every successful seal, the immutable PDF is enqueued for upload to your configured destination via Oban.
Sync is post-commit, retried, and trackable: we never claim a sync succeeded before the destination acknowledged. Failed uploads retry with exponential backoff and are visible to admins in the storage settings dashboard. The seal is sealed; the upload is observable.
Our commitments
Five rules for the storage integration
Sync after the seal commits, not before
Storage upload is enqueued only after the database transaction succeeds. A failed seal never produces an orphan file in your bucket.
Provider credentials are encrypted at rest
OAuth tokens, S3 access keys, SFTP passwords — all field-level AES-256-GCM with redact: true. A database read alone does not yield usable credentials.
Sync status is observable, not assumed
Per-document sync state (pending → syncing → synced → failed) is a database column you can query and alert on. We do not pretend something is uploaded if it is not.
The original is yours, not ours
The sealed PDF in your storage is yours to keep, move, archive, or audit. We do not require it to live in our infrastructure to remain verifiable — verification works from the bytes regardless of where they sit.
No silent provider fallbacks
If your S3 sync fails, we do not silently switch to a "default" location. Failed uploads stay failed and surface to your admins; you choose the recovery path.
Implementation — providers
Five integrations, one architecture
Implementation — the sync pipeline
How upload actually happens
The full picture
What is built, what is being built, and what we chose not to build
Live today
Five cloud provider integrations
LiveS3, Azure, Google Drive, SharePoint, Box.
Post-commit upload via Oban
LiveSync starts only after the seal transaction commits; no orphan files from rolled-back seals.
Encrypted credential storage
LiveOAuth tokens, S3 keys, SFTP passwords all field-level encrypted with redact: true.
Per-document sync status tracking
LiveStates are queryable; admin UI surfaces failed uploads for manual retry or investigation.
Self-service test connection
LiveAdmins verify credentials work before enabling sync; failures surface in the configuration UI, not at sealing time.
Building now
Per-folder sync rules
Building nowMap document folders to destination paths so different project areas land in different buckets / drives.
Bidirectional metadata sync
Building nowWhen a document moves in your storage, the EngineeringID record stays linked. Today, sync is one-way (EngineeringID → storage).
Two-step sync verification
Building nowPost-upload HEAD check confirms the destination object exists with the expected size and ETag before we mark sync complete.
Roadmap
Customer-managed encryption keys
RoadmapBYO AWS KMS for at-rest encryption of stored credentials and signing material. Plaintext key material would never leave your KMS.
Glacier / cold-storage tiering rules
RoadmapPer-org rules for moving very old sealed versions to cold storage while keeping verification live.
On-prem / air-gapped sync
RoadmapFor customers with a strict no-cloud posture, an SFTP-pulled sync where EngineeringID never initiates outbound to the destination.
Considered & rejected
Building our own "EngineeringID storage" as the default
Considered & rejectedA new file silo is the opposite of what enterprise customers want.
Why we rejected it: customers have already invested in S3 / SharePoint / Box. A new silo creates the exact integration friction we exist to remove. We default to "your storage, your control" with a transparent per-document sync state.
Aggressive sync retries that hammer your provider
Considered & rejectedRetrying every 30 seconds for an hour is an availability incident on the receiving end.
Why we rejected it: 5 attempts with exponential backoff respects the destination's rate limits. After the final attempt, we dead-letter and surface the failure to admins. We do not become a noisy neighbor.
Storing customer cloud credentials in plaintext for "operational ease"
Considered & rejectedA leaked credentials database is the canonical SaaS breach pattern.
Why we rejected it: every "we need plaintext for token refresh" is solvable with field-level encryption — decrypt inside the OAuth refresh path, drop, done. We pay the symmetric op; we never store plaintext.
Silent failover to a backup destination
Considered & rejected"We synced your sealed document to a different bucket because the configured one failed" is not a feature.
Why we rejected it: failed sync stays failed and surfaces to admins. Silent failover to a different location creates a permanent question of "where did this document actually go?" that compliance cannot answer.
Compliance mappings
Controls this surface satisfies
Data Transmission and Disposal
TLS 1.3 in transit; AES-256-GCM credentials at rest
Availability — Recovery
Failed syncs retry with backoff; final state observable to admins
Information transfer policies
Defined provider integrations; no ad-hoc transfer paths
Confidentiality agreements
Provider credentials handled per the corresponding provider's DPA
Processor obligations
Customer storage providers act as sub-processors under the customer's DPA
Business Associate contracts
BAA-eligible providers (S3, Azure, Google Workspace) supported under your existing BAA
For compliance teams
Questions you do not need to call to ask
What happens if my storage provider is down at sealing time?
Where do customer cloud credentials live?
Do you store a copy in your own infrastructure?
What happens to a file in your storage when we revoke the connector?
Can we use customer-managed keys for the at-rest encryption?
Are sync events captured in the audit log?
Storage that respects the storage you already chose
Sealed documents land where they belong, observably, retried, and on your terms.