Data room security, encrypted by default.
Beamprobe is a UK virtual data room with security built in. Every document AES-256 encrypted before it touches storage. Hosted in the EU. Email through an EU endpoint. Our DPA is on the website, not behind a sales call.
How we protect your data.
EU data residency
Documents are stored in Cloudflare R2 under EU jurisdiction. The application and Postgres database run in the EU. We operate under UK GDPR; ICO registration is in progress. Data never leaves the UK or EEA.
Encryption at rest - envelope, app-managed
Every document is AES-256-CBC encrypted with a unique 2048-byte random password before it is written to storage. The password itself is encrypted with S/MIME (AES-256) using a 4096-bit RSA public certificate. The matching private key is held only by the Beamprobe application servers and is required to decrypt anything. R2 sees only ciphertext.
Honest limit: this is encryption at rest with app-managed keys, not end-to-end encryption - our servers can decrypt your documents in order to render them. Customer-held keys (BYOK) are on the Enterprise roadmap.
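The envelope described above, as an added example that is not Beamprobe's code: Ruby's standard OpenSSL library does the S/MIME (PKCS#7 EnvelopedData) wrapping; the self-signed certificate, the SHA-256 step that turns the password into an AES key, and the sample document are assumptions constructed for this example. It also shows why the S/MIME layer exists at all: a 4096-bit RSA modulus transports at most 512 bytes minus padding, so the 2048-byte password cannot be RSA-encrypted directly.

```ruby
require 'openssl'
require 'securerandom'

# Self-signed certificate plus private key, standing in for the 4096-bit RSA
# certificate the page describes. Constructed for this example only.
def make_cert(bits)
  key = OpenSSL::PKey::RSA.generate(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=app-server-example')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Seal one document: fresh 2048-byte random password, AES-256-CBC for the body,
# then the password wrapped as S/MIME EnvelopedData (AES-256 content key, RSA
# key transport) under the server certificate. BINARY stops S/MIME from
# rewriting line endings inside the random password bytes.
# ASSUMPTION: the 32-byte AES key is SHA-256 of the password; the page does
# not say which KDF it uses. CBC provides confidentiality only, no integrity.
def seal(cert, doc)
  password = SecureRandom.random_bytes(2048)
  aes = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  aes.key = OpenSSL::Digest::SHA256.digest(password)
  iv = aes.random_iv
  ciphertext = aes.update(doc) + aes.final
  smime = OpenSSL::PKCS7.encrypt([cert], password, OpenSSL::Cipher.new('aes-256-cbc'),
                                 OpenSSL::PKCS7::BINARY)
  { iv: iv, ciphertext: ciphertext, wrapped_password: smime.to_der }
end

# Open: only the private-key holder recovers the password, hence the document.
def open_envelope(cert, key, env)
  password = OpenSSL::PKCS7.new(env[:wrapped_password]).decrypt(key, cert)
  aes = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  aes.key = OpenSSL::Digest::SHA256.digest(password)
  aes.iv = env[:iv]
  aes.update(env[:ciphertext]) + aes.final
end

cert, key = make_cert(4096)
env = seal(cert, 'constructed sample: Q3 management accounts')
puts "stored: #{env[:ciphertext].bytesize} body bytes, #{env[:wrapped_password].bytesize} wrapped-password bytes"
puts open_envelope(cert, key, env)
```

The storage provider receives only the IV, the body ciphertext and the S/MIME blob; without the private key none of them opens, which is exactly the app-managed-key limit stated above.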
Encryption in transit
All traffic uses TLS 1.2 or higher. Database backups are encrypted. Storage signed URLs are short-lived.
Access controls
Every link is a unique cryptographic token. Links can be disabled, expired, or password-protected. NDA-gating captures name, email, IP, and timestamp before access. View counts and expiry are enforced server-side.
Authentication
Passwords hashed with bcrypt (cost 12). Google OAuth supported. Email verification required before account activation. Reset tokens expire after 1 hour.
GDPR compliance
The right-to-erasure endpoint removes all personal data, documents, and analytics. NDA records are retained for the legally required period, then purged. We never sell your data.
Bot filtering
Email security scanners follow links to scan for malware - inflating analytics. Beamprobe detects bots by user-agent and excludes them from view data automatically.
Security questions for due diligence?
Email [email protected]
Reporting a security issue.
We welcome reports of genuine security issues that affect the confidentiality, integrity, or availability of customer data.
How to report
Email [email protected] with:
- The specific URL or endpoint affected
- A clear, reproducible proof of concept (curl request, screenshots, or video)
- Your assessment of impact, with CVSS where relevant
- Your suggested remediation
What we will do
We will acknowledge your report within 5 working days, investigate, fix valid issues, and credit you publicly on this page if you wish. We do not operate a paid bug bounty programme and do not offer monetary or gift-card rewards. Reports asking for payment will be declined and not actioned.
Out of scope
- Missing or recommended security headers (CSP, HSTS, Permissions-Policy) where no concrete exploit is demonstrated
- SPF, DKIM, DMARC, or other email configuration issues without proof of practical impact
- Self-XSS and issues only reproducible with social engineering
- Rate limiting on non-sensitive endpoints
- Clickjacking on pages without authenticated state changes
- Reports of public information (robots.txt, sitemap.xml, llms.txt, llms-full.txt) as "data leaks"
- Automated scanner output without manual validation
- Use of outdated open-source library versions without a demonstrated exploit on our deployment
- Issues in third-party services we depend on (Stripe, Cloudflare, etc.)
Rules of engagement
- Do not access, modify, or destroy data that is not yours
- Do not run automated denial-of-service or load tests
- Do not disclose publicly before we have shipped a fix
- Use a clean, throwaway account on the free plan for testing
Researcher acknowledgements
Researchers who have responsibly disclosed valid security issues to Beamprobe:
- Syed Khurram Shoaib · May 2026 · session invalidation, input validation, TLS configuration
- Syed Wahab Shah · May 2026 · session invalidation, input validation, TLS configuration
Beamprobe is at an early stage and does not yet operate a public bug bounty programme. This may change as the company grows.
Security and compliance.
Where is my data stored?
Cloudflare R2 with EU jurisdiction. Every document is AES-256 envelope-encrypted before it touches storage. Data never moves outside the UK or EEA.
Is Beamprobe UK GDPR compliant?
Yes. Beamprobe has ICO registration in progress and signs a DPA with every paid customer, encrypts data in transit (TLS 1.3) and at rest (AES-256), and supports the right to erasure within 30 days of request. UK GDPR Articles 5, 28, 32, 33 are addressed by default.
Does Beamprobe use any US sub-processors?
No US sub-processors for storage. Storage is Cloudflare R2 in the EU jurisdiction. Email is delivered through an EU endpoint. Stripe is the payment processor and handles card data outside our infrastructure.
How does Beamprobe handle a data breach?
We notify the ICO within 72 hours, per UK GDPR Article 33, and notify affected customers directly. Beamprobe runs structured logging, anomaly alerting, and a documented incident response plan.
Can I delete all my data?
Yes. Request GDPR deletion from your account. Beamprobe purges all documents, encryption keys, page assets, and account data from R2 and Postgres within 30 days. NDA acceptance records are retained for 6 years per UK statute, anonymised.