Buzstorage By DOHTECH
SOC 2 Type II Compliant

Uncompromising Infrastructure Security

Enterprise-grade protection with a security-first mindset. Engineered for trust and compliance across all global regions.

AES-256 Encryption
99.99% Durability

Identity & Access

Granular access management with support for MFA, SAML, and OIDC. Permissions can be limited down to the asset level.

Protocol Verified

Anycast Network

Built on a private anycast network with 100+ edge nodes. Content is delivered via the shortest path.

Protocol Verified

Compliance & Audit

Complete audit trail for all data access. Data residency controls to pin assets to specific regions.

Protocol Verified

Dual-Key Authentication

API Integration

Every request to the Buzstorage edge network must be authenticated using a standard Dual-Key pair. This provides an additional layer of cryptographic isolation between your Access ID and your Secret Key.

import axios from 'axios';

// Format: Bearer <AccessKeyId>:<SecretAccessKey>
const ACCESS_KEY_ID = 'ak_prod_...'; // Always include the full prefix
const SECRET_KEY = 'sk_prod_...';    // Always include the full prefix

// Both halves of the key pair travel together in one Authorization header
await axios.get('/api/protected/vaults', {
  headers: { 
    'Authorization': `Bearer ${ACCESS_KEY_ID}:${SECRET_KEY}` 
  }
});

Enterprise Security

We periodically rotate internal root keys and enforce TLS 1.3 for all traffic. For high-security environments, IP Network Security can be strictly enforced on a per-app basis via the Console Settings, rejecting any traffic from unauthorized sources.

Critical Security Requirement

Tokens for programmatic access utilize the AccessKeyId:SecretAccessKey composite pattern. Ensure your production IPs are whitelisted in the app dashboard to prevent unauthorized usage.
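
The two checks described above (the AccessKeyId:SecretAccessKey bearer credential and the per-app IP allowlist) can be sketched server-side as follows. This is an added example, not Buzstorage's code: the key values, CIDR range, hashed-secret storage and the 401/403 status codes are assumptions.

```javascript
const crypto = require('node:crypto');
const net = require('node:net');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Build one app record. Only a hash of the secret is stored (assumption).
function makeApp(secretKey, cidrs) {
  const allow = new net.BlockList(); // Node's BlockList, used here as an allowlist
  for (const cidr of cidrs) {
    const [addr, prefix] = cidr.split('/');
    allow.addSubnet(addr, Number(prefix), net.isIPv6(addr) ? 'ipv6' : 'ipv4');
  }
  return { secretHash: sha256(secretKey), allow };
}

// Constructed sample data: placeholder keys and a documentation IP range.
const APPS = new Map([
  ['ak_prod_EXAMPLE', makeApp('sk_prod_EXAMPLE', ['203.0.113.0/24'])],
]);

// Returns the HTTP status the request would get (status codes are assumptions).
function authorize(authorizationHeader, sourceIp) {
  const m = /^Bearer ([^:\s]+):(\S+)$/.exec(authorizationHeader || '');
  if (!m) return 401;
  const app = APPS.get(m[1]);
  // Compare fixed-length hashes in constant time, even for unknown key IDs.
  const expected = app ? app.secretHash : sha256('');
  const secretOk = crypto.timingSafeEqual(sha256(m[2]), expected);
  if (!app || !secretOk) return 401;
  // Credentials are valid; now require an allowlisted source address.
  const family = net.isIPv6(sourceIp) ? 'ipv6' : 'ipv4';
  if (!net.isIP(sourceIp) || !app.allow.check(sourceIp, family)) return 403;
  return 200;
}
```

A valid key pair presented from an address outside the allowlist is refused with 403, which is the case the IP restriction exists for: leaked credentials used from an unknown network.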

Enterprise CSRF Protection

Double CSRF Pattern

We implement the Synchronizer Token Pattern using double-signed HMAC tokens. Every non-idempotent request (POST, PUT, DELETE) must include a valid x-csrf-token header.

Session Integration

Tokens are logically bound to your secure session ID and, optionally, verified across environments in high-security deployments.

Token Handshake

Clients must first retrieve a CSRF token from our public security endpoint before performing state-changing operations.

// 1. Fetch the CSRF token from the public endpoint
const { data } = await axios.get('/api/public/csrf-token');
const csrfToken = data.xcsrftoken;

// 2. Pass the token in the x-csrf-token header for POST/PUT/DELETE
await axios.post('/api/upload', formData, {
  headers: { 'x-csrf-token': csrfToken }
});
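
What "bound to your session ID" means on the server side, as an added example that is not Buzstorage's implementation: the token carries an HMAC over the session ID, so a token issued for one session fails verification in another. The token layout, secret handling, 15-minute lifetime and the single HMAC-SHA256 (rather than the double signing the page mentions) are assumptions.

```javascript
const crypto = require('node:crypto');

// Assumptions: per-process random secret, 15-minute token lifetime.
const CSRF_SECRET = crypto.randomBytes(32);
const MAX_AGE_MS = 15 * 60 * 1000;

// MAC over session ID, nonce and issue time, so the token is bound to one session.
function sign(sessionId, nonce, issuedAt) {
  return crypto.createHmac('sha256', CSRF_SECRET)
    .update(`${sessionId}.${nonce}.${issuedAt}`)
    .digest('base64url');
}

// Token layout (assumed): <nonce>.<issuedAtMs>.<mac>
function issueCsrfToken(sessionId, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('base64url');
  return `${nonce}.${now}.${sign(sessionId, nonce, now)}`;
}

function verifyCsrfToken(sessionId, token, now = Date.now()) {
  if (typeof token !== 'string') return false;
  const parts = token.split('.');
  if (parts.length !== 3 || !/^\d{1,15}$/.test(parts[1])) return false;
  const [nonce, issuedAtStr, mac] = parts;
  const issuedAt = Number(issuedAtStr);
  if (issuedAt > now || now - issuedAt > MAX_AGE_MS) return false; // future or expired
  const expected = Buffer.from(sign(sessionId, nonce, issuedAt));
  const given = Buffer.from(mac);
  // timingSafeEqual throws on length mismatch, so check length first.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

const STATE_CHANGING = new Set(['POST', 'PUT', 'DELETE']);

// req is a minimal stand-in for a framework request object.
function csrfStatus(req) {
  if (!STATE_CHANGING.has(req.method)) return 200;
  return verifyCsrfToken(req.sessionId, req.headers['x-csrf-token']) ? 200 : 403;
}
```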

Encryption & Infrastructure

AES-256 At Rest

All sensitive file metadata and private URLs are encrypted using AES-256-CBC with secure, rotating initialization vectors (IVs).

TLS 1.3 In Transit

All production traffic is secured via TLS 1.3 enforced at both the Nginx Proxy Manager layer (ssl_protocols TLSv1.3) and the Node.js server (minVersion constraint). HTTP/3 is advertised and served via Cloudflare's QUIC layer.

Data Fidelity

Atomic file persistence and hashed directory isolation ensure zero cross-tenant leakage and prevent archival corruption.

IP Network Isolation

Mandatory network locking that restricts API access strictly to authorized IPs. Prevents usage of leaked credentials from unknown sources.

Granular Scopes

vault.read

Allows listing vaults and viewing granular file metadata without download rights.

vault.write

Grants full write, move, and deletion rights within specified organizational units.

token.refresh

Required for renewing short-lived session tokens in high-security workflows.

admin.full

Root administrative access including billing, IAM, and infrastructure policy.

Public & Private Visibility

File & Folder Visibility Flags

Every file and folder in Buzstorage carries a visibility flag that is either public or private. This flag is enforced at the infrastructure layer — not just at the application layer — meaning it cannot be bypassed regardless of how a request is formed.

When a folder's visibility is set, all files within it inherit the same flag by default, allowing you to control access for entire directory trees with a single API call.

public

Public Access

Files are accessible via a permanent, shareable CDN URL with no authentication required. Ideal for static assets, marketing media, and open content that needs global delivery.

private

Private Access

Files are fully gated. Access via the public content endpoints returns 403 Forbidden (stream) or 404 Not Found (metadata) unless the requester is the authenticated owner. Private files are served exclusively through the authenticated /protected/content/:fileId endpoint using your full API credentials.

// Upload a file and mark it as publicly accessible
const formData = new FormData();
formData.append('file', fileBlob);
formData.append('visibility', 'public'); // CDN URL returned immediately

const { data } = await axios.post('/public/v1/upload', formData, {
  headers: {
    'Authorization': `Bearer ${ACCESS_KEY_ID}:${SECRET_KEY}`,
    'x-csrf-token': csrfToken,
  }
});

// data.url → permanent, shareable CDN link
console.log(data.url);

Visibility is Enforced Per-Request

There is no caching layer between the client and the file server. Changing a file's visibility from public to private takes effect immediately on the next request — no warm-up period, no stale window. Unauthenticated access is denied instantly.
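
The visibility rules above, written out as a decision function that can back a regression test. This is an added example, not Buzstorage's code: the node table, the owner field and the lookup-time inheritance model are assumptions, while the 403 (stream) and 404 (metadata) responses are the ones this page states.

```javascript
// Constructed sample tree; a node without a visibility flag inherits from its parent.
const NODES = {
  root:        { parent: null, visibility: 'private' },
  marketing:   { parent: 'root', visibility: 'public' },
  'logo.png':  { parent: 'marketing', owner: 'alice' },                        // inherits public
  'draft.pdf': { parent: 'marketing', owner: 'alice', visibility: 'private' }, // explicit override
  'notes.txt': { parent: 'root', owner: 'alice' },                             // inherits private
};

// Walk up the tree to the nearest explicit flag; fail closed to 'private'.
function effectiveVisibility(nodes, id) {
  const seen = new Set();
  for (let cur = id; cur !== null && cur !== undefined; cur = nodes[cur].parent) {
    if (!nodes[cur] || seen.has(cur)) break; // unknown node or cycle
    seen.add(cur);
    if (nodes[cur].visibility) return nodes[cur].visibility;
  }
  return 'private';
}

// Status a public content endpoint returns. kind is 'stream' or 'metadata';
// requester is the authenticated user ID, or null for anonymous access.
function publicEndpointStatus(nodes, fileId, kind, requester) {
  const file = nodes[fileId];
  if (!file) return 404;
  if (effectiveVisibility(nodes, fileId) === 'public') return 200;
  if (requester && requester === file.owner) return 200;
  return kind === 'stream' ? 403 : 404;
}
```

Evaluating the flag on every call is what makes a public-to-private change visible on the very next request.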
© 2026 DOHTECH SOLUTIONS GROUP | Buzstorage
