Document Storage

There is no "Documents" folder in SecureCare you can drop a file into. Every upload is anchored to a specific record — the customer it belongs to, the case it's part of, the staff member it's about, the message it was attached to, the facility it documents. The absence of orphan storage is the design: when the record matters, the document is with it; when the record is archived, the document follows. No mystery files, no abandoned drives, no folders nobody remembers naming.

Every file is encrypted on disk with a per-record salt and a database-managed key — no two documents share the same encryption material. Files are transmitted over TLS during upload and download. The encryption is invisible to staff — uploads, viewing, and downloads work like any modern web app — but the underlying file on disk is unreadable without the platform's decryption pipeline.

Each staff-uploaded document is marked public or private. Public documents on a customer, volunteer, or donor record are visible to the person the record belongs to through the patron portal — they can view their own intake forms, signed agreements, and shared paperwork. Private documents are staff-only — clinical observations, internal notes, anything attached to the record but not for the record's owner. The platform enforces the line on every search and every download, in the database query itself.

Every document opens in a built-in viewer in the browser — PDFs, images, Word, Excel, plain text. No download required to read a file; nothing leaves the platform unless the staff member explicitly downloads. For staff handling sensitive records on shared screens, this means the file's contents render where the viewer can't be saved or screen-grabbed by accident through a clumsy download flow.

Search by document name, original filename, file extension, or any tag a staff member added. Filter by upload date, single date, or date range. Narrow by document type — signature documents, message attachments, program-service documents. The platform deliberately does not search inside file contents: encrypted-at-rest documents can't be content-searched without breaking the encryption posture, and SecureCare keeps the encryption posture.

When a customer signs a consent form, treatment agreement, or release through the Signature Documents system, the resulting signed PDF is stored as a Document Storage record on the customer's profile — same encryption, same retention, same access controls. The document is locked from modification once signed; the signed copy is what the platform keeps, alongside the audit trail.

HIPAA requires that healthcare-related records be retained for a minimum period after creation or last activity, regardless of whether the record is still in active use. SecureCare honors this by retaining every document — even ones a staff member has "deleted" — for the full retention window. Deleted documents disappear from the UI, no longer count against active record views, and cannot be retrieved through the application; but the underlying file is preserved per the regulation.

After ten years past deletion, a document is eligible to be permanently purged from disk and database. SecureCare gives organization administrators a one-click purge tool that hard-deletes every document past the retention window in one job, frees the storage back to the organization's allocation, and records a permanent audit trail of what was purged and when. The purge is the only path that physically removes a file — everything else is soft delete with retention. Most platforms in this category never give you back the storage; SecureCare does, on the schedule the regulation allows.

Every plan includes a base storage allocation. The dashboard shows current usage, with warnings as the allocation fills. Additional storage is available per terabyte per year, priced linearly — no enterprise-tier mark-up, no "contact sales for pricing." The cost is published; you pay for what you use.