Random report link
Each report uses a long random report ID, rather than a public page name or predictable file path.
Secure report delivery
DBX ONE is designed around secure report links, one-time passcodes and private file storage, so consumables invoice reports can be shared without making the report publicly accessible.
Report access flow
How reports are protected
A long random link is not treated as enough on its own. DBX ONE’s report flow is designed so the recipient also needs a one-time passcode sent to the practice email before the report can be viewed.
Each report uses a long random report ID, rather than a public page name or predictable file path.
The practice enters a code sent to the practice email address before the report viewer opens.
Reports, Excel files, PDF summaries and evidence files are intended to sit in private storage, not public website folders.
Report links can expire, so old links do not remain open indefinitely.
Report access can be logged for review, including when a report was opened and whether a passcode was verified.
Practices can request a correction or improvement from inside the report, rather than emailing loose notes around.
MVP architecture
The report can still be a beautiful HTML dashboard, but it should be served through controlled access rather than attached as a random public file.
| Part | Role |
|---|---|
| dbxone.co.uk | Main marketing website and upload route. |
| reports.dbxone.co.uk | Secure report viewer and passcode flow. |
| Cloudflare Pages | Hosts the report front-end and static pages. |
| Cloudflare Workers / Pages Functions | Handles passcode checks, secure downloads, report sessions and request-change forms. |
| Cloudflare R2 | Private file storage for source invoices, generated reports, Excel files and PDF summaries. |
| Database | Stores report ID, hashed token, client email, expiry date, access log and deletion date. |
Retention
Retention periods should be agreed and documented. The exact period may depend on the practice’s instructions and whether it continues with monthly reporting.
Suggested starting point: delete raw invoices after 30 days unless the practice asks otherwise or continues to a paid plan.
Keep structured report data while subscribed, so month-to-month comparison and recurring issue tracking can work.
Export or delete report data within the agreed period after cancellation, subject to any legal or dispute-related retention need.
Important
This page describes the DBX ONE secure report delivery direction. For each live report, DBX ONE confirms the delivery method before processing. Secure report links require configured storage, database, email-code and access-control settings; reports are accessed through the hosted private report flow.