Secure report delivery

Reports should not just be public files.

DBX ONE is designed around secure report links, one-time passcodes and private file storage, so consumables invoice reports can be shared without making the report publicly accessible.

Report access flow

  1. 1 Practice receives secure report link
  2. 2 One-time passcode sent to practice email
  3. 3 Report opens in a secure viewer
  4. 4 Downloads and change requests use protected endpoints

How reports are protected

Secure link plus one-time passcode.

A long random link is not treated as enough on its own. DBX ONE’s report flow is designed so the recipient also needs a one-time passcode sent to the practice email before the report can be viewed.

Random report link

Each report uses a long random report ID, rather than a public page name or predictable file path.

One-time passcode

The practice enters a code sent to the practice email address before the report viewer opens.

Private storage

Reports, Excel files, PDF summaries and evidence files are intended to sit in private storage, not public website folders.

Expiry date

Report links can expire, so old links do not remain open indefinitely.

Access log

Report access can be logged for review, including when a report was opened and whether a passcode was verified.

Request changes

Practices can request a correction or improvement from inside the report, rather than emailing loose notes around.

MVP architecture

Built for secure HTML reports.

The report can still be a beautiful HTML dashboard, but it should be served through controlled access rather than attached as a random public file.

PartRole
dbxone.co.ukMain marketing website and upload route.
reports.dbxone.co.ukSecure report viewer and passcode flow.
Cloudflare PagesHosts the report front-end and static pages.
Cloudflare Workers / Pages FunctionsHandles passcode checks, secure downloads, report sessions and request-change forms.
Cloudflare R2Private file storage for source invoices, generated reports, Excel files and PDF summaries.
DatabaseStores report ID, hashed token, client email, expiry date, access log and deletion date.

Retention

Reports should not stay open forever.

Retention periods should be agreed and documented. The exact period may depend on the practice’s instructions and whether it continues with monthly reporting.

Free first report

Suggested starting point: delete raw invoices after 30 days unless the practice asks otherwise or continues to a paid plan.

Monthly plans

Keep structured report data while subscribed, so month-to-month comparison and recurring issue tracking can work.

Cancelled client

Export or delete report data within the agreed period after cancellation, subject to any legal or dispute-related retention need.

Important

Security needs the backend configured.

This page describes the DBX ONE secure report delivery direction. For each live report, DBX ONE confirms the delivery method before processing. Secure report links require configured storage, database, email-code and access-control settings; reports are accessed through the hosted private report flow.

Read terms