Encrypted document storage for SMBs. Built from zero to $500k ARR in year one — with 99.9% uptime across the whole run.
* Client name and identifying details changed to protect confidentiality.
Small and mid-sized businesses handle sensitive documents every day — contracts, NDAs, HR files, financial records — and most store them in whatever the team is already using. Google Drive with a shared password. Dropbox Business with no audit trail. Email attachments from 2017.
Vaultbox's founder had spent 8 years in enterprise compliance and watched companies fail audits over document handling they didn't even know was a problem. The thesis: build the security posture of an enterprise document vault at a price point an SMB could actually afford, with an interface that didn't require a dedicated IT admin to operate.
They came to us with a clear product vision, a compliance requirements doc, and no engineering team. The clock was ticking — a key enterprise pilot customer had given them a 4-month window to show a production product or walk.
"We had one shot at this pilot. I needed a team that understood what 'production-ready' actually meant for a security product, not just something that looked finished."
— Founder, Vaultbox
Every document is encrypted client-side before it leaves the browser using AES-256-GCM, with per-document keys that are themselves encrypted with the user's derived key. Vaultbox's servers never see plaintext — not during upload, not during storage, not during retrieval. We used the WebCrypto API for in-browser operations and an HKDF-based key derivation scheme tied to authentication credentials. The architecture passed a third-party security audit before the pilot started.
Every document access event — view, download, share, edit, delete — is logged to an append-only audit table with user ID, timestamp, IP, and action type. The audit log is tamper-evident via hash chaining and exportable as a signed PDF for compliance reviews. SOC 2 Type I was achieved in month 7 of operations, using the audit trail as the primary evidence artifact.
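A minimal sketch of the hash chaining described above, added here as an illustration and not Vaultbox's or NextDay's code: each entry's hash covers the previous entry's hash plus the event fields the paragraph lists, so editing or dropping a row breaks verification. SHA-256, the JSON encoding, the function names and the separately stored head hash are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor used as prev_hash of the first entry

def entry_hash(prev_hash, event):
    # Canonical JSON (sorted keys, fixed separators) so an event always hashes the same way.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append_event(log, user_id, timestamp, ip, action):
    """Append one access event, linked to the hash of the previous entry."""
    event = {"user_id": user_id, "timestamp": timestamp, "ip": ip, "action": action}
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev_hash": prev_hash,
                "hash": entry_hash(prev_hash, event)})
    return log[-1]["hash"]

def verify_chain(log, expected_head=None):
    """Return the index of the first broken entry, or -1 if the chain is intact."""
    # expected_head (assumption): the newest hash, kept where the log writer
    # cannot alter it, e.g. in a signed export. Without it, someone with write
    # access could drop the tail or recompute every hash undetected.
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        recomputed = entry_hash(prev_hash, entry["event"])
        if entry["prev_hash"] != prev_hash or entry["hash"] != recomputed:
            return i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(log)
    return -1

def demo():
    # Constructed sample events; IPs come from the documentation ranges.
    log = []
    append_event(log, "u-17", "2024-03-01T09:00:00Z", "203.0.113.5", "view")
    append_event(log, "u-17", "2024-03-01T09:01:12Z", "203.0.113.5", "download")
    head = append_event(log, "u-42", "2024-03-01T09:05:40Z", "198.51.100.9", "delete")
    intact = verify_chain(log, head)
    log[1]["event"]["action"] = "view"      # in-place edit of a stored row
    edited = verify_chain(log, head)
    log[1]["event"]["action"] = "download"  # restore the original value
    del log[2]                              # drop the newest row
    truncated = verify_chain(log, head)
    return intact, edited, truncated

if __name__ == "__main__":
    print(demo())
```

The chain alone only proves internal consistency; comparing against a head hash stored outside the table is what exposes truncation or a full rewrite.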
Document permissions are modeled as capabilities rather than simple read/write flags — giving teams fine-grained control over who can view, download, re-share, or comment on each document. Time-limited share links with optional password and download restrictions were a feature that came directly from the compliance requirements doc and immediately became the most-used feature after launch.
Stripe integration for per-seat SaaS billing, including trials, plan upgrades, and usage-based overages for storage. The billing dashboard gives admins real-time visibility into storage consumption and seat usage. The self-serve upgrade path was a deliberate design choice — no sales call required to go from free trial to paid.
The pilot customer signed a contract before the 4-month window closed. By month 12, Vaultbox had 87 paying accounts, an NPS of 71, and $500k ARR. The security architecture has had zero breaches or incidents since launch — not a small thing for a product in this category.
"We passed our SOC 2 audit in month 7. The auditor said our evidence package was the cleanest they'd seen from a first-time submission. That was entirely down to the architecture NextDay built."
— Founder, Vaultbox