Signed URLs and secure storage
How Forest stores your contract documents and controls access to them through short-lived signed URLs.
Last updated June 1, 2026
Contracts contain sensitive commercial terms, so Forest treats the documents themselves with the same care as the rest of your data. This page explains where uploaded files live and how access to them is controlled.
Where documents are stored
When you upload a contract, the file is stored in secure object storage rather than embedded in the record you see on screen. The record holds the metadata, such as vendor, term, and value, while the document sits behind access controls. This separation means everyday work with contract data does not expose the underlying file.
How signed URLs work
Access to a stored document happens through a signed URL. A signed URL is a temporary, single-purpose link that grants access to one file for a short window, then expires. Instead of a permanent public address that anyone could reuse, each request generates a fresh link scoped to the person asking and the moment they ask.
The practical effect:
Links are short-lived, so a URL copied from a browser or email cannot be replayed later.
Access is tied to your session, not to the file having an open address.
Documents are never exposed through a guessable or permanent path.
If you share a contract link with a colleague, it will stop working once it expires. Have them open the document from within Forest so a new signed URL is issued for their session.
This model keeps contract files private while still letting authorized people retrieve them when they need to. Once your documents are stored, the next step is connecting them to the rest of your environment. See Linking contracts to vendors and tools.