Hi team,

I noticed that when we download a client report for agenesis or our sub accounts, the link looks like this:

The problem is that this link has no login or expiry on it. Anyone who has the link or who figures out the pattern can download the file with no authentication.

⚠️A basic script could cycle through thousands of link variations and pull other agencies' client lists. 😱 This is a real risk. These files contain our clients' personal data, and if someone gets hold of them it could be a serious privacy breach for every agency on the platform.

Please look into adding proper access control to these download links — whether that's making them expire, requiring a login, or both.

Thanks for taking this seriously.