Security Policy

Last updated: February 16, 2026

Security is a core priority at Doc Custodian. This policy outlines the technical and organizational measures we implement to protect your data and maintain the integrity of our Service.

1. Infrastructure Security

1.1 Cloud Platform

Our Service is hosted on Microsoft Azure, which provides enterprise-grade physical security, network security, and compliance certifications. Azure data centers feature:

  • 24/7 physical security with biometric access controls
  • Redundant power, cooling, and networking systems
  • SOC 1, SOC 2, ISO 27001, ISO 27018, and other compliance certifications
  • Geographic redundancy for disaster recovery

1.2 Network Security

  • All external traffic is encrypted with TLS 1.2+
  • Web Application Firewall (WAF) protection against common attack vectors
  • DDoS protection at the infrastructure level
  • Network segmentation between services

2. Application Security

2.1 Authentication

  • OAuth 2.0 and OpenID Connect via established identity providers (Google, Microsoft, Auth0)
  • No passwords stored — all authentication delegated to trusted identity providers
  • Signed JWT session tokens with secure, HTTP-only cookie storage
  • Automatic session expiration and renewal

2.2 Authorization

  • Workspace-based multi-tenant isolation with row-level security
  • Role-based access control (admin and member roles)
  • Server-side authorization checks on every API request
  • Workspace membership verification before granting access to any resource

2.3 Input Validation

  • All user inputs are validated and sanitized server-side before processing
  • Centralized input validation framework with defined limits for all fields
  • Protection against SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities
  • File type and size validation on all uploads

2.4 API Security

  • All API endpoints require authentication
  • Rate limiting and request throttling
  • Request size limits to prevent abuse
  • Comprehensive server-side error logging (errors are never exposed to clients)

3. Data Encryption

  • At Rest: AES-256 encryption for all stored data including documents, database records, and backups
  • In Transit: TLS 1.2+ for all data transmission between clients, servers, and third-party services
  • Key Management: Encryption keys are managed through Azure Key Vault with regular rotation policies

4. Document Security

  • Storage Isolation: Documents are stored in workspace-specific containers with access controls
  • Version Control: Document versioning with complete audit trail of changes (Team and Enterprise plans)
  • Secure URLs: Document access URLs are time-limited and scoped to authenticated users
  • Extraction Security: Documents sent for AI extraction are processed in isolated sessions and not retained by processing services

5. Monitoring and Logging

  • Comprehensive logging of all API requests and administrative actions
  • Activity audit trails for document operations within workspaces
  • Automated alerting for suspicious activity patterns
  • Log retention for security analysis and incident investigation

6. Incident Response

Our incident response process includes:

  1. Detection: Automated monitoring and alerting systems identify potential security incidents.
  2. Containment: Immediate steps to isolate and contain the incident to prevent further impact.
  3. Investigation: Thorough analysis to determine the scope, cause, and impact of the incident.
  4. Notification: Affected users are notified within 72 hours of confirming a data breach, in accordance with applicable laws.
  5. Remediation: Implementation of fixes and improvements to prevent recurrence.
  6. Post-Incident Review: Documentation and review to strengthen our security posture.

7. Vulnerability Management

  • Regular dependency updates and security patching
  • Automated vulnerability scanning of application dependencies
  • Secure development practices with code review requirements
  • Third-party security assessments as appropriate

8. Business Continuity

  • Backups: Automated daily backups with geographic redundancy
  • Recovery: Defined recovery time and recovery point objectives
  • Redundancy: Multi-region deployment capability for high availability
  • Testing: Regular testing of backup and recovery procedures

9. Responsible Disclosure

We welcome responsible security research. If you discover a security vulnerability in our Service, please report it to us privately:

Please provide sufficient detail for us to reproduce and address the issue. We commit to acknowledging receipt within 48 hours and providing a timeline for resolution. We will not pursue legal action against researchers who report vulnerabilities in good faith and do not access or modify other users' data.

10. Employee Security

  • All team members with system access undergo security awareness training
  • Production access requires multi-factor authentication and follows least-privilege principles
  • Access is reviewed regularly and revoked promptly upon role changes or departure

11. Contact Us

For security questions, concerns, or to report a vulnerability: