Security

Your data security is our top priority

Security Overview

At Docutee, we implement comprehensive security measures to protect your sensitive business documents and data. Our security architecture is designed with defense-in-depth principles, ensuring multiple layers of protection for your information.

Data Encryption

Encryption in Transit

  • All data transmitted between your browser and our servers uses TLS 1.3 encryption
  • API communications are secured with HTTPS protocols
  • Email connections use TLS/SSL encryption when connecting to email providers
  • Minimum 256-bit encryption for all data transfers

Encryption at Rest

  • Documents and attachments are encrypted using AES-256 encryption
  • Database encryption for all stored data
  • Encrypted backups with separate encryption keys
  • Secure key management using AWS Key Management Service (KMS)

Infrastructure Security

Cloud Infrastructure

  • Hosted on Amazon Web Services (AWS) with enterprise-grade security
  • Data centers located in the European Union for GDPR compliance
  • Redundant infrastructure with automatic failover capabilities
  • Regular security patches and updates

Network Security

  • Web Application Firewall (WAF) protection
  • DDoS protection and mitigation
  • Network isolation and segmentation
  • Regular vulnerability scanning and penetration testing
  • Intrusion detection and prevention systems

Email Security Options

Flexible Access Methods

  • Direct integration with OAuth 2.0 for Gmail and Outlook (no password storage)
  • Secure IMAP connections with encrypted credential storage
  • Email forwarding option - No credentials needed, just forward specific emails to your unique Docutee address
  • Each project gets a unique forwarding address for better organization
  • SPF, DKIM, and DMARC validation for forwarded emails

Access Control

Authentication

  • Secure password requirements (minimum 8 characters, complexity rules)
  • Password hashing using bcrypt with salt
  • JWT tokens with short expiration times
  • Secure session management
  • Account lockout after multiple failed login attempts

Authorization

  • Role-based access control (RBAC)
  • Project-level permissions and isolation
  • Team member access management
  • API key authentication for integrations
  • Audit logs for all access and modifications

Application Security

Security Practices

  • Secure software development lifecycle (SSDLC)
  • Regular code reviews and security audits
  • Dependency scanning for vulnerabilities
  • Input validation and sanitization
  • Protection against OWASP Top 10 vulnerabilities

Specific Protections

  • SQL injection prevention
  • Cross-Site Scripting (XSS) protection
  • Cross-Site Request Forgery (CSRF) tokens
  • Content Security Policy (CSP) headers
  • Rate limiting to prevent abuse

Data Privacy and Isolation

Data Isolation

  • Complete data isolation between different customers
  • Project-level data segregation
  • No shared encryption keys between accounts
  • Separate storage containers for each organization

Data Processing

  • AI processing uses ephemeral instances
  • No training on customer data
  • Temporary data is securely deleted after processing
  • Secure handling of password-protected documents

Compliance and Certifications

Regulatory Compliance

  • GDPR compliant (General Data Protection Regulation)
  • Data processing agreements available
  • Regular compliance audits
  • Privacy by design principles

Industry Standards

  • Following ISO 27001 best practices
  • OWASP security guidelines
  • Regular third-party security assessments

Operational Security

Monitoring and Logging

  • 24/7 system monitoring
  • Real-time security alerts
  • Comprehensive audit logging
  • Log retention for security analysis
  • Anomaly detection systems

Incident Response

  • Documented incident response plan
  • Security incident response team
  • Notification procedures for data breaches
  • Regular incident response drills

Business Continuity

Backup and Recovery

  • Automated daily backups
  • Geographically distributed backup storage
  • Point-in-time recovery capabilities
  • Regular backup restoration testing
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 24 hours

High Availability

  • Redundant infrastructure components
  • Load balancing across multiple servers
  • Automatic failover mechanisms
  • 99.9% uptime SLA for Business and Enterprise plans

User Security Best Practices

We recommend users follow these security best practices:

  • Use strong, unique passwords for your account
  • Enable two-factor authentication when available
  • Regularly review team member access
  • Keep your email account secure
  • Report any suspicious activity immediately
  • Log out when using shared computers
  • Keep your browser and operating system updated

Third-Party Security

Service Providers

We carefully select third-party service providers based on their security practices:

  • AWS: Enterprise-grade cloud infrastructure with industry-leading security practices
  • Stripe: PCI DSS Level 1 certified payment processing
  • OpenAI: Enterprise agreement with data processing terms

Security Updates

We continuously improve our security measures:

  • Regular security patches and updates
  • Monitoring of emerging threats
  • Security advisory notifications
  • Transparent communication about security incidents

Reporting Security Issues

We appreciate responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to:

Email: [email protected]
PGP Key: Available upon request

We will acknowledge your report within 48 hours and work with you to understand and resolve the issue promptly.

Questions?

If you have questions about our security practices, please contact us at [email protected]