Compliance
SEC 17a-4
Immutable storage meets SEC requirements for electronic records
SOX Compliance
Audit trails and access controls for financial data
Data Security
Encryption
| State | Method |
|---|---|
| In Transit | TLS 1.3 (HTTPS only) |
| At Rest | AES-256 (GCS default) |
Immutable Storage
Documents are stored with Object Retention Lock (WORM mode):
- Cannot be deleted during retention period
- Cannot be modified after upload
- Automatic deletion after retention expires
- Full audit trail of all access
Tenant Isolation
Row-Level Security (RLS)
All data is isolated at the database level using PostgreSQL RLS.
API Key Scoping
Each API key is tied to a specific tenant:
- Keys can only access their tenant's data
- Cross-tenant requests return 404 Not Found (not 403 Forbidden)
- This prevents information leakage: a 404 does not confirm whether the requested resource exists in another tenant
Authentication
API Key Security
| Feature | Implementation |
|---|---|
| Format | dk_live_ or dk_test_ prefix + 43-char token |
| Storage | Bcrypt hashed (never stored in plaintext) |
| Shown | Only once at creation |
| Validation | Constant-time comparison |
Best Practices
- Store keys in environment variables or secret managers
- Use separate keys per environment
- Rotate keys regularly
- Never commit keys to version control
Webhook Security
HMAC Signatures
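Receiver-side verification of the HMAC-SHA256 signature that, as this section states, accompanies every webhook. This is an added example, not DocIntell's own code; it assumes a hypothetical header named X-DocIntell-Signature carrying the hex-encoded HMAC-SHA256 of the raw request body under a shared webhook secret, since the page does not give the actual header name or encoding.

```python
import hashlib
import hmac

# Assumed (hypothetical) header name and encoding: hex HMAC-SHA256 of the raw body.
# DocIntell's real header name and signature format are not given on this page.
SIGNATURE_HEADER = "X-DocIntell-Signature"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Compute the hex HMAC-SHA256 tag a sender would attach to a webhook body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """Return True only if the signature header matches the HMAC of the raw body.

    Sign the exact bytes received, never a re-serialised JSON object:
    re-serialisation can reorder keys or change whitespace and break the tag.
    """
    provided = headers.get(SIGNATURE_HEADER)
    if not isinstance(provided, str) or not provided:
        return False  # missing header: reject rather than fall back to an unsigned path
    expected = sign_payload(secret, body)
    # Constant-time comparison on bytes, so response timing does not reveal how
    # many leading characters of a supplied signature were correct.
    return hmac.compare_digest(expected.encode("ascii"), provided.encode("utf-8"))


# Constructed sample values for a local run; not real DocIntell data.
SECRET = b"whsec_constructed_example_secret"
BODY = b'{"event":"document.processed","document_id":"doc_123"}'


def demo() -> dict:
    """Exercise the genuine, tampered-body and missing-header cases."""
    headers = {SIGNATURE_HEADER: sign_payload(SECRET, BODY)}
    tampered = BODY.replace(b"doc_123", b"doc_999")
    return {
        "genuine": verify_webhook(SECRET, headers, BODY),
        "tampered_body": verify_webhook(SECRET, headers, tampered),
        "missing_header": verify_webhook(SECRET, {}, BODY),
    }


if __name__ == "__main__":
    print(demo())
```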
All webhooks include HMAC-SHA256 signatures.
Infrastructure Security
Google Cloud Platform
DocIntell runs on GCP with:
- VPC network isolation
- Cloud Armor DDoS protection
- Cloud IAM access controls
- Cloud Audit Logs
- Automatic security patching
Container Security
- Non-root container execution
- Vulnerability scanning in CI/CD
- Minimal base images
- No secrets in environment variables
Vulnerability Reporting
Found a security issue? Please report it responsibly:
- Email: security@docintell.com
- We respond within 24 hours
- We do not pursue legal action for good-faith reports
Certifications
DocIntell is pursuing SOC 2 Type II certification. Contact us for our current security documentation.