> ## Documentation Index
> Fetch the complete documentation index at: https://docs.docintell.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> Security architecture and compliance

DocIntell is built with security and compliance as core principles.

## Compliance

<CardGroup cols={2}>
  <Card title="SEC 17a-4" icon="shield-check">
    Immutable storage meets SEC requirements for electronic records
  </Card>

  <Card title="SOX Compliance" icon="building-columns">
    Audit trails and access controls for financial data
  </Card>
</CardGroup>

## Data Security

### Encryption

| State          | Method                |
| -------------- | --------------------- |
| **In Transit** | TLS 1.3 (HTTPS only)  |
| **At Rest**    | AES-256 (GCS default) |

### Immutable Storage

Documents are stored with **Object Retention Lock** (WORM mode):

* Cannot be deleted during retention period
* Cannot be modified after upload
* Automatic deletion after retention expires
* Full audit trail of all access

## Tenant Isolation

### Row-Level Security (RLS)

All data is isolated at the database level using PostgreSQL RLS:

```sql theme={null}
-- Enforced at database level
SELECT * FROM documents
WHERE tenant_id = current_setting('app.tenant_id')
```

Even if application logic has a bug, the database prevents cross-tenant access.

### API Key Scoping

Each API key is tied to a specific tenant:

* Keys can only access their tenant's data
* Cross-tenant requests return `404 Not Found` (not `403 Forbidden`)
* This prevents information leakage about other tenants

## Authentication

### API Key Security

| Feature    | Implementation                                  |
| ---------- | ----------------------------------------------- |
| Format     | `dk_live_` or `dk_test_` prefix + 43-char token |
| Storage    | Bcrypt hashed (never stored in plaintext)       |
| Shown      | Only once at creation                           |
| Validation | Constant-time comparison                        |

### Best Practices

<Check>Store keys in environment variables or secret managers</Check>
<Check>Use separate keys per environment</Check>
<Check>Rotate keys regularly</Check>
<Check>Never commit keys to version control</Check>

## Webhook Security

### HMAC Signatures

All webhooks include HMAC-SHA256 signatures:

```http theme={null}
X-DocIntell-Signature: sha256=abc123...
```

Always verify signatures before processing:

```python theme={null}
import hmac
import hashlib

def verify_signature(payload, signature, secret):
    expected = "sha256=" + hmac.new(
        secret.encode(), payload, hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(signature, expected)
```

## Infrastructure Security

### Google Cloud Platform

DocIntell runs on GCP with:

* VPC network isolation
* Cloud Armor DDoS protection
* Cloud IAM access controls
* Cloud Audit Logs
* Automatic security patching

### Container Security

* Non-root container execution
* Vulnerability scanning in CI/CD
* Minimal base images
* No secrets in environment variables

## Vulnerability Reporting

Found a security issue? Please report it responsibly:

* Email: [security@docintell.com](mailto:security@docintell.com)
* We respond within 24 hours
* We do not pursue legal action for good-faith reports

## Certifications

<Info>
  DocIntell is pursuing SOC 2 Type II certification. Contact us for our current security documentation.
</Info>
