Security Policy
Last updated: January 2026
1. Data Encryption
All data transmitted to and from DocFlow is encrypted in transit using Transport Layer Security (TLS 1.3/HTTPS). Data at rest, including database backups and media storage, is encrypted using Advanced Encryption Standard (AES-256).
2. Infrastructure Security
Our services are hosted on enterprise-grade cloud providers (Supabase, Vercel, and Clerk) with physical access controls, firewalls, and continuous network monitoring. Database connections utilize secure connection pooling and isolated VPC configurations.
3. Authentication & Access Control
User authentication is securely managed via Clerk, supporting multi-factor authentication (MFA) and single-sign-on (SSO). We enforce role-based access control (RBAC) to ensure that users only access documents scoped to their authorized organization.
4. QR Code & Cryptographic Verification
Every generated document contains a unique cryptographic ID embedded in a QR code. Verification logs trace verification attempts, enabling absolute authenticity checks while keeping recipient personal data protected.
5. Incident Response
We maintain active security logging and automated error alert thresholds. In the event of a suspected data breach, we follow a strict incident response policy to notify affected organizations and regulatory bodies within 72 hours.