Security Policy

Last updated: January 2026

1. Data Encryption

All data transmitted to and from DocFlow is encrypted in transit using Transport Layer Security (TLS 1.3/HTTPS). Data at rest, including database backups and media storage, is encrypted using Advanced Encryption Standard (AES-256).

2. Infrastructure Security

Our services are hosted on enterprise-grade cloud providers (Supabase, Vercel, and Clerk) with physical access controls, firewalls, and continuous network monitoring. Database connections utilize secure connection pooling and isolated VPC configurations.

3. Authentication & Access Control

User authentication is securely managed via Clerk, supporting multi-factor authentication (MFA) and single-sign-on (SSO). We enforce role-based access control (RBAC) to ensure that users only access documents scoped to their authorized organization.

4. QR Code & Cryptographic Verification

Every generated document contains a unique cryptographic ID embedded in a QR code. Verification logs trace verification attempts, enabling absolute authenticity checks while keeping recipient personal data protected.

5. Incident Response

We maintain active security logging and automated error alert thresholds. In the event of a suspected data breach, we follow a strict incident response policy to notify affected organizations and regulatory bodies within 72 hours.