Trust

Security at DocuSift

How we handle the documents you trust us with: encryption, isolation, privacy, and how to report a vulnerability.

Responsible disclosure

If you believe you’ve found a security vulnerability in DocuSift, please report it to security@docusift.co. We acknowledge reports within 2 business days and provide a substantive response within 7 business days.

Please don’t exploit the vulnerability beyond what’s necessary to demonstrate the issue, don’t access customer data that isn’t yours, and give us a reasonable window to remediate before public disclosure. We do not currently run a paid bug-bounty program, but we are happy to credit researchers publicly with their permission.

How we protect customer data

Encryption

  • In transit: all traffic is encrypted with modern TLS. HSTS is enforced in production.
  • At rest: customer documents and extracted data are encrypted at rest. Sensitive secrets and credentials get an additional application-layer encryption key.
  • Webhooks: outbound webhooks are signed so your endpoint can verify they came from us and weren’t altered in flight.

Tenant isolation

  • Every request is scoped to the calling tenant. Cross-tenant access is prevented at the data layer.
  • API keys are tenant-scoped — a key from one tenant cannot read another tenant’s data.
  • Dedicated infrastructure and bring-your-own storage are available on Enterprise.

Authentication

  • Multi-factor authentication is available on every account and can be required for sensitive actions.
  • Single sign-on is available for Enterprise customers, with per-tenant identity-provider configuration.
  • Sessions are revocable; users can review and revoke active sessions from their profile.

Privacy

  • We do not train AI models on your documents. Inference runs against approved providers under contractual zero-retention terms.
  • Data export and account deletion are self-service. See our privacy policy for details.

Subprocessors

DocuSift uses subprocessors in the categories below. Customers are notified at least 30 days in advance of any new subprocessor that processes their documents or extracted data.

| Category | Purpose |
| --- | --- |
| Cloud infrastructure | Compute, managed database, and object storage that power the service. |
| AI inference | Document understanding and structured-data extraction. Enterprise tenants can route inference to dedicated or self-hosted environments. |
| Email delivery | Transactional emails — sign-in, alerts, billing receipts. |
| Payment processing | Billing data only. Payment processors never receive customer documents or extracted content. |

The current named subprocessor register is available under DPA — email security@docusift.co to request it. Customer-initiated integrations (e.g. QuickBooks, Xero) are not subprocessors of DocuSift in the GDPR sense — the customer is the data exporter; we are the data sender on the customer’s behalf.

Security & compliance posture

We design and operate against widely accepted security frameworks and care deeply about getting this right. We are not yet third-party audited; formal attestation is on our roadmap. In the meantime, we’re happy to walk customers through our controls and complete security questionnaires under NDA.

  • GDPR: data export and deletion are self-service. EU data residency is available on Enterprise plans.
  • HIPAA: not currently in scope. Reach out if your use case requires a BAA — we evaluate case by case.