
Vendor security questionnaire

The most-asked CAIQ Lite and SIG Lite questions in one place so a procurement review can clear Docusift without scheduling a call. Last reviewed: June 10, 2026. For anything you need that is not here, email hello@docusift.co.

Company & legal

  • Legal entity: Ekarche Private Limited, Mathura, Uttar Pradesh 281502, India (CIN U58200UW2026PTC253262, GSTIN 09AAJCE7033P1Z1).
  • Merchant of Record for subscription billing: Dodo Payments. Dodo is the seller of record on customer invoices and collects and remits applicable taxes in your jurisdiction. Your accounts-payable entity for subscription invoices should be Dodo Payments, not Ekarche Private Limited.
  • Product name: Docusift.
  • DPA, sub-processor list, SCCs: available at /dpa and /subprocessors.

Hosting & residency

  • Primary region: AWS us-east-1.
  • EU and India region available for Enterprise — see /data-residency.
  • Backups stay in-region; no cross-region replication.

Encryption

  • At rest: AWS-managed AES-256 on every bucket and database volume.
  • In transit: TLS 1.2/1.3 with HSTS preload. Strict ciphers; no SSLv3, no TLS 1.0, no TLS 1.1.
  • Application-layer envelope encryption for sensitive tenant-managed secrets (SSO client_secret, integration credentials).

Authentication

  • Passwords hashed with argon2id; legacy scrypt hashes are transparently upgraded on next login.
  • TOTP MFA available on every account. Recovery codes generated at enrollment.
  • SAML / OIDC SSO for Enterprise.
  • Bearer JWT for API access; sessions are revocable; refresh tokens rotate.

Authorisation & tenant isolation

  • Every entity carries a tenant_id.
  • Every API route runs a tenant-scoped query; cross-tenant access returns 404, never 403.
  • Test suite includes a wrong-tenant assertion sweep across every entity CRUD route family.
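As an added illustration (not Docusift's code), a minimal tenant-scoped data layer over an in-memory SQLite database together with the wrong-tenant assertion sweep the bullets describe; the table names, tenant ids and the NotFound-to-404 mapping are constructed for the example.

```python
import sqlite3
# Constructed stand-ins for the entity route families under test. Table names are
# trusted constants (never request input); every value is a bound parameter.
ENTITY_TABLES = ("documents", "integrations", "api_keys")

class NotFound(Exception):
    """HTTP 404 for a missing row and for another tenant's row alike: no existence oracle."""

def open_db():
    db = sqlite3.connect(":memory:")
    for t in ENTITY_TABLES:
        db.execute(f"CREATE TABLE {t} (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, name TEXT)")
    return db

def create(db, table, tenant_id, name):
    return db.execute(f"INSERT INTO {table} (tenant_id, name) VALUES (?, ?)", (tenant_id, name)).lastrowid

def get(db, table, tenant_id, row_id):
    # tenant_id sits in the predicate, not in a post-fetch check, so the query can never return a foreign row.
    row = db.execute(f"SELECT id, name FROM {table} WHERE tenant_id = ? AND id = ?", (tenant_id, row_id)).fetchone()
    if row is None:
        raise NotFound()
    return {"id": row[0], "name": row[1]}

def update(db, table, tenant_id, row_id, name):
    if db.execute(f"UPDATE {table} SET name = ? WHERE tenant_id = ? AND id = ?", (name, tenant_id, row_id)).rowcount == 0:
        raise NotFound()

def delete(db, table, tenant_id, row_id):
    if db.execute(f"DELETE FROM {table} WHERE tenant_id = ? AND id = ?", (tenant_id, row_id)).rowcount == 0:
        raise NotFound()

def wrong_tenant_sweep(db):
    """Seed one row per entity as tenant-a, then read, update and delete it as tenant-b.
    Returns (table, operation) pairs that leaked or tampered; empty means isolation holds."""
    failures = []
    for t in ENTITY_TABLES:
        rid = create(db, t, "tenant-a", "owned by a")
        attempts = (("get", lambda: get(db, t, "tenant-b", rid)),
                    ("update", lambda: update(db, t, "tenant-b", rid, "hijacked")),
                    ("delete", lambda: delete(db, t, "tenant-b", rid)))
        for op, call in attempts:
            try:
                call()
                failures.append((t, op))  # tenant-b got a success: isolation broken
            except NotFound:
                pass
        if get(db, t, "tenant-a", rid)["name"] != "owned by a":
            failures.append((t, "tampered"))
    return failures
```

Dropping `tenant_id` from any one WHERE clause makes the sweep report that table and operation, which is the regression the test family exists to catch.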

Audit log

  • Every CREATE / UPDATE / DELETE on every entity writes an audit row with actor, before/after values, and timestamp.
  • Audit log is queryable from the in-app Settings > Audit tab.
  • Retention: lifetime of the tenant, purged on tenant deletion.

Incident response

  • Workspace admin notified by email within 72 hours of a confirmed personal data breach affecting their data.
  • Regulators notified where required (Data Protection Board of India, EU/UK supervisory authority).
  • Incident commander on rotation; post-incident review published to the workspace admin within 30 days.

Resilience

  • RPO 5 minutes (database PITR).
  • RTO 4 hours documented in the runbook; quarterly tabletop.
  • S3 eleven-nines durability; versioning on.

Retention

  • Per-data-category schedule published in the privacy policy.
  • Document retention is tenant-configurable; default 365 days.
  • Audit logs: lifetime of the tenant.

Compliance posture

  • DPDP-2023 disclosure: /dpdp.
  • GDPR Art 12-22 honoured for EU/UK data subjects.
  • CCPA / CPRA: applicable rights honoured.
  • SOC 2 Type II / ISO 27001 attestations are in scope for 2027; current controls mapped to the SOC 2 trust criteria are documented internally and shareable under NDA.
© 2026 Docusift. All rights reserved. · An Ekarche product. Operated by Ekarche Private Limited (CIN U58200UW2026PTC253262, GSTIN 09AAJCE7033P1Z1, Uttar Pradesh). Subscriptions are sold through Dodo Payments as Merchant of Record, which collects and remits applicable taxes (US sales tax, EU/UK VAT, India GST, and others) in your jurisdiction and issues the tax-compliant invoice. List prices are exclusive of those taxes unless stated otherwise.