Security Addendum

Effective date: April 21, 2026

This Security Addendum describes the administrative, technical, and physical safeguards that DocsFlow maintains to protect Customer Content. It is part of the Terms of Service and DPA, and is designed to help customers meet their own obligations under frameworks such as the GLBA Safeguards Rule (16 C.F.R. Part 314), IRS Publication 4557, the ABA Model Rules, and GDPR Article 32.

For a plain-language overview, see the Security & Privacy page.

1. Information security program

We maintain a written information security program with designated personnel responsible for its implementation, periodic risk assessment, and continuous improvement. Our program is designed to:

  • Ensure the confidentiality, integrity, and availability of Customer Content.
  • Protect against reasonably anticipated threats and hazards.
  • Protect against unauthorized access, use, disclosure, alteration, or destruction.
  • Require service providers to maintain appropriate safeguards.

2. Administrative safeguards

  • Personnel vetting. Background checks (where legally permitted) for personnel with administrative access to production systems.
  • Confidentiality. All personnel and contractors are bound by written confidentiality obligations that survive termination.
  • Security training. Role-appropriate security and privacy training at onboarding and at least annually thereafter.
  • Access reviews. Administrative access is reviewed at least quarterly; access is revoked within one business day of role change or termination.
  • Least privilege. Production access is granted only where required for a documented business purpose.

3. Technical safeguards

  • Tenant isolation. Every workspace is isolated at the database layer using Row-Level Security, enforced on every read and write. There is no application-level admin override that can reach across workspaces.
  • Encryption in transit. All traffic uses TLS 1.2 or 1.3 with modern cipher suites. Certificate management is handled by industry providers.
  • Encryption at rest. Storage and database layers use AES-256 at rest.
  • Additional workspace-scoped encryption. AI-searchable content is protected by an additional AES-256-GCM layer using a key derived from a master key in our secrets store. The key is unique to each workspace, and tampered ciphertext is rejected automatically.
  • Authentication. Managed by a SOC 2 Type II identity provider (Clerk); sessions use short-lived, rotated tokens; MFA is supported and required for administrative accounts.
  • Key management. Master keys are held in a managed secrets store with access limited to production systems and a small number of named engineers.
  • Audit logging. Uploads, queries, membership changes, and administrative access are logged with actor, timestamp, and outcome. Logs are retained in a workspace-scoped audit table.
  • Vulnerability management. Automated dependency scanning, container image scanning where applicable, and periodic patching of managed services.
  • Change management. Changes are code-reviewed, tested, and deployed via automated pipelines with rollback capability.
  • Rate limiting and abuse detection. API and upload endpoints are rate-limited per workspace and per user.

4. Physical safeguards

  • Data center controls. Customer Content is hosted on managed cloud providers (see Sub-processors) whose data centers maintain recognized physical security certifications (ISO 27001, SOC 2, or equivalent).
  • Workstation controls. Personnel devices with production access require full-disk encryption, screen lock, managed patch levels, and strong authentication.

5. AI provider controls

  • We engage AI Providers only under API terms that contractually prohibit the use of Customer Content to train foundation or generative models.
  • We use enterprise, commercial, or equivalent API tiers with zero-retention or short, documented retention windows for abuse monitoring only.
  • Only the minimum document excerpts required to answer a query are sent to AI Providers (retrieval-augmented generation). Full documents are not uploaded to AI Providers.

6. Incident response

  • Detection. We monitor application, infrastructure, and authentication events for indicators of compromise.
  • Triage. Suspected incidents are triaged by an on-call engineer following a documented runbook.
  • Notification. We will notify affected customers of any confirmed Personal Data Breach without undue delay, and in any event within 72 hours of confirmation, via the account administrator's email. The notice will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed.
  • Post-incident review. Every material incident triggers a written post-incident review covering root cause, impact, remediation, and prevention.

7. Business continuity and backup

  • Managed database snapshots and object storage replication are maintained by our infrastructure providers.
  • Backups are encrypted using the same standards as the primary store.
  • Target recovery point objective (RPO) of 24 hours and recovery time objective (RTO) of 24 hours for core functionality, subject to upstream provider availability.

8. Customer responsibilities

A shared-responsibility model applies. Customers are responsible for:

  • Provisioning and deprovisioning their users and assigning roles.
  • Enforcing MFA where their plan supports it.
  • Keeping their login credentials secure and rotating them after suspected compromise.
  • Ensuring Customer Content complies with the AUP and applicable law.
  • Configuring integrations, API keys, and export destinations securely.

9. Alignment with recognized frameworks

This program is designed to align with the principles of the following frameworks, even where we are not independently certified:

  • GLBA Safeguards Rule (16 C.F.R. Part 314).
  • IRS Publication 4557 (Safeguarding Taxpayer Data).
  • NIST Cybersecurity Framework (CSF) functions: Identify, Protect, Detect, Respond, Recover.
  • GDPR Article 32 and UK GDPR.
  • CCPA / CPRA reasonable security requirements.
  • ABA Model Rule 1.6(c) duty to make reasonable efforts to prevent unauthorized disclosure.

SOC 2 Type II, ISO 27001, HIPAA, and FedRAMP-scoped engagements are available on the Custom tier.

10. Responsible disclosure

Security researchers can report vulnerabilities to security@docsflow.app. We commit to acknowledgement within 2 business days, first-pass severity assessment within 5 business days, and a fix timeline or justified decision within 10 business days.