Trust

Security at DocVault

Last updated: June 23, 2026

DocVault collects sensitive Know-Your-Business documents on behalf of compliance and sales teams. Security is the product, not a feature bolted on. This page describes the controls that are live in production today. We are happy to share our detailed security documentation under NDA — contact security@getdocvault.com.

Encryption

Every uploaded document is protected with per-tenant envelope encryption. Each workspace has its own AWS KMS customer master key. Each document is encrypted with a unique AES-256-GCM data key, which is then wrapped by that workspace's master key and bound to the tenant via a KMS encryption context — so one customer's key can never decrypt another customer's files.

  • Documents encrypted at rest with AES-256-GCM (authenticated encryption).
  • Per-workspace KMS master keys with automatic key rotation enabled.
  • Fail-closed: in production, a failed key operation aborts the write. We never store plaintext on a key error.
  • All data in transit is encrypted over TLS 1.2+.
  • Files live in private object storage with no public URLs; access is served through short-lived, authenticated reads.

Authentication & access control

  • Passwords are hashed with bcrypt. We never store or log plaintext credentials.
  • Optional multi-factor authentication (TOTP) with encrypted seeds and single-use, hashed recovery codes.
  • Role-based access control scoped to a workspace; document access follows least privilege.
  • Per-account and per-email rate limiting on login and sensitive actions to blunt credential-stuffing and password-spray attacks.
  • Clients access only their own room through scoped invite links, never the dashboard.

Audit logging

DocVault keeps an append-only audit trailof security-relevant events — sign-ins, MFA changes, and account- and workspace-level administrative actions — separate from in-room product activity. Document access and review actions are recorded so a compliance team can reconstruct who did what, and when.

Infrastructure & data location

  • Hosted on Vercel (United States); compute runs in stateless serverless functions.
  • Document metadata stored in a managed PostgreSQL database (Neon, United States).
  • Document files stored in Vercel Blob private storage (primary); mirrored to Amazon S3 on each upload for disaster-recovery.
  • Encryption keys managed in AWS KMS.
  • A full list of sub-processors is published and kept current.

See our sub-processor list for every third party that may process data on our behalf.

Monitoring, availability & backups

  • Application errors and performance traces captured in Sentry.
  • External uptime monitoring (Better Stack) against a dedicated health endpoint, with alerting to on-call.
  • Managed database backups with point-in-time recovery (Neon PITR); encrypted document blobs mirrored to Amazon S3 on every upload.
  • Disaster-recovery procedures tested periodically; target RPO 1 hour, RTO 8 hours.
  • Incident response procedures with customer notification within 72 hours of a confirmed breach.

Application security

  • Outbound webhooks are signed with HMAC and protected against SSRF (internal/private addresses are blocked).
  • Static analysis (SAST) and dependency review as part of our development workflow.
  • Regular internal security reviews and a maintained vulnerability log with tracked remediation.

Compliance status

Our controls are built to SOC 2 Type II criteria, and we are actively working toward certification. We are not yet SOC 2 certified and do not claim to be; in the meantime we are glad to share our security documentation and complete security questionnaires directly. For GDPR and UK GDPR, GetDocVault, Inc. acts as a data processor for the documents customers collect in compliance rooms; international transfers rely on Standard Contractual Clauses where required. Our Privacy Policy describes how we handle personal data, retention, and your rights.

Reporting a vulnerability

If you believe you have found a security issue, please email security@getdocvault.com. We investigate every report and will work with you on coordinated disclosure. Please do not publicly disclose an issue before we have had a chance to remediate it.