Trust
Security at DocVault
Last updated: June 23, 2026
DocVault collects sensitive Know-Your-Business documents on behalf of compliance and sales teams. Security is the product, not a feature bolted on. This page describes the controls that are live in production today. We are happy to share our detailed security documentation under NDA — contact security@getdocvault.com.
Encryption
Every uploaded document is protected with per-tenant envelope encryption. Each workspace has its own AWS KMS customer master key. Each document is encrypted with a unique AES-256-GCM data key, which is then wrapped by that workspace's master key and bound to the tenant via a KMS encryption context — so one customer's key can never decrypt another customer's files.
- Documents encrypted at rest with AES-256-GCM (authenticated encryption).
- Per-workspace KMS master keys with automatic key rotation enabled.
- Fail-closed: in production, a failed key operation aborts the write. We never store plaintext on a key error.
- All data in transit is encrypted over TLS 1.2+.
- Files live in private object storage with no public URLs; access is served through short-lived, authenticated reads.
Authentication & access control
- Passwords are hashed with bcrypt. We never store or log plaintext credentials.
- Optional multi-factor authentication (TOTP) with encrypted seeds and single-use, hashed recovery codes.
- Role-based access control scoped to a workspace; document access follows least privilege.
- Per-account and per-email rate limiting on login and sensitive actions to blunt credential-stuffing and password-spray attacks.
- Clients access only their own room through scoped invite links, never the dashboard.
Audit logging
DocVault keeps an append-only audit trailof security-relevant events — sign-ins, MFA changes, and account- and workspace-level administrative actions — separate from in-room product activity. Document access and review actions are recorded so a compliance team can reconstruct who did what, and when.
Infrastructure & data location
- Hosted on Vercel (United States); compute runs in stateless serverless functions.
- Document metadata stored in a managed PostgreSQL database (Neon, United States).
- Document files stored in Vercel Blob private storage (primary); mirrored to Amazon S3 on each upload for disaster-recovery.
- Encryption keys managed in AWS KMS.
- A full list of sub-processors is published and kept current.
See our sub-processor list for every third party that may process data on our behalf.
Monitoring, availability & backups
- Application errors and performance traces captured in Sentry.
- External uptime monitoring (Better Stack) against a dedicated health endpoint, with alerting to on-call.
- Managed database backups with point-in-time recovery (Neon PITR); encrypted document blobs mirrored to Amazon S3 on every upload.
- Disaster-recovery procedures tested periodically; target RPO 1 hour, RTO 8 hours.
- Incident response procedures with customer notification within 72 hours of a confirmed breach.
Application security
- Outbound webhooks are signed with HMAC and protected against SSRF (internal/private addresses are blocked).
- Static analysis (SAST) and dependency review as part of our development workflow.
- Regular internal security reviews and a maintained vulnerability log with tracked remediation.
Compliance status
Our controls are built to SOC 2 Type II criteria, and we are actively working toward certification. We are not yet SOC 2 certified and do not claim to be; in the meantime we are glad to share our security documentation and complete security questionnaires directly. For GDPR and UK GDPR, GetDocVault, Inc. acts as a data processor for the documents customers collect in compliance rooms; international transfers rely on Standard Contractual Clauses where required. Our Privacy Policy describes how we handle personal data, retention, and your rights.
Reporting a vulnerability
If you believe you have found a security issue, please email security@getdocvault.com. We investigate every report and will work with you on coordinated disclosure. Please do not publicly disclose an issue before we have had a chance to remediate it.