Your documents are some of the most sensitive data you handle. We treat them that way — with encrypted storage, audited controls, no AI training on your content, and a public disclosure program.
Every document, signature, embedding, and audit log is encrypted at rest with AES-256. Encryption keys are rotated regularly and stored in HSM-backed key management (Google Cloud KMS).
All traffic enforces TLS 1.3 with HSTS preload and strict certificate pinning on mobile. No fallback to weaker protocols.
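Two pieces of the transport claim above can be checked from the outside: whether the Strict-Transport-Security header a host sends actually meets the preload-list requirements (RFC 6797 syntax, a max-age of at least one year, includeSubDomains and preload), and whether a client that refuses to negotiate below TLS 1.3 can still connect. The following is an added example written for this page, not DocFila's own code; the header values are constructed samples, and the preload threshold is the one currently published by hstspreload.org, which should be re-checked against that site before relying on it.

```python
import re
import ssl
from dataclasses import dataclass
from typing import List

# hstspreload.org currently requires a max-age of at least one year
# (assumption: verify against the live submission form before relying on it).
PRELOAD_MIN_MAX_AGE = 31_536_000
MIN_TLS = ssl.TLSVersion.TLSv1_3


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value per RFC 6797.

    Directive names are case-insensitive, max-age is mandatory, and a
    directive that appears twice makes the whole header invalid, so the
    policy must be ignored rather than partly applied.
    """
    seen = {}
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue  # empty directive slots are permitted by the grammar
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be a quoted-string
        if name in seen:
            raise ValueError(f"duplicate directive '{name}'")
        seen[name] = value
    if "max-age" not in seen:
        raise ValueError("max-age directive is required")
    if not re.fullmatch(r"[0-9]+", seen["max-age"]):
        raise ValueError("max-age must be a non-negative integer")
    return HstsPolicy(
        max_age=int(seen["max-age"]),
        include_subdomains="includesubdomains" in seen,
        preload="preload" in seen,
    )


def preload_problems(header: str) -> List[str]:
    """Return the reasons a header would be rejected by the preload list.

    An empty list means the header itself meets the requirements. HTTPS-only
    serving and the HTTP-to-HTTPS redirect are not visible in the header and
    must be checked separately.
    """
    try:
        policy = parse_hsts(header)
    except ValueError as exc:
        return [f"invalid header: {exc}"]
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(
            f"max-age {policy.max_age} is below the preload minimum of {PRELOAD_MIN_MAX_AGE}"
        )
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive is missing")
    if not policy.preload:
        problems.append("preload directive is missing")
    return problems


def strict_tls_context() -> ssl.SSLContext:
    """Client context that refuses anything older than TLS 1.3.

    This is the client-side counterpart of "no fallback to weaker protocols":
    a handshake against a server that only offers TLS 1.2 fails outright.
    Certificate verification and hostname checking stay on (the defaults).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    return ctx


if __name__ == "__main__":
    # Constructed sample header values, not captured from any live host.
    for sample in ("max-age=63072000; includeSubDomains; preload",
                   "max-age=300",
                   "max-age=300; max-age=300"):
        print(f"{sample!r}: {preload_problems(sample) or 'preload-ready'}")
    print("minimum TLS version:", strict_tls_context().minimum_version.name)
```

To exercise the second half against a real endpoint, pass `strict_tls_context()` to `ssl.SSLContext.wrap_socket` (or `http.client.HTTPSConnection(..., context=ctx)`); a server that cannot do TLS 1.3 fails the handshake instead of silently downgrading. Note that a preload-eligible header and a TLS-1.3-only client together still say nothing about mobile certificate pinning, which can only be verified in the app itself.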
Enterprise customers can bring their own keys (BYOK) via Google Cloud KMS or AWS KMS. We hold ciphertext only.
Vault content is encrypted client-side before upload. Even DocFila employees with full database access cannot read it.
Active SOC 2 Type II audit with a Big Four firm. The latest attestation report is available to Business and Enterprise customers under NDA.
A standard DPA is included for all customers. EU data residency (Frankfurt and Belgium) is available on Business and Enterprise plans. EU representative appointed under GDPR Art. 27.
Available on request for Business; included for Enterprise. Protected health information (PHI) workloads run on isolated infrastructure with full access logging.
ISO 27001 certification path scoped for the next 12 months. Controls already mapped to ISO 27001 Annex A.
We never train AI models on your documents. Period. AI features run inference-only over your data, in transient compute, with no logging of content.
Enterprise customers can run AI in single-tenant inference environments with no shared model context across customers.
DocFila employees do not read your documents to improve products. Automated quality monitoring uses metadata only.
No model providers, infrastructure, or sub-processors are located in jurisdictions with mandatory data-access laws (PRC, Russia, Iran, North Korea).
Independent penetration testing by leading security firms. Summary reports are shared with Enterprise customers under NDA.
24/7 SIEM monitoring, anomaly detection, automated credential rotation, mandatory MFA for all employees, and hardware security keys for production access.
Multi-region encrypted backups. RPO under 5 minutes and RTO under 1 hour for production data. Quarterly DR exercises.
Production access requires SSO + hardware key + just-in-time approval. All access logged immutably.
Found a security issue? We want to know. Email security@docfila.com with details. PGP key and full policy at /.well-known/security.txt. We aim to respond within 24 hours and patch critical issues within 7 days.
We run a private bug bounty program with rewards from $50 to $5,000 depending on severity. Email security@docfila.com to apply.
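A disclosure page that points at /.well-known/security.txt is only useful if that file is well-formed under RFC 9116: Contact must be a URI (a bare e-mail address is not valid, it needs the mailto: scheme), Expires is mandatory and must be in the future, Preferred-Languages may appear only once, and web URIs in fields such as Encryption, Policy and Canonical must use https. Below is an added example of such a checker, written for this page and not DocFila's own code. The sample file is constructed around the contact address the page gives; the key, policy and canonical URLs in it are hypothetical placeholders, and the reference date is fixed so the example runs the same offline.

```python
"""Sanity checks for an RFC 9116 security.txt (added example, not DocFila's code)."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

FIELD_RE = re.compile(r"^([A-Za-z0-9-]+):[ \t]*(.*)$")
# Fields whose value is a URI; when that URI is web-based it must be https.
WEB_FIELDS = {"encryption", "canonical", "policy", "acknowledgments", "hiring", "csaf"}


def parse_fields(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (fields, problems). Names are lower-cased; comments and blanks dropped."""
    fields, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r")
        if not line.strip() or line.startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: not a 'Name: value' field")
            continue
        fields.append((m.group(1).lower(), m.group(2).strip()))
    return fields, problems


def parse_expires(value: str) -> datetime:
    """Parse an RFC 3339 timestamp; a trailing Z is normalised for older Pythons."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("missing timezone offset")
    return dt


def validate_security_txt(text: str, now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems; an empty list means the file passes these checks.

    `now` must be timezone-aware; it defaults to the current UTC time.
    """
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_fields(text)
    by_name: Dict[str, List[str]] = {}
    for name, value in fields:
        by_name.setdefault(name, []).append(value)

    contacts = by_name.get("contact", [])
    if not contacts:
        problems.append("Contact: required field is missing")
    for c in contacts:
        if not re.match(r"^(mailto:|tel:|https://)", c, re.I):
            problems.append(f"Contact: '{c}' must be a URI (mailto:, tel: or https://)")

    expires = by_name.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires: must appear exactly once")
    else:
        try:
            when = parse_expires(expires[0])
            if when <= now:
                problems.append(f"Expires: {expires[0]} is in the past; the file is stale")
            elif when - now > timedelta(days=365):
                problems.append("Expires: more than a year out; RFC 9116 recommends less")
        except ValueError as exc:
            problems.append(f"Expires: unparsable value ({exc})")

    if len(by_name.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages: must not appear more than once")

    for name in sorted(WEB_FIELDS & set(by_name)):
        for value in by_name[name]:
            if value.lower().startswith("http://"):
                problems.append(f"{name}: web URIs must use https ({value})")
    return problems


# Fixed reference date so the checks are reproducible (constructed, not real time).
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)

# Constructed sample built around the contact address the page states; the
# Encryption, Policy and Canonical URLs are hypothetical placeholders.
SAMPLE_GOOD = """\
# DocFila vulnerability disclosure contact (constructed sample)
Contact: mailto:security@docfila.com
Expires: 2026-12-31T23:59:00Z
Encryption: https://docfila.com/.well-known/pgp-key.txt
Policy: https://docfila.com/security
Canonical: https://docfila.com/.well-known/security.txt
Preferred-Languages: en
"""

# Constructed sample with three common mistakes: bare e-mail, stale Expires, http.
SAMPLE_BAD = """\
Contact: security@docfila.com
Expires: 2024-01-01T00:00:00Z
Policy: http://docfila.com/security
"""

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, validate_security_txt(sample, NOW) or "ok")
```

RFC 9116 also recommends that the file carry an OpenPGP cleartext signature; this checker does not strip the armour, so run it on the unsigned body (or on the file before signing). The checks here are the ones a researcher's tooling will trip over first; they do not replace confirming that the file is actually served at /.well-known/security.txt over HTTPS.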