Security & data protection
Built to hold sensitive documents briefly, not forever
Document extraction touches your most sensitive files. The platform's answer is structural: strict tenant isolation, short configurable retention, automatic deletion with an audit trail, and credentials that cannot leak more than once.
Retention-driven deletion
Documents, extraction results, batches, and exports are stamped with an expiry from your organization's retention setting — 0, 7, 30, or 90 days. A scheduled daily job deletes expired storage objects and database rows.
Audit logs
Retention deletions and API-key lifecycle events are recorded: document.retention_deleted, extraction_result.retention_deleted, export.retention_deleted, batch.retention_deleted, api_key.created, api_key.revoked.
Tenant isolation
Every tenant table is protected by Postgres row-level security with member-read / owner-admin-write policies. Your organization's data is invisible to every other organization.
API credentials
Keys use the dk_live_ prefix, are shown exactly once, and are stored only as a SHA-256 hash plus a short display prefix. Revocation is immediate, and key management is portal-session only — never available to bearer tokens.
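The key lifecycle described above (dk_live_ prefix, plaintext shown exactly once, storage as SHA-256 hash plus display prefix, immediate revocation, api_key.created / api_key.revoked audit events) as an added illustration; this is example code, not the platform's implementation. The in-memory dict and audit list stand in for the database, and the eight-character display length is an assumption.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass

KEY_PREFIX = "dk_live_"  # prefix named on the page
DISPLAY_CHARS = 8        # assumption: random chars kept for the portal listing


@dataclass
class ApiKeyRecord:
    """What persists: a SHA-256 hex digest and a short prefix, never the key."""
    key_hash: str
    display_prefix: str
    revoked: bool = False


def hash_key(full_key: str) -> str:
    return hashlib.sha256(full_key.encode("utf-8")).hexdigest()


def create_api_key(store: dict[str, ApiKeyRecord], audit: list[tuple[str, str]]) -> str:
    """Mint a key, persist only hash + display prefix, return the plaintext once."""
    full_key = KEY_PREFIX + secrets.token_urlsafe(32)
    record = ApiKeyRecord(
        key_hash=hash_key(full_key),
        display_prefix=full_key[: len(KEY_PREFIX) + DISPLAY_CHARS],
    )
    store[record.key_hash] = record          # indexed by hash, so lookup needs no plaintext
    audit.append(("api_key.created", record.display_prefix))
    return full_key                          # the only time anyone sees it


def authenticate(store: dict[str, ApiKeyRecord], presented: str) -> ApiKeyRecord | None:
    """Resolve a bearer key to its record; unknown or revoked keys yield None."""
    if not presented.startswith(KEY_PREFIX):
        return None
    record = store.get(hash_key(presented))
    if record is None or record.revoked:
        return None
    return record


def revoke(store: dict[str, ApiKeyRecord], audit: list[tuple[str, str]], display_prefix: str) -> int:
    """Revoke keys by display prefix; the next request with that key fails."""
    count = 0
    for record in store.values():
        if record.display_prefix == display_prefix and not record.revoked:
            record.revoked = True
            audit.append(("api_key.revoked", display_prefix))
            count += 1
    return count
```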
Rate limiting
Authenticated /v1 routes use independent sliding windows per key or user: 150 write requests (POST, PUT, PATCH, DELETE) and 300 read requests (GET, HEAD) per 60 seconds, with standard Retry-After and X-RateLimit-* headers. The limiter fails open, so an outage of the rate-limiting backend can never take the API down.
Private storage
Uploaded documents and generated exports live in private storage buckets and are served through scoped, signed URLs — never public links.
Data residency
The database, authentication, and document storage (Supabase), along with asynchronous processing (Trigger.dev) and rate limiting (Upstash), run in EU regions as a deliberate GDPR/DSGVO posture, and Vercel server execution is pinned to the EU where possible. Some providers, such as payment processing, may process limited data outside the EEA under appropriate safeguards (see the Privacy Policy). An EU-only extraction mode for stricter requirements is planned.
Data minimization
The platform stores only what is needed for extraction, exports, billing, and auditability. Application logging is designed to exclude document content, extracted values, and prompts containing document text. Payment details never touch our infrastructure — Stripe processes them end to end.
AI-assisted extraction
Document bytes are sent to third-party AI models through Vercel AI Gateway for schema-based extraction, subject to your organization's retention setting. Model outputs can be incomplete or inaccurate — review results before relying on them. See the Terms of Service for customer responsibilities and the Data Processing Agreement for sub-processors.
Certifications
We do not claim certifications we do not hold — no SOC 2 or ISO 27001 badges will appear here until they are real.
Questions about security or data handling?