Security

Your clients trust you with their most sensitive information. We take that responsibility seriously.

SOC 2 certified infrastructure

DocDrop runs entirely on SOC 2 Type II certified infrastructure. Our cloud providers — including AWS, Supabase, and Anthropic — each maintain independent SOC 2 Type II certifications, ensuring rigorous controls around security, availability, and confidentiality are verified by third-party auditors annually.

Encryption

All documents are encrypted at rest using AES-256 encryption — the same standard used by banks and government agencies. Data in transit is protected with TLS 1.2+ encryption. Sensitive credentials like Google OAuth tokens are encrypted with AES-256-GCM before storage.

Data isolation

Every account is fully isolated at the database level using PostgreSQL row-level security (RLS) policies. This means even if an application-level vulnerability were exploited, the database itself enforces that users can only access their own data. Every table — clients, documents, activities — has RLS enabled with strict policies tied to authenticated user identity.

AI document processing

DocDrop uses AI to automatically name documents based on their content. Here's how we protect sensitive information during this process:

  • Zero data retention — Our AI provider (Anthropic) does not store, log, or retain any document content sent through their API. Data is processed in memory and immediately discarded.
  • No AI training — Your documents are never used to train AI models. Anthropic's API terms explicitly prohibit using customer data for model training.
  • SOC 2 Type II certified — Anthropic maintains SOC 2 Type II certification for their API infrastructure.
  • Encrypted in transit — All AI API calls are made over TLS-encrypted connections. Document content never travels unencrypted.

Authentication & access control

User authentication is handled by Supabase Auth with secure password hashing (bcrypt), session management via HTTP-only cookies, and support for password reset flows. All API routes verify authentication before processing requests. Webhook endpoints are protected with cryptographic signature verification (HMAC-SHA256 for email, Twilio signature validation for SMS).
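An added example of the HMAC-SHA256 webhook check described above; it is not DocDrop's own code. It assumes the scheme Mailgun documents for its webhooks (hex HMAC-SHA256 over the timestamp concatenated with a one-time token, keyed with the webhook signing key). The function names, the 5-minute freshness window and the in-memory replay cache are assumptions made for illustration.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300   # assumed freshness window for the signed timestamp
_seen_tokens = set()     # assumed replay cache; a real service needs a shared store with expiry


def sign(signing_key: bytes, timestamp: str, token: str) -> str:
    """Compute the hex HMAC-SHA256 the sender attaches to each webhook."""
    return hmac.new(signing_key, (timestamp + token).encode(), hashlib.sha256).hexdigest()


def verify_email_webhook(signing_key, timestamp, token, signature, now=None):
    """Return True only for a correctly signed, fresh, not-yet-seen webhook."""
    if not all(isinstance(v, str) for v in (timestamp, token, signature)):
        return False
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False
    now = time.time() if now is None else now
    # Reject stale or future-dated requests so a captured one cannot be replayed later.
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False
    expected = sign(signing_key, timestamp, token)
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False
    # Record the token only after the signature verifies, so unsigned requests
    # cannot fill the replay cache.
    if token in _seen_tokens:
        return False
    _seen_tokens.add(token)
    return True


if __name__ == "__main__":
    key = b"constructed-signing-key"            # constructed sample values
    ts, tok = "1700000000", "constructed-token-0001"
    sig = sign(key, ts, tok)
    print(verify_email_webhook(key, ts, tok, sig, now=1700000010))  # first delivery
    print(verify_email_webhook(key, ts, tok, sig, now=1700000020))  # replay of the same request
```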

Third-party providers

We carefully vet every third-party service. All providers maintain industry-standard security certifications.

  • Stripe — PCI DSS Level 1 compliant. We never store credit card numbers on our servers.
  • Twilio — SOC 2 Type II certified. Phone number provisioning and SMS handling with encrypted communications.
  • Mailgun — SOC 2 Type II certified. Transactional email with webhook signature verification to prevent spoofing.
  • Anthropic — SOC 2 Type II certified. AI document analysis with zero data retention and no model training on customer data.
  • Google Drive — Optional integration using OAuth 2.0. Tokens are encrypted at rest and can be revoked at any time.

Data retention & deletion

You retain full control over your data. Documents can be deleted individually at any time. If you delete your account, all associated data — including clients, documents, and stored files — is permanently removed. We do not retain copies after account deletion.

Responsible disclosure

If you discover a security vulnerability, please contact us at security@docdrop.io. We take all reports seriously and will respond promptly.