🛡️ Security at Docoply

Protecting your contracts with enterprise-grade security measures

Last updated: 1 September 2025

Encrypted, Cloud Secure, Always Available, Privacy First

1. Overview & Scope

Docoply is built by Educational Whiteboards Limited to help UK startups review contracts safely. We treat security, privacy and reliability as core product features.

This page describes the security controls for:

  • The docoply.com website and WordPress plugin features
  • Contract analysis workflows (upload/drag-and-drop and report generation)
  • Support & operations (limited logs/telemetry)

We continuously refine our security; roadmap items are marked “(planned)”.

2. Data Handling & Retention

  • Customer uploads. Contracts you submit are processed to generate a report. By default, we do not permanently store the full document content after the analysis completes
  • Transient processing. Files are held transiently in secure storage during parsing/analysis and then deleted after processing completes
  • Reports/exports. You can export HTML/PDF (and, if enabled, DOCX). These exports are generated on demand
  • Metadata & logs. We retain minimal operational metadata for troubleshooting and abuse prevention for 30–90 days
  • Deletion. If you request deletion, we will delete retained data within statutory and operational limits

3. Encryption Standards

  • In transit: All data travels over HTTPS (TLS 1.2+). We use HSTS and modern cipher suites
  • At rest: We rely on cloud-provider managed encryption for disks and object storage

4. Infrastructure Security

  • Hosting: We host on Google Cloud Platform (GCP). Access to cloud resources is restricted using IAM roles
  • Segmentation: Public endpoints are separated from internal services by firewalls and security groups
  • Patching: We apply OS, runtime and dependency updates regularly. Critical security patches are prioritized
  • Monitoring: System metrics and error logs are monitored for anomalies; alerts are routed to on-call

5. Application & AI Security

  • File safety. We restrict uploads by type and size and parse documents using vetted libraries
  • Sanitization. We sanitize user inputs and report content to prevent injection attacks
  • AI processing. We use the OpenAI API with data protection controls. Inputs/outputs are not used to train its models
  • Model safeguards. We apply prompt-level controls to reduce leakage and bound outputs to contract context
  • Multitenancy. Requests are authenticated/authorized at the application layer

6. Access Controls

  • Least privilege. Team access follows role-based access control with minimum permissions required
  • MFA. Multi-factor authentication is enforced for cloud, code hosting and payment dashboards
  • Secrets. API keys and credentials are stored in encrypted secret stores and rotated periodically
  • Admin audit. Administrative actions are logged

7. Secure Development

  • Code review. All changes undergo review and automated checks (linting, tests, build)
  • Security scanning. We use SCA and basic SAST to detect known issues
  • Change management. Changes are staged before production deployment; rollbacks are available
  • Principles. We follow OWASP ASVS/Top-10 guidance as a baseline

8. Payments Security

  • Provider. We use Stripe for payment processing. Card data never touches our servers
  • Billing data. We retain minimal billing metadata necessary for receipts, tax and fraud prevention

9. Backups & Continuity

  • Backups. Configuration, code and necessary databases are backed up regularly to encrypted storage
  • Availability. We design for graceful degradation; transient analysis jobs are idempotent where possible
  • RTO/RPO targets. We aim to restore core analysis within hours with minimal data loss

10. Incident Response

  • Runbooks. We maintain incident runbooks covering detection, containment, eradication and recovery
  • Notification. In the event of a personal-data breach, we will assess risk and notify affected customers and regulators in line with UK GDPR requirements

11. Vulnerability Disclosure

We welcome good-faith security reports. Please email  with details and steps to reproduce.

Guidelines:

  • Do not access other users’ data or degrade service
  • Do not run automated scans without permission
  • We will acknowledge receipt, investigate, and keep you updated
  • A formal bug bounty is not currently available

12. Compliance & Privacy

  • Privacy. See our Privacy Policy and Data Processing Addendum for legal bases and data subject rights
  • Subprocessors. Our current providers (hosting, AI API, payments) are listed at /legal/sub-processors
  • Certifications. Docoply is not currently certified (e.g., ISO 27001). We align to industry best practices

This page describes our current approach to security and may change as we improve our systems. We will keep this page updated with material changes.