Security that's specific,
not aspirational.

We'll tell you exactly what we've built, what we haven't, and what's next. No badges we haven't earned.

At a Glance

The controls that matter, in one scroll.

In transit

TLS 1.2+ everywhere. HSTS with preload. No insecure fallback.

At rest

AES-256 encryption managed by Vercel, Supabase, and AWS.

Authentication

API keys stored as SHA-256 hashes — shown once, never retrieved. MFA for staff with production access.

Data isolation

Row-Level Security policies enforce tenant boundaries at the database layer.

Retention

PDF retention is documented in our Privacy Policy. Customer payloads are processed transiently.

Payment security

Never stored on our systems. Stripe (PCI DSS Level 1) handles all card data via tokenization.

Compliance Status

Where we stand today.

We update this table as our certifications evolve. The honest answer to any “do you have X?” question lives right here — always.

Standard	Status
SOC 2 Type I	Planned / readiness prep
SOC 2 Type II	On roadmap
HIPAA	On roadmap (not currently supported)
ISO 27001	Evaluating
CCPA / CPRA	Drafted; counsel/operational validation pending
GDPR / UK GDPR	Drafted; DPA/SCC validation pending
PCI DSS	N/A — Stripe handles all card data

HIPAA Roadmap

We are not currently HIPAA-attested.

DocuJSON does not offer a Business Associate Agreement (BAA) today and is not a HIPAA-compliant service. Do not submit Protected Health Information (PHI) — including names, addresses, dates of service, diagnoses, or any other PHI as defined under HIPAA — through any DocuJSON workspace or API.

HIPAA-covered processing is a tracked roadmap item documented in our internal compliance roadmap (docujson-compliance-roadmap.md). When launched, it will be available exclusively to Enterprise customers under a separately negotiated and signed BAA, with workspace-level controls that block AI template flows and other sub-processors that are not BAA-covered.

If your use case requires HIPAA today, please contact sales@docujson.com so we can scope timelines and confirm whether DocuJSON is the right fit.

What We Don't Do

The fast “no” list.

We do not sell or share personal data.

We do not use Customer Content to train AI models.

We do not grant unrestricted employee access to production.

We do not display compliance badges we haven't earned.

Responsible Disclosure

Found a vulnerability? Email security@docujson.com. We aim to acknowledge within 2 business days. Safe harbor is in effect for good-faith research under our disclosure rules.

Go deeper.

Trust center

Status page

Data Processing Addendum

Sub-processors

Working through a security review?

Enterprise customers can request a CAIQ or SIG Lite response, an NDA'd conversation with our team, or documentation for their vendor-risk file.

Security that's specific,
not aspirational.

We'll tell you exactly what we've built, what we haven't, and what's next. No badges we haven't earned.

At a Glance

The controls that matter, in one scroll.

In transit

TLS 1.2+ everywhere. HSTS with preload. No insecure fallback.

At rest

AES-256 encryption managed by Vercel, Supabase, and AWS.

Authentication

API keys stored as SHA-256 hashes — shown once, never retrieved. MFA for staff with production access.

Data isolation

Row-Level Security policies enforce tenant boundaries at the database layer.

Retention

PDF retention is documented in our Privacy Policy. Customer payloads are processed transiently.

Payment security

Never stored on our systems. Stripe (PCI DSS Level 1) handles all card data via tokenization.

Compliance Status

Where we stand today.

We update this table as our certifications evolve. The honest answer to any “do you have X?” question lives right here — always.

Standard	Status
SOC 2 Type I	Planned / readiness prep
SOC 2 Type II	On roadmap
HIPAA	On roadmap (not currently supported)
ISO 27001	Evaluating
CCPA / CPRA	Drafted; counsel/operational validation pending
GDPR / UK GDPR	Drafted; DPA/SCC validation pending
PCI DSS	N/A — Stripe handles all card data

HIPAA Roadmap

We are not currently HIPAA-attested.

If your use case requires HIPAA today, please contact sales@docujson.com so we can scope timelines and confirm whether DocuJSON is the right fit.

What We Don't Do

The fast “no” list.

We do not sell or share personal data.

We do not use Customer Content to train AI models.

We do not grant unrestricted employee access to production.

We do not display compliance badges we haven't earned.

Responsible Disclosure

Found a vulnerability? Email security@docujson.com. We aim to acknowledge within 2 business days. Safe harbor is in effect for good-faith research under our disclosure rules.

Go deeper.

Trust center

Status page

Data Processing Addendum

Sub-processors

Working through a security review?

Enterprise customers can request a CAIQ or SIG Lite response, an NDA'd conversation with our team, or documentation for their vendor-risk file.

Security that's specific,not aspirational.

The controls that matter, in one scroll.

In transit

At rest

Authentication

Data isolation

Retention

Payment security

Where we stand today.

We are not currently HIPAA-attested.

The fast “no” list.

Responsible Disclosure

Go deeper.

Working through a security review?

Security that's specific,not aspirational.

The controls that matter, in one scroll.

In transit

At rest

Authentication

Data isolation

Retention

Payment security

Where we stand today.

We are not currently HIPAA-attested.

The fast “no” list.

Responsible Disclosure

Go deeper.

Working through a security review?

Security that's specific,
not aspirational.

Security that's specific,
not aspirational.