Trust, documented.

Everything a security reviewer, legal team, or enterprise buyer needs about DocuJSON — in one place. If something is missing, email us.

Current Posture

Where we are, right now.

Security

A layered security program covering infrastructure, application code, authentication, data handling, and vendor management.

  • TLS 1.2+ in transit; AES-256 at rest (provider-managed)
  • HTML sanitization (DOMPurify) and strict CSP on every rendered template
  • SHA-256 hashed API keys — raw keys shown once and never stored
  • Row-Level Security (RLS) enforces tenant isolation
  • Webhook SSRF protection and Stripe signature verification
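The hashed-API-key control above, illustrated as an added example (not DocuJSON's own code; the in-memory `KEY_STORE` and the `dj_` key format are assumptions): a raw key is generated and returned once, only its SHA-256 digest is stored, and verification compares digests in constant time.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumed stand-in for a key table: key_id -> hex SHA-256 of the raw key.
# The raw key itself is never written here.
KEY_STORE: Dict[str, str] = {}


def _hash_key(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def issue_api_key(prefix: str = "dj") -> Tuple[str, str]:
    """Create a key and return (key_id, raw_key).

    The raw key is returned exactly once so it can be displayed to the
    user; only its SHA-256 digest is persisted.
    """
    key_id = secrets.token_hex(8)  # hex, so it contains no '_' separators
    raw_key = f"{prefix}_{key_id}_{secrets.token_urlsafe(32)}"
    KEY_STORE[key_id] = _hash_key(raw_key)
    return key_id, raw_key


def verify_api_key(presented: str) -> Optional[str]:
    """Return the key_id if the presented key matches a stored digest, else None."""
    parts = presented.split("_", 2)  # prefix, key_id, secret (secret may contain '_')
    if len(parts) != 3:
        return None
    key_id = parts[1]
    stored = KEY_STORE.get(key_id)
    if stored is None:
        return None
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if hmac.compare_digest(stored, _hash_key(presented)):
        return key_id
    return None


def revoke_api_key(key_id: str) -> bool:
    """Delete the stored digest; the raw key then fails verification."""
    return KEY_STORE.pop(key_id, None) is not None
```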

Privacy

Our Privacy Policy covers what we collect, why, who we share it with, and how long we keep it.

  • We don't sell personal data
  • We don't train AI models on Customer Content
  • Customer payload data is processed transiently and not persisted
  • Data-subject rights workflow drafted; it will be published once the intake process is operational

Data Processing Addendum

Available for all paid customers. Standard DPA below. Request a counter-signed copy via email.

  • GDPR Article 28 / CCPA service provider terms
  • Standard Contractual Clauses for international transfers
  • Counter-signed copies available for Business + Enterprise

Sub-processors

Public list of the third-party services that process your data. 30-day change notification commitment.

  • Full public registry at /sub-processors
  • 30 days advance notice on any additions
  • Objection window for Business + Enterprise customers

Compliance Status

The honest answer — always on this page.

Standard                        Status
SOC 2 Type I                    Planned / readiness prep
SOC 2 Type II                   On roadmap
HIPAA                           On roadmap — do not submit PHI
ISO 27001                       Evaluating
CCPA / CPRA                     Drafted — validation pending
GDPR / UK GDPR / Swiss FADP     Drafted — validation pending
PCI DSS                         N/A — Stripe handles card data

What We Don't Do

To save you a question.

We don't sell or share personal data with advertisers or data brokers.

We don't use Customer Content to train generative AI models.

We don't grant employees unrestricted access to production customer data.

We don't claim certifications we have not achieved.

We don't hide pricing behind a “contact sales” form.

We don't auto-enroll you in paid plans without a clear checkout step.

Documentation

All the paperwork, one index.

Document                        Status
Terms of Service                In progress
Privacy Policy                  In progress
Data Processing Addendum        Available on request
Acceptable Use Policy           In progress
Cookie Policy                   In progress
Sub-processor List              In progress
Service Level Agreement         Per plan
Security                        Live

Security Questionnaires

We're happy to complete CAIQ, SIG Lite, or custom vendor-risk questionnaires for Business and Enterprise customers. Turnaround: 5-10 business days for the first one, faster for updates.

Include in your request:
  • Your company name and domain
  • Which questionnaire format
  • Target deadline
  • Signed NDA (or we'll use our standard one)

Audits and Evidence

Available today (under NDA):
  • Security architecture overview
  • Sub-processor risk assessments
  • Incident response plan
  • Business continuity / DR plan
  • CAIQ / SIG Lite responses

When available:
  • SOC 2 Type I report
  • Penetration test executive summary

On-site audits available for Enterprise with 60 days' notice, per DPA Section 11.

Incident Transparency

  • Real-time status: status.docujson.com
  • Postmortems published within 7 business days of significant incidents
  • Breach notification: within 72 hours of confirmed impact, per our DPA

Responsible Disclosure

Security researchers — we welcome reports.

Scope, rules, and safe harbor

Bug bounty program planned post-SOC 2.

Still have questions?

Security reviewers, procurement teams, compliance officers — happy to get on a call or trade a questionnaire. No salesy runaround.