How DocEnsure protects the documents you trust us with — encryption, retention controls, India data residency, isolated processing, and the certifications we're working toward.
Every document and every database row is encrypted with AES-256. Encryption keys are managed by the cloud provider's KMS and rotated regularly.
All client and API traffic is protected by TLS 1.3 with strong ciphers. We enforce HSTS and reject deprecated protocols.
Each document is processed in a short-lived, isolated container. The container is destroyed once the verification report is generated. No persistent processing host has access to your documents.
Documents, reports, and account data are stored and processed in cloud regions inside India (Mumbai & Hyderabad). Customer documents are never transferred outside India without your explicit consent.
Production access is restricted to a small set of engineers via SSO with mandatory MFA. All access is logged and reviewed. Customer document content is not accessible to support staff except under explicit, time-bound consent.
Default retention is 30 days; paid plans can shorten this to as low as 24 hours or extend it up to 365 days. Enterprise customers can require post-verification deletion under a Data Processing Agreement.
We do not train our AI models on your uploaded documents. Model improvements use either synthetic data, public datasets, or data submitted under a separate written research agreement with explicit consent.
Every verification, login, configuration change, and access to a forensic report is logged with the actor, timestamp, and source IP. Logs are retained for 12 months and available to enterprise customers on request.
DocEnsure operates in alignment with Indian data-protection law and is actively pursuing recognised security certifications.
Enterprise customers can sign a Data Processing Agreement that covers roles (Fiduciary vs. Processor), subprocessor lists, security commitments, breach notification SLAs, and audit rights. To request a copy or to negotiate red-lines, email security@docensure.com.
We use a small set of vetted subprocessors to operate the platform — cloud hosting in India (AWS Mumbai/Hyderabad), transactional email, payment processing (Razorpay), and customer support tooling. Each subprocessor is bound by a written data-processing agreement. A live subprocessor list is available on request.
We welcome reports from independent security researchers. If you believe you've found a security issue in DocEnsure, please send a description and reproduction steps to security@docensure.com. Please give us a reasonable window — at least 30 days — to fix the issue before public disclosure. We will acknowledge your report within 3 business days and keep you updated on remediation.
We do not currently run a paid bug bounty programme, but we publicly thank researchers who follow coordinated disclosure.
If we discover a security incident that materially affects customer data, we will:
Production data is backed up daily; backups are encrypted with AES-256 and retained for up to 30 days. We test restore procedures regularly. The platform is deployed across multiple availability zones to tolerate single-zone failures.
For any security question, DPA request, or incident report:
Email: security@docensure.com
Response SLA: Acknowledgement within 3 business days, substantive response within 7 business days.