Security

DocSpring follows industry best-practices to keep your data safe:

  • You can only access the DocSpring service via TLS (https). We enforce this with HSTS headers.
  • When you submit data to generate a PDF, this data is encrypted at rest using AES-256.
  • All stored files are encrypted at rest, using the AWS Key Management Service. This includes template PDFs, generated PDFs, and any other files that are stored in Amazon S3.
  • Passwords are hashed using bcrypt with 11 key expansion rounds. We do not store plaintext passwords in our database.
  • We maintain comprehensive audit logs for all data access and system activity.
  • All logs are retained for 7 years to support compliance and forensic requirements.
  • We subscribe to security mailing lists and patch any vulnerabilities as soon as possible.

Compliance

SOC 2 Type II Certified

SOC 2 Type II

GDPR Compliant

GDPR Compliant

DocSpring has completed a SOC 2 Type II audit and is fully GDPR compliant. We are currently working towards HIPAA compliance and ISO 27001 certification.

Our SOC 2 Type II report and security whitepaper are available upon request. Please contact [email protected] for more information.

DocSpring is not yet HIPAA compliant or PCI DSS certified.

This means that you must not submit any credit card information to DocSpring. You must not submit any protected health information (PHI) without signing a HIPAA BAA with us. Please contact [email protected] for more information.

Vulnerability Disclosures

DocSpring welcomes vulnerability disclosures. Please send an email to [email protected] to report any security vulnerabilities. You can find our PGP public key at:
https://docspring.com/pgp-key.txt

Questions?

Any questions about security can be sent to [email protected]

Last Modified: