Security at Docme

Security isn't a feature.
It's our foundation.

Every layer of Docme — from how we store your documents to how we handle authentication — is designed with security as the primary constraint.

Core security

How we protect your data

End-to-end encryption

All data in transit is protected with TLS 1.3. Documents at rest are encrypted with AES-256. Sensitive database fields are additionally encrypted at the application layer.

Access controls

Role-based access control (RBAC) ensures users can only access what they need. Every API request is authenticated and authorized. Admin access requires MFA.

Infrastructure security

We run on AWS infrastructure with VPC isolation, private subnets, and WAF protection. All services are containerized and run with the principle of least privilege.

Continuous monitoring

We monitor for anomalies 24/7 with automated alerting. Security logs are retained for 12 months. Penetration tests are conducted by an independent firm annually.

Day-to-day practices

Security is built into our process

  • All engineers complete security and privacy training at onboarding.
  • Code changes require peer review and automated security scanning before merge.
  • Dependencies are automatically scanned for known CVEs using Dependabot.
  • We run regular internal red-team exercises to identify weaknesses.
  • Production deployments require approval from a senior engineer.
  • All third-party integrations are audited before onboarding.
  • Background checks are performed on all employees with data access.
  • Security incidents are reviewed in post-mortems and improvements shared internally.

Compliance

Certifications & standards

SOC 2 Type II: In progress
GDPR compliant: Certified
CCPA compliant: Certified
ISO 27001: In progress

Vulnerability Disclosure

If you believe you've found a security vulnerability in Docme, please report it responsibly. We take all reports seriously and will respond within 48 hours.

How to report

Email security@docme.cc with a detailed description of the vulnerability, steps to reproduce, and your contact information.

What to include

Type of vulnerability, affected URL or component, potential impact, and any proof-of-concept code (if applicable).

Our commitment

We will acknowledge your report within 48 hours, investigate promptly, and credit you in our security changelog (if you wish) once the issue is resolved.