Security Policy
Last updated: May 29, 2026
Security is at the core of PrimeDocu. We use industry-standard practices to protect your documents and personal data. This document explains our security model and how to responsibly report vulnerabilities.
1. End-to-End Encryption
Every document you upload is encrypted on your device BEFORE leaving it. We use:
- AES-256-GCM — industry-standard authenticated encryption.
- Argon2id (memoryKiB=19456, iterations=2, parallelism=1) — key derivation from your recovery password.
- Per-user master key — generated locally, stored in your device's secure enclave.
We cannot read your documents. Even if our servers were compromised, attackers would only see encrypted blobs they cannot decrypt.
2. Where Your Keys Live
- iOS: Keychain (hardware-backed Secure Enclave when available).
- Android: Android Keystore (hardware-backed TEE or StrongBox when available).
- Windows: DPAPI (Data Protection API).
- Web: Browser-encrypted IndexedDB (session-bound).
3. Cloud Storage
- Documents stored on Supabase Storage (backed by AWS S3) as opaque encrypted blobs.
- Row-Level Security (RLS) policies prevent users from accessing each other's data.
- All data in transit uses TLS 1.3.
- At-rest encryption at the storage layer (in addition to our client-side encryption).
4. Authentication
- Passwords hashed with bcrypt (managed by Supabase Auth).
- Email-based authentication with confirmation required.
- JWT tokens expire automatically; refresh tokens rotate on use.
- OAuth providers supported: Google, Apple (mobile only).
5. Payment Security
- All card data handled by Stripe (PCI DSS Level 1 certified).
- Mobile payments via Google Play Billing and Apple App Store.
- We never see or store credit card numbers.
- Webhook signatures verified using HMAC-SHA256.
6. AI Processing Security
- AI requests routed through our Supabase Edge Function (no client-side API keys).
- Document content sent only when you explicitly trigger AI features.
- AI providers (Google Gemini, OpenAI) bound by contractual data-use restrictions.
- Your data is NOT used to train AI models.
7. Infrastructure
- Database: Postgres (Supabase, hosted on AWS) with daily encrypted backups.
- Storage: Supabase Storage with redundant replication.
- Web hosting: Cloudflare Pages with DDoS protection.
- Mobile distribution: Apple App Store, Google Play Store (signed builds).
8. Access Controls
- Production database access limited to senior engineering staff.
- All admin access requires multi-factor authentication (MFA).
- Service accounts use principle of least privilege.
- Audit logs retained for 90 days.
9. Vulnerability Reporting
We welcome security researchers. If you discover a vulnerability, please report it responsibly:
- Email: security@primedocu.com
- Provide a detailed description and steps to reproduce.
- Allow us 90 days to address before public disclosure.
- We will acknowledge receipt within 48 hours.
We do not currently operate a paid bug bounty program but will publicly credit researchers in our changelog (with consent).
10. Out-of-Scope
The following are NOT considered security vulnerabilities:
- Missing security headers (CSP, HSTS) unless exploitable.
- Social engineering of our employees or users.
- Physical attacks on our offices or hardware.
- Denial of service (DoS) attacks.
- Rate-limit bypasses on free-tier features.
11. Compliance
- GDPR: Compliant for EU users — right to access, correct, delete data.
- CCPA: Compliant for California users.
- SOC 2: Our infrastructure providers (Supabase, Cloudflare, Stripe) are SOC 2 certified.
12. Incident Response
In the event of a data breach affecting your account, we will notify you within 72 hours via email and in-app notification, with details about what data was affected and recommended actions.
13. Contact
Security inquiries: security@primedocu.com
General support: support@primedocu.com