Security at Docz.me
Last updated: April 11, 2026
We know you trust Docz.me with sensitive information — your client list, your contracts, your income. Here's exactly what we do to keep that information safe, in plain language.
Our approach
Docz.me stores documents, contracts, invoices, and client records. Because Docz.me is not a payment processor, we are never in possession of your credit card numbers or your clients' credit card numbers. That already eliminates an entire class of security risk.
For everything else, we apply defense-in-depth: encryption, strong authentication, rate limiting, access controls, and regular backups.
Encryption
In transit: All traffic between your browser and Docz.me is encrypted with TLS (HTTPS). We don't accept unencrypted connections.
At rest: Your database, your file storage, and your backups are encrypted on disk using the underlying platform's native encryption (AES-256).
Password storage and authentication
Passwords are hashed with argon2id, the current state of the art for password storage. We never store plain-text passwords, and we never email them to you. The parameters we use (memory cost, time cost) are tuned to make brute-force attacks impractical even if a database copy were ever exposed.
We rate-limit sign-in attempts per IP address to make credential stuffing and password-spraying attacks much harder.
Sessions
When you sign in, we issue a short-lived session token. Tokens are bound to your browser and expire after a period of inactivity. Signing out invalidates your session immediately. You can sign out from any device at any time.
Access controls
Only a small number of our engineers have production access, and that access is limited to what's necessary to operate the service. Every administrative action is logged.
We don't read your content. We only look at your data when you explicitly ask us to (for example, to help you troubleshoot) or when legally required.
Infrastructure
Docz.me runs on modern cloud infrastructure with regular security patching and network-level firewalls. Production systems are isolated from development and staging, and secrets (API keys, encryption keys) are stored in a managed secret vault — never in source code.
Backups and durability
We take automatic encrypted backups of your data on a regular schedule. Backups are stored in a geographically separate location from the primary database. We test our restore process periodically so that, if the worst happens, we can get your data back quickly.
Document uploads
When you upload a document (a PDF contract, a receipt, etc.), Docz.me stores it in a private, access-controlled file store. Only you and anyone you explicitly share it with can retrieve it. We scan uploads for obvious malware signatures.
Incident response
If we detect a security incident that affects your account, we will notify you as quickly as we reasonably can, explain what happened, what data was involved, and what steps we're taking to fix it. We will not hide breaches. We'd rather over-communicate than leave you guessing.
Your role
Security is a partnership. Please help us keep your account safe:
- Use a long, unique password — ideally from a password manager.
- Don't share your login with anyone else.
- Sign out from devices you don't own or control.
- Keep your email account secure — it's the recovery channel for your Docz.me account.
Responsible disclosure
Found a security issue in Docz.me? We appreciate your help. Please email security@docz.me with details, and please give us a reasonable window to fix the issue before disclosing it publicly. We do not currently run a paid bug bounty, but we will publicly acknowledge researchers who report valid issues in good faith.