Security

Last updated: April 12, 2026

All systems operational

No Document Storage

DocuExtract processes documents in memory and never stores them. When you send a document to /v1/extract, it is passed to the Claude AI model for extraction, the structured result is returned, and the document is immediately discarded. No caching, no logging, no retention.

Encryption in Transit

All API traffic is encrypted with TLS 1.3. We enforce HTTPS on every endpoint — plaintext HTTP requests are rejected. Your documents and API keys never travel over an unencrypted connection.

API Key Security

API keys are hashed with bcrypt before storage. We never store plaintext keys.
Keys are shown once at creation and cannot be retrieved again — only regenerated.
Keys use the prefix dk_live_ followed by 32 cryptographically random characters.
Keys can be revoked instantly from the API Keys dashboard.

Authentication

OAuth 2.0 via GitHub and Google — no passwords stored
Magic link email authentication via Supabase Auth with PKCE flow
Session tokens managed by Supabase with automatic rotation
Row Level Security (RLS) enforced on all database tables — users can only access their own data

Infrastructure

Hosting: Vercel (SOC 2 Type II compliant)
Database: Supabase PostgreSQL (SOC 2 Type II compliant)
AI Processing: Anthropic Claude API (SOC 2 Type II compliant)
Payments: Stripe (PCI DSS Level 1 certified)

Rate Limiting

All API endpoints enforce per-minute and per-month rate limits based on your plan tier. Rate limit headers are included in every response so you can monitor usage programmatically.

Vulnerability Reporting

If you discover a security vulnerability, please report it responsibly to security@docuextract.dev. We take all reports seriously and will respond within 48 hours.

Compliance Roadmap

We are working toward SOC 2 Type II certification. All infrastructure providers are already SOC 2 compliant. Contact us at security@docuextract.dev for security questionnaires or vendor assessments.