We'll tell you exactly what we've built, what we haven't, and what's next. No badges we haven't earned.
TLS 1.2+ everywhere. HSTS with preload. No insecure fallback.
AES-256 encryption managed by Vercel, Supabase, and AWS.
API keys stored as SHA-256 hashes — shown once, never retrieved. MFA for staff with production access.
Row-Level Security policies enforce tenant boundaries at the database layer.
PDF retention is documented in our Privacy Policy. Customer payloads are processed transiently.
Card data is never stored on our systems. Stripe (PCI DSS Level 1) handles all card data via tokenization.
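The API-key handling described above (SHA-256 at rest, plaintext shown once, never retrievable), as an added illustration that is not DocuJSON's own code: the in-memory store, the `key_` prefix and the function names are assumptions made for the example.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Constructed in-memory stand-in for a credentials table (assumption: a real
# service persists this row; only the digest column exists, never the key).
_KEY_STORE: Dict[str, Dict[str, object]] = {}


def key_digest(plaintext: str) -> str:
    # A fast, unsalted hash is appropriate here because the key is a random
    # 256-bit token, not a user-chosen password: guessing it is infeasible, and
    # the digest doubles as the lookup index so no plaintext is ever stored.
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def issue_api_key(tenant_id: str, prefix: str = "key_") -> str:
    """Create a key, persist only its SHA-256 digest, and return the plaintext.

    The return value is the single time the plaintext leaves this function;
    the store cannot reproduce it later, so a lost key must be reissued.
    """
    plaintext = prefix + secrets.token_urlsafe(32)
    _KEY_STORE[key_digest(plaintext)] = {"tenant_id": tenant_id, "revoked": False}
    return plaintext


def verify_api_key(presented: str) -> Optional[str]:
    """Return the owning tenant id for a valid, unrevoked key, else None."""
    record = _KEY_STORE.get(key_digest(presented))
    if record is None or record["revoked"]:
        return None
    return str(record["tenant_id"])


def revoke_api_key(digest: str) -> bool:
    """Revoke by stored digest (what an admin view holds), never by plaintext."""
    record = _KEY_STORE.get(digest)
    if record is None:
        return False
    record["revoked"] = True
    return True


def plaintext_is_recoverable(plaintext: str) -> bool:
    """True only if the plaintext key appears anywhere in the store (it must not)."""
    return any(plaintext in k or plaintext in str(v) for k, v in _KEY_STORE.items())
```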
We update this table as our certifications evolve. The honest answer to any “do you have X?” question lives right here — always.
| Standard | Status |
|---|---|
| SOC 2 Type I | Planned / readiness prep |
| SOC 2 Type II | On roadmap |
| HIPAA | On roadmap (not currently supported) |
| ISO 27001 | Evaluating |
| CCPA / CPRA | Drafted; counsel/operational validation pending |
| GDPR / UK GDPR | Drafted; DPA/SCC validation pending |
| PCI DSS | N/A — Stripe handles all card data |
We do not sell or share personal data.
We do not use Customer Content to train AI models.
We do not grant unrestricted employee access to production.
We do not display compliance badges we haven't earned.
Found a vulnerability? Email security@docujson.com. We aim to acknowledge within 2 business days. Safe harbor is in effect for good-faith research under our disclosure rules.