Global launch - 2026.06.07

Security Policy

Security posture for the Documents Dock global service.

Effective date: 2026-06-07

01

Workspace isolation

  • Shipment data is scoped by organization and protected through application authorization and Supabase row-level security policies.
  • Workspace members should be assigned only the roles they need for their shipment document work.
  • Public support forms and unauthenticated endpoints are rate-limited and validated before persistence.
02

Document protection

  • Originals, generated documents, and bundles are stored in private object storage rather than public buckets.
  • Operators do not view customer originals, OCR text, extracted values, signatures, stamps, or object storage keys by default.
  • OCR quality monitoring should use value-free quality events instead of customer document text.
03

Application controls

  • The web app uses security headers, CSP, upload validation, rate limiting, and server-side organization checks on sensitive routes.
  • Billing provider webhooks must be verified before they can unlock paid workspace access.
  • Production secrets must be stored only in deployment provider secrets or environment variables.
04

Reporting

  • Security issues should be reported through the published security contact or support channel.
  • Do not include full customer documents, passwords, private keys, or regulated data in a vulnerability report unless the team explicitly requests a secure transfer path.

Legal notice: this page is maintained for global users and may be updated as the service, providers, and local requirements change.

Security Policy | Documents Dock