DN
DocuNile
Trust & Security

Compliance & Security

DocuNile is engineered from the ground up for regulated industries. Our security architecture, compliance posture, and data handling practices are designed to meet the strictest enterprise and government requirements.

SOC 2 Designed Controls
eIDAS Compliant E-Sign
GDPR Ready Architecture
AES-256 Encryption
On-Prem / Air-Gap Option
Tenant Isolated AI Pipeline

SOC 2 Type II Posture

DocuNile's cloud platform is designed around the five SOC 2 Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Our controls include:

  • Access controls: Multi-factor authentication, role-based access control (RBAC), principle of least privilege, and session management.
  • Change management: Code review requirements, automated testing pipelines, and staged deployment processes.
  • Incident response: Defined incident classification, escalation procedures, and customer notification protocols.
  • Availability: 99.99% uptime SLA backed by multi-region failover and automated health monitoring.
  • Vendor management: All third-party sub-processors are evaluated for security posture and subject to data processing agreements.

Customers requiring a copy of our SOC 2 report or security questionnaire responses may request them through their account manager or via security@docunile.com.

Electronic Signatures & eIDAS

DocuNile's e-signature service is designed to comply with EU Regulation 910/2014 (eIDAS) and applicable electronic signature legislation globally. We support three levels of electronic signature:

Simple Electronic Signature (SES)

Email-verified identity, audit trail, tamper-evident seal. Suitable for standard commercial agreements.

Advanced Electronic Signature (AdES)

Strong signer authentication, device fingerprinting, cryptographic linkage to the signed document.

Qualified Electronic Signature (QES) — via USB PKI Token

The highest legal assurance level. Uses AATL-compliant hardware tokens (USB PKI). Legally equivalent to handwritten signatures under eIDAS in all EU member states.

Each completed signature produces a certificate of completion containing: signer identity, IP address, device fingerprint, timestamp, document hash, and chain-of-custody metadata. This certificate is cryptographically embedded in the final signed PDF.

GDPR & Data Privacy

DocuNile is designed to support your organization's GDPR compliance obligations. Key capabilities include:

  • Data residency: Choose EU-based storage (AWS Frankfurt, eu-central-1) for all Customer Data to meet EEA data residency requirements.
  • Data processor role: For cloud deployments, DocuNile acts as your data processor. We provide a Data Processing Agreement (DPA) to all customers.
  • Right to erasure: Tenant administrators can permanently delete documents and user records. AI vector embeddings are automatically purged when source documents are deleted.
  • Data portability: Export your complete document archive, metadata, and audit logs in standard formats at any time.
  • Consent management: E-signature workflows include explicit consent checkpoints with timestamped records.
  • Breach notification: We maintain documented procedures for notifying customers of confirmed data breaches within 72 hours of discovery, in line with GDPR Article 33.

To request a copy of our Data Processing Agreement (DPA), contact legal@docunile.com.

Data Encryption

Encryption at rest

AES-256-GCM for all documents, database records, and AI embeddings

Encryption in transit

TLS 1.3 enforced on all connections — older protocol versions rejected

Key management

Per-tenant encryption keys, stored in AWS KMS. Zero shared keys between tenants.

Password storage

bcrypt hashing with salt. Plain-text passwords are never stored or logged.

Audit log integrity

Append-only PostgreSQL architecture. No UPDATE or DELETE operations on audit records.

Air-gap keys

On-prem deployments use locally generated HSM keys. No key material ever leaves the customer environment.

On-Premises & Air-Gap Compliance

Enterprise and government customers with strict data sovereignty requirements can deploy DocuNile entirely within their own infrastructure:

  • Zero cloud egress: In air-gap mode, no network connections leave your perimeter. The platform operates fully offline.
  • Offline licensing: Cryptographically signed license files are verified locally without contacting DocuNile servers.
  • Local AI models: AI features can be configured to use locally hosted model inference endpoints (no data sent to external AI providers).
  • Deployment stack: Docker 24+ / OCI containers or Kubernetes Helm charts (k8s 1.28+). No proprietary cloud dependencies.
  • Identity integration: Native LDAP, Active Directory, SAML 2.0, and OIDC support for on-premises identity providers.
  • Physical scanner integration: TWAIN/WIA-compatible Scanner Bridge for document capture without internet access.

Infrastructure Security

  • Cloud provider: Amazon Web Services (AWS). Data centers are ISO 27001, SOC 2 Type II, and PCI DSS certified.
  • Network security: VPC isolation, security groups, WAF (Web Application Firewall), and DDoS protection.
  • Vulnerability management: Regular automated dependency scanning, SAST (static analysis), and periodic penetration testing by third-party security firms.
  • Patching: Critical security patches applied within 24 hours. Platform updates delivered with zero downtime for cloud deployments.
  • Monitoring: 24/7 automated anomaly detection, uptime monitoring, and alerting.
  • Backup: Daily encrypted backups with 30-day retention. Backup integrity is verified via automated restore testing.

AI & Data Training Policy

DocuNile will never use your documents or extracted data to train AI models.

This is a foundational architectural and contractual commitment:

  • All AI model inference occurs within your tenant boundary — no cross-tenant data mixing.
  • Third-party AI providers (OpenRouter/Anthropic) are contractually prohibited from using our customers' data for training.
  • Vector embeddings are stored in your tenant's isolated pgvector instance and are never exported.
  • For on-premises deployments, AI inference is fully local — no data touches any external AI provider.

Certifications & Standards

SOC 2 Type II

Security, Availability, Confidentiality (designed controls)

In progress

EU eIDAS 910/2014

Qualified & Advanced Electronic Signatures

Compliant

GDPR (EU) 2016/679

Data processing, residency, DPA availability

Compliant

UK GDPR & Data Protection Act 2018

UK data protection

Compliant

ESIGN / UETA (US)

US electronic signature recognition

Compliant

ISO/IEC 27001

Information security management

Roadmap 2026

HIPAA

Healthcare data safeguards (BAA available on Enterprise)

BAA available

PCI DSS

Payment data — handled by Stripe (PCI L1 compliant)

Via Stripe

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a potential security issue in the DocuNile platform, please report it responsibly:

  • Email: security@docunile.com
  • Include a description of the vulnerability, steps to reproduce, and potential impact.
  • Please do not access or modify other customers' data during your research.
  • We commit to acknowledging reports within 2 business days and providing a remediation timeline within 10 business days.