DocuNile is engineered from the ground up for regulated industries. Our security architecture, compliance posture, and data handling practices are designed to meet the strictest enterprise and government requirements.
DocuNile's cloud platform is designed around the five SOC 2 Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Our controls include:
Customers requiring a copy of our SOC 2 report or security questionnaire responses may request them through their account manager or via security@docunile.com.
DocuNile's e-signature service is designed to comply with EU Regulation 910/2014 (eIDAS) and applicable electronic signature legislation globally. We support three levels of electronic signature:
Simple Electronic Signature (SES)
Email-verified identity, audit trail, tamper-evident seal. Suitable for standard commercial agreements.
Advanced Electronic Signature (AdES)
Strong signer authentication, device fingerprinting, cryptographic linkage to the signed document.
Qualified Electronic Signature (QES) — via USB PKI Token
The highest legal assurance level. Uses AATL-compliant hardware tokens (USB PKI). Legally equivalent to handwritten signatures under eIDAS in all EU member states.
Each completed signature produces a certificate of completion containing: signer identity, IP address, device fingerprint, timestamp, document hash, and chain-of-custody metadata. This certificate is cryptographically embedded in the final signed PDF.
DocuNile is designed to support your organization's GDPR compliance obligations. Key capabilities include:
To request a copy of our Data Processing Agreement (DPA), contact legal@docunile.com.
Encryption at rest
AES-256-GCM for all documents, database records, and AI embeddings
Encryption in transit
TLS 1.3 enforced on all connections — older protocol versions rejected
Key management
Per-tenant encryption keys, stored in AWS KMS. Zero shared keys between tenants.
Password storage
bcrypt hashing with salt. Plain-text passwords are never stored or logged.
Audit log integrity
Append-only PostgreSQL architecture. No UPDATE or DELETE operations on audit records.
Air-gap keys
On-prem deployments use locally generated HSM keys. No key material ever leaves the customer environment.
Enterprise and government customers with strict data sovereignty requirements can deploy DocuNile entirely within their own infrastructure:
DocuNile will never use your documents or extracted data to train AI models.
This is a foundational architectural and contractual commitment:
SOC 2 Type II
Security, Availability, Confidentiality (designed controls)
EU eIDAS 910/2014
Qualified & Advanced Electronic Signatures
GDPR (EU) 2016/679
Data processing, residency, DPA availability
UK GDPR & Data Protection Act 2018
UK data protection
ESIGN / UETA (US)
US electronic signature recognition
ISO/IEC 27001
Information security management
HIPAA
Healthcare data safeguards (BAA available on Enterprise)
PCI DSS
Payment data — handled by Stripe (PCI L1 compliant)
We take security vulnerabilities seriously. If you discover a potential security issue in the DocuNile platform, please report it responsibly: