Security

Subdoc handles sensitive investor data, subscription documents, and e-signatures. Every layer of the platform is designed to protect that data.

Infrastructure

  • SOC 2-certified providers. Cloud-hosted on managed infrastructure including Supabase, Render, and Vercel.
  • Environment isolation. All environments use separate databases, credentials, and deployment pipelines. No infrastructure is shared between environments.
  • Minimal attack surface. Single API layer with no SSH access or direct database exposure.

Encryption

  • AES-256 at rest. All stored data is encrypted, including the database, documents, and backups.
  • TLS in transit. All connections are encrypted with TLS, including the API (HTTPS), database connections, webhooks, and internal services.

Authentication & Access Control

  • Industry-standard authentication. Powered by Supabase Auth (SOC 2-certified) with Multi-Factor Authentication (MFA) support.
  • Role-based access control (RBAC). Granular, default-deny permissions enforced server-side on every API request.

Application Security

  • Input validation. All API inputs are validated and database queries are parameterized, preventing injection attacks.
  • File validation. Uploaded documents pass multi-layer verification before acceptance.
  • Rate limiting. Sensitive endpoints are rate-limited per authenticated user.
  • Automated scanning. Vulnerability scanning and dependency auditing run on every code push and on a weekly schedule.

AI & Data Privacy

  • PII redaction. Personal information is stripped before any data reaches external AI models.
  • No model training on client data. Our AI providers contractually commit to not using API-tier data for training.

Document Security

  • Encrypted, fund-scoped storage. Documents are stored in AES-256 encrypted, fund-specific paths.
  • E-signature verification. Integrated with Dropbox Sign (SOC 2-certified) with cryptographically verified webhooks.

Identity Verification (KYC/AML)

  • Per-fund KYC. Identity verification is configurable per fund based on compliance requirements.
  • Certified provider. Handled by Sumsub (SOC 2, ISO 27001).

Monitoring & Incident Response

  • Audit trail. Critical actions are logged to an immutable activity history.
  • Incident response. Structured process covering detection, containment, investigation, client notification, and remediation.

Learn More

For our detailed Security Whitepaper, Subprocessor List, or to complete a security questionnaire, contact us: security@subdoc.ai