Security

A private Vault for client document intake.

DokuTrak collects sensitive client documents through scoped upload links, encrypted object storage, server-side authorization, and an append-only audit trail. This page lists controls that exist in the product or production architecture today, and calls out what is still an operator checklist item.

AES-256 at rest in R2HTTPS via CaddyAppend-only audit logClerk authRedis-backed rate limits

Encrypted storage

Customer files are stored in Cloudflare R2. R2 encrypts objects at rest by default with AES-256, and the app is built around S3-compatible credentials plus presigned URLs instead of broad browser credentials.

TLS in front of the app

Production traffic reaches DokuTrak through Caddy, which terminates HTTPS for dokutrak.com and app.dokutrak.com and supports TLS 1.3.

Append-only audit log

The audit_logs table records security-sensitive activity with actor, organization, action, entity, timestamp, IP/user-agent context, sanitized metadata, and payload hashes. A Postgres trigger blocks UPDATE and DELETE on audit rows.

Secure upload link intake

External recipients upload through scoped secure upload links instead of creating accounts. Links expire, are validated server-side, are rate-limited, and are invalidated when the underlying request/link record is removed.

Account authentication

Team authentication is handled by Clerk. The API verifies Clerk JWTs server-side, resolves organization context before protected actions, and can enforce Clerk second-factor verification for paid workspaces.

Isolated runtime services

The production API, web app, marketing site, Postgres, and Redis run as separate Docker services. Postgres and Redis are on an internal Docker network and are not exposed through the public reverse proxy.

Subprocessors

Services used to operate DokuTrak

These vendors support authentication, storage, billing, transactional messaging, monitoring, and analytics.

ProviderPurpose
ClerkAuthentication, sessions, user profile, MFA/TOTP flows, and auth emails.
StripeBilling, checkout, subscriptions, invoices, and payment webhooks.
ResendTransactional business emails such as document requests and reminders.
Cloudflare R2S3-compatible object storage for uploaded customer documents.
SentryApplication error monitoring and production debugging context.
PostHog EUProduct analytics for usage and funnel events.
Mistral OCROCR stage for AI First-Pass Review when a workspace enables cloud AI processing.
OpenRouterDefault verdict-model route for AI First-Pass Review when cloud AI processing is enabled.

Report a security issue

Send reproduction steps, affected URLs, impact, and your preferred contact address. Do not send customer files, secrets, or destructive proof-of-concept payloads.

Email [email protected]

Security questions

These answers are limited to controls that are implemented in the codebase or known production topology.

What does the Vault metaphor mean?

DokuTrak uses Vault as a product metaphor for a private document collection space: professionals send a scoped upload link, clients upload requested files, and access is mediated by application permissions. It is not a claim that DokuTrak uses a hardware security module or a separate secrets-vault product for customer files.

How are uploaded files protected?

Files are stored in Cloudflare R2, which encrypts objects at rest by default with AES-256. The app issues scoped, expiring presigned URLs for upload and access. R2 bucket privacy and lifecycle toggles are tracked as operational checklist items.

How are client upload links protected?

Upload links are random tokens scoped to a document request. The API validates token format and expiry, applies route-level rate limits, and rejects expired or removed links.

Do you use multi-factor authentication?

DokuTrak uses Clerk for account authentication. The codebase includes paid-plan MFA enforcement based on Clerk second-factor verification, with the exact TOTP/session settings configured in the Clerk dashboard.

Who are DokuTrak subprocessors?

The current subprocessors are Clerk for auth, Stripe for billing, Resend for transactional email, Cloudflare R2 for file storage, Sentry for error monitoring, PostHog EU for analytics, and Mistral OCR plus OpenRouter for AI First-Pass Review when cloud AI is enabled by a workspace.

How do I report a security issue?

Email [email protected] with the affected URL or endpoint, reproduction steps, expected impact, and your preferred contact address. Do not send customer files, secrets, or destructive payloads.

Current limits

Claims we do not make

  • DokuTrak does not currently claim SOC 2, ISO 27001, HIPAA compliance, or BAA support.
  • Cloudflare WAF, R2 lifecycle policies, Hostinger account MFA, and security@ email routing are operational dashboard tasks and are not claimed complete here until verified.
  • A standalone upload-link revoke endpoint is not currently exposed; request deletion removes the linked upload-link record and invalidates that URL.
  • Cloudflare Workers AI is an evaluation candidate for the AI verdict stage and is not an active production subprocessor until selected after benchmark and legal gates.

Need product details before a trial?

Review the workflow first, then choose whether the controls fit your firm.