Security & Compliance

Built for firms that treat client confidentiality as the job.

AES-256 encrypted. EU-hosted. GDPR-compliant. Full audit log on every action. Because the cost of a leak in our line of work is not a bad quarter — it is a bar complaint.

AES-256 | TLS 1.3 | GDPR | EU-hosted | SOC 2 in progress

Encryption at rest and in transit

Every file uploaded to DokuTrak is encrypted with AES-256 before being written to storage. TLS 1.3 is used for every network hop. Encryption keys are managed via Cloudflare R2 server-side encryption and rotated on a regular cadence.

EU-hosted infrastructure

Our production infrastructure runs on a dedicated Hostinger VPS in Paris, France. Database, application, and file storage are all in the EU. No data ever crosses to the US except for external services your firm already uses (Clerk for auth, Resend for email delivery) — each with their own DPAs.

GDPR-compliant by default

Right to access, right to deletion, data portability, and data minimization are built into the product. You can export your entire workspace as a zip file at any time from the dashboard. On cancellation, data is fully deleted from backups within 90 days per our retention policy.

Full audit log

Every action in DokuTrak is logged: who sent a request, who uploaded a file, who accepted or rejected it, who downloaded it, who shared it. The log is immutable and available to every admin in your workspace. Export as CSV for internal compliance reviews.

Authentication you control

DokuTrak uses Clerk for team-side authentication, supporting email + password, magic link, and Google SSO. SSO/SAML with your identity provider is available on request for firms with existing identity infrastructure. Clients authenticate via Magic Link tokens that expire after the document is delivered — they never create an account.

Revocable access

If a Magic Link ends up in the wrong inbox, you revoke it in one click and DokuTrak invalidates it immediately. You regenerate a new link to the correct recipient. Every revocation is logged in the audit trail.

Security incident notification

In the unlikely event of a confirmed security incident affecting your data, we notify you within 72 hours as required by GDPR Article 33. We also publish a post-mortem within 14 days of resolution, detailing root cause and remediation.

Certifications in progress

SOC 2 Type II audit is scheduled for Q3 2026. ISO 27001 will follow. Until then, we publish our security posture in detail, operate with the same controls a SOC 2 audit would require, and make our security documentation available on request under NDA.

AI document validation

DokuTrak uses Together AI with Llama 4 Scout for document type and field suggestions. Provider-side retention is configured for 0 days, and requests are not used for model training.

AI never finalizes a document. Every extraction is shown as an AI suggestion and requires human confirmation before the document is approved.

Provider: Together AI, Llama 4 Scout
Retention: 0 days at the AI provider
DPA: Available on request
Eval precision: Pending pre-launch eval, target >=90% doc-type precision

Need our full security package?

SIG Lite responses, DPA, subprocessor list, and architecture diagrams available on request under NDA. Typical turnaround: 2 business days.

Email [email protected]

Security questions

Where is my data stored?

All customer data is stored in the European Union. Our VPS runs in a Hostinger data center in Paris, France. File storage uses Cloudflare R2 with the region pinned to EU-West. We do not use US-region services for customer data storage.

Is DokuTrak HIPAA compliant?

DokuTrak is not currently HIPAA-compliant and we do not sign BAAs. If your workflow requires handling Protected Health Information subject to HIPAA, DokuTrak is not the right tool. We serve law firms, accountants, and professional service firms with GDPR-grade requirements, not PHI workflows. HIPAA compliance is on our 2027 roadmap if demand supports it.

Can my clients trust the Magic Link upload process?

Yes. Magic Links are scoped, time-limited tokens: they expire after the document is uploaded, they cannot be reused, and they only grant upload access to the specific request. The upload page itself is served over HTTPS with strict transport security. No client data is visible from the link — it only opens an upload interface tied to one specific request.

What happens if I leave DokuTrak?

You export your workspace — documents, requests, metadata, audit log — as a zip file from the dashboard. The export is available for 30 days after cancellation. After day 30, all active data is deleted. Within 90 days, data is also purged from backups. We send you a deletion confirmation email.

Do DokuTrak employees access my documents?

No, not under normal operation. Our engineering team does not have read access to customer document contents. In the event of a support ticket that specifically requires access — and only with your explicit written approval — a senior engineer gains time-limited access that is logged in your audit trail.

How do you handle subprocessors?

We publish our subprocessor list at dokutrak.com/legal/subprocessors. Current subprocessors include: Hostinger (infrastructure), Cloudflare (R2 storage, DNS), Clerk (team-side auth), Resend (email delivery), Stripe (payments), and Together AI (document validation). Each has a DPA with DokuTrak. We notify customers via email 30 days before adding a new subprocessor.

Try it on your real workflow. $1 for 14 days.

If security is the reason you have not switched from email + Dropbox, DokuTrak is the upgrade.