Encrypted storage
Customer files are stored in Cloudflare R2. R2 encrypts objects at rest by default with AES-256, and the app is built around S3-compatible credentials plus presigned URLs instead of broad browser credentials.
Security
DokuTrak collects sensitive client documents through scoped upload links, encrypted object storage, server-side authorization, and an append-only audit trail. This page lists controls that exist in the product or production architecture today, and calls out what is still an operator checklist item.
Customer files are stored in Cloudflare R2. R2 encrypts objects at rest by default with AES-256, and the app is built around S3-compatible credentials plus presigned URLs instead of broad browser credentials.
Production traffic reaches DokuTrak through Caddy, which terminates HTTPS for dokutrak.com and app.dokutrak.com and supports TLS 1.3.
The audit_logs table records security-sensitive activity with actor, organization, action, entity, timestamp, IP/user-agent context, sanitized metadata, and payload hashes. A Postgres trigger blocks UPDATE and DELETE on audit rows.
External recipients upload through scoped secure upload links instead of creating accounts. Links expire, are validated server-side, are rate-limited, and are invalidated when the underlying request/link record is removed.
Team authentication is handled by Clerk. The API verifies Clerk JWTs server-side, resolves organization context before protected actions, and can enforce Clerk second-factor verification for paid workspaces.
The production API, web app, marketing site, Postgres, and Redis run as separate Docker services. Postgres and Redis are on an internal Docker network and are not exposed through the public reverse proxy.
Subprocessors
These vendors support authentication, storage, billing, transactional messaging, monitoring, and analytics.
| Provider | Purpose |
|---|---|
| Clerk | Authentication, sessions, user profile, MFA/TOTP flows, and auth emails. |
| Stripe | Billing, checkout, subscriptions, invoices, and payment webhooks. |
| Resend | Transactional business emails such as document requests and reminders. |
| Cloudflare R2 | S3-compatible object storage for uploaded customer documents. |
| Sentry | Application error monitoring and production debugging context. |
| PostHog EU | Product analytics for usage and funnel events. |
| Mistral OCR | OCR stage for AI First-Pass Review when a workspace enables cloud AI processing. |
| OpenRouter | Default verdict-model route for AI First-Pass Review when cloud AI processing is enabled. |
Send reproduction steps, affected URLs, impact, and your preferred contact address. Do not send customer files, secrets, or destructive proof-of-concept payloads.
These answers are limited to controls that are implemented in the codebase or known production topology.
DokuTrak uses Vault as a product metaphor for a private document collection space: professionals send a scoped upload link, clients upload requested files, and access is mediated by application permissions. It is not a claim that DokuTrak uses a hardware security module or a separate secrets-vault product for customer files.
Files are stored in Cloudflare R2, which encrypts objects at rest by default with AES-256. The app issues scoped, expiring presigned URLs for upload and access. R2 bucket privacy and lifecycle toggles are tracked as operational checklist items.
Upload links are random tokens scoped to a document request. The API validates token format and expiry, applies route-level rate limits, and rejects expired or removed links.
DokuTrak uses Clerk for account authentication. The codebase includes paid-plan MFA enforcement based on Clerk second-factor verification, with the exact TOTP/session settings configured in the Clerk dashboard.
The current subprocessors are Clerk for auth, Stripe for billing, Resend for transactional email, Cloudflare R2 for file storage, Sentry for error monitoring, PostHog EU for analytics, and Mistral OCR plus OpenRouter for AI First-Pass Review when cloud AI is enabled by a workspace.
Email [email protected] with the affected URL or endpoint, reproduction steps, expected impact, and your preferred contact address. Do not send customer files, secrets, or destructive payloads.
Current limits
Review the workflow first, then choose whether the controls fit your firm.