Security
Last updated: June 2026
1. Data transmission
All connections to DocAI are encrypted in transit using TLS 1.2 or higher. HTTP requests are automatically redirected to HTTPS. Strict-Transport-Security (HSTS) headers are served once a valid TLS certificate is in place.
2. Authentication
- User authentication is handled by Clerk (clerk.com), a third-party identity provider. DocAI never stores raw passwords. Clerk issues short-lived JWT tokens that are verified on each request.
- Admin authentication uses PBKDF2-SHA256 password hashing with HttpOnly, SameSite=Strict session cookies. Admin sessions time out after the configured session TTL.
- API keys are generated with secrets.token_urlsafe. Only a SHA-256 hash of the key is stored — the full key is shown only once at creation and cannot be recovered. Keys can be revoked immediately. (API-key authentication is in beta and not yet accepted by extraction/history routes — use Clerk session authentication for now.)
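The following is an added illustration of the key lifecycle described above (generate with secrets.token_urlsafe, persist only the SHA-256 hash, verify, revoke); it is example code written for this page, not DocAI's own implementation. The in-memory ApiKeyStore, the use of the hash itself as the key's identifier, and the key length of 32 random bytes are assumptions, as DocAI's schema and key format are not described here.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def hash_key(full_key: str) -> str:
    """Hex SHA-256 of the full key. This, not the key, is what gets stored."""
    return hashlib.sha256(full_key.encode()).hexdigest()


@dataclass
class ApiKeyRecord:
    key_hash: str          # identifier and credential check; the key itself is never stored
    revoked: bool = False


class ApiKeyStore:
    """Constructed in-memory stand-in for the database table (assumption, not DocAI's schema)."""

    def __init__(self) -> None:
        self._records: dict[str, ApiKeyRecord] = {}

    def create(self) -> tuple[str, str]:
        """Return (key_hash, full_key). The full key exists only in this return value;
        the caller shows it once and discards it."""
        full_key = secrets.token_urlsafe(32)   # 32 random bytes -> 43-char URL-safe string
        key_hash = hash_key(full_key)
        self._records[key_hash] = ApiKeyRecord(key_hash)
        return key_hash, full_key

    def verify(self, presented_key: str) -> bool:
        """Look the record up by the hash of the presented key; a revoked key fails."""
        rec = self._records.get(hash_key(presented_key))
        if rec is None or rec.revoked:
            return False
        # compare_digest guards the final equality check against timing differences
        return hmac.compare_digest(rec.key_hash, hash_key(presented_key))

    def revoke(self, key_hash: str) -> bool:
        """Mark a key unusable immediately; returns False if no such key exists."""
        rec = self._records.get(key_hash)
        if rec is None:
            return False
        rec.revoked = True
        return True


if __name__ == "__main__":
    store = ApiKeyStore()
    key_hash, full_key = store.create()
    print("show once:", full_key)
    print("stored   :", key_hash)
    print("verify   :", store.verify(full_key))
    store.revoke(key_hash)
    print("after revoke:", store.verify(full_key))
```

Because the lookup is by hash, a database leak yields only SHA-256 digests of high-entropy keys, which cannot be inverted or brute-forced in practice; a slow password hash such as PBKDF2 is unnecessary here because the keys are random rather than user-chosen.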
3. Webhook security
Each webhook endpoint is assigned a per-webhook HMAC-SHA256 signing secret. Every delivery includes an X-DocAI-Signature: sha256=… header so your endpoint can verify that the payload came from DocAI and was not tampered with in transit.
Verification example (Python):
import hashlib, hmac

def verify_signature(secret: str, payload: str, timestamp: str, header_sig: str) -> bool:
    # Recompute the MAC over "<timestamp>.<raw request body>" with this webhook's signing secret
    message = f"{timestamp}.{payload}"
    expected = hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison against the full X-DocAI-Signature header value
    return hmac.compare_digest(f"sha256={expected}", header_sig)
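To show the scheme end to end, here is an added example (not DocAI's own code) that signs a delivery the way the verification above expects and then verifies it, rejecting a modified body, a wrong secret, and a stale timestamp. The sample secret and payload are constructed, and the treatment of the timestamp as Unix seconds with a five-minute freshness window is an assumption added on the receiving side, not a documented DocAI behaviour.

```python
import hashlib
import hmac
import json
import time
from typing import Optional


def sign_delivery(secret: str, payload: str, timestamp: str) -> str:
    """Sender side: produce the X-DocAI-Signature value for one delivery."""
    message = f"{timestamp}.{payload}".encode()
    digest = hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_delivery(secret: str, payload: str, timestamp: str, header_sig: str,
                    now: Optional[float] = None, tolerance_s: int = 300) -> bool:
    """Receiver side: check the MAC first, then that the signed timestamp is fresh.

    The freshness window is an added defence against replaying a captured
    delivery; it is an assumption of this example, not a DocAI requirement.
    """
    expected = sign_delivery(secret, payload, timestamp)
    if not hmac.compare_digest(expected, header_sig):
        return False
    try:
        sent_at = int(timestamp)          # assumed format: Unix seconds as a string
    except ValueError:
        return False
    current = time.time() if now is None else now
    return abs(current - sent_at) <= tolerance_s


# Constructed sample delivery (values invented for this example)
SECRET = "whsec_constructed_example_secret"
PAYLOAD = json.dumps({"event": "example.event", "id": "doc_constructed_1"},
                     separators=(",", ":"))
TIMESTAMP = "1700000000"
SIGNATURE = sign_delivery(SECRET, PAYLOAD, TIMESTAMP)


if __name__ == "__main__":
    at = 1700000010
    print("genuine   :", verify_delivery(SECRET, PAYLOAD, TIMESTAMP, SIGNATURE, now=at))
    print("tampered  :", verify_delivery(SECRET, PAYLOAD + " ", TIMESTAMP, SIGNATURE, now=at))
    print("bad secret:", verify_delivery("other", PAYLOAD, TIMESTAMP, SIGNATURE, now=at))
    print("stale     :", verify_delivery(SECRET, PAYLOAD, TIMESTAMP, SIGNATURE, now=at + 86400))
```

When wiring this into a real handler, pass the raw request body bytes (decoded as received) as payload rather than re-serialising a parsed JSON object: any change in key order or whitespace produces a different MAC and a spurious verification failure.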
4. Document storage
- Uploaded files are processed in temporary server memory and never written to permanent storage. The file itself is deleted immediately after processing.
- Extraction results (fields, summaries, OCR text) may be saved to history if you click "Save to History." They are stored in the database under your user account.
- Saved analyses are retained for the configured retention period (default: 90 days) and can be deleted by you at any time.
- We do not train models on your documents.
5. LLM / OCR subprocessors
Document content (page images or OCR text) is sent to an AI provider (currently OpenAI or OVH AI Endpoints, as configured by the administrator) for field extraction. These providers act as subprocessors. You should review their data processing terms before uploading sensitive documents.
Beta warning: Do not upload medical records, identity documents, payroll information, or highly regulated documents during the beta period.
6. HTTP security headers
DocAI sets the following security headers on all responses:
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Strict-Transport-Security (HTTPS only)
- Content-Security-Policy
- Referrer-Policy: strict-origin-when-cross-origin
- Cross-Origin-Opener-Policy: same-origin
7. Responsible disclosure
If you discover a security issue, please email security@synairo.com. We aim to respond within 72 hours and address confirmed issues within 30 days. Please do not disclose publicly until a fix is available.
8. Infrastructure
DocAI is deployed on a private VPS with automated TLS via Caddy. Database and file storage are not exposed to the internet. Backups are encrypted at rest.