Security Overview
Learn how Document Stack protects your data, templates, and generated documents.
Security First
Document Stack is designed with security at every layer. Your templates, data, and generated PDFs are protected through encryption, access controls, and secure infrastructure.
Encryption
- In transit — All communication uses TLS 1.2+ (HTTPS). No data is ever sent unencrypted.
- At rest — Templates, data, and generated PDFs are encrypted at rest using AES-256.
- API keys — Stored as hashed values; plaintext keys are never stored after creation.
Authentication
- Session-based auth — Dashboard access uses secure, HttpOnly session cookies
- API key auth — Programmatic access uses Bearer token authentication
- SSO support — Enterprise SSO via SAML/OIDC (see SSO & Authentication)
- Password hashing — User passwords are hashed with bcrypt
Access Control
Document Stack uses organization-based access control:
- Every resource (template, project, API key) belongs to an organization
- Users can only access resources within their organizations
- Role-based permissions: Owner, Admin, Member (see Team Roles)
- API keys are scoped to the organization that created them
Organization Isolation
Data is strictly isolated between organizations. There is no way for one organization to access another's templates, data, or generated documents.
Infrastructure Security
- Hosted on SOC 2 compliant cloud infrastructure
- Network isolation between services
- Regular security patching and updates
- DDoS protection and rate limiting
- Helmet security headers enabled
- CORS restricted to authorized domains
API Security
- Rate limiting to prevent abuse (see Rate Limits)
- Request body size limits (5MB maximum)
- Input validation with strict schemas (Zod)
- No SQL injection — all queries use parameterized ORM (Drizzle)
- CORS whitelist prevents unauthorized origins
Data Handling
- Template data sent via API is used only for PDF generation
- Generated PDFs are stored temporarily and purged automatically
- No data is shared with third parties
- You control data retention through your usage patterns
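Because template data is sent to the API for PDF generation, and the Sensitive Data section advises against including SSNs or credit card numbers, a client-side pre-flight scan can flag such values before a request is made. This is an added example, not Document Stack code or part of any SDK; `findSensitive`, `luhnValid`, and `samplePayload` are hypothetical names, and the patterns assume US-format SSNs and Luhn-valid 13 to 19 digit card numbers.

```javascript
// Added example: scan template data on the client before it is sent.
// Hypothetical helper names; not part of any Document Stack SDK.

// US SSN in AAA-GG-SSSS form, excluding ranges that are never issued.
const SSN_RE = /\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b/g;
// 13 to 19 digits, optionally separated by single spaces or hyphens.
const CARD_RE = /\b\d(?:[ -]?\d){12,18}\b/g;

// Luhn checksum: filters out order numbers and other long digit runs.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Walk nested objects and arrays, reporting the path and kind of each hit.
// The matched value itself is never returned, so findings are safe to log.
function findSensitive(value, path = '$', hits = []) {
  if (typeof value === 'string' || typeof value === 'number') {
    const text = String(value);
    if (text.match(SSN_RE)) hits.push({ path, kind: 'ssn' });
    const hasCard = (text.match(CARD_RE) || [])
      .some((m) => luhnValid(m.replace(/[ -]/g, '')));
    if (hasCard) hits.push({ path, kind: 'card' });
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findSensitive(v, `${path}[${i}]`, hits));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) findSensitive(v, `${path}.${k}`, hits);
  }
  return hits;
}

// Constructed sample payload (well-known test values only).
const samplePayload = {
  customer: { name: 'Ada Example', taxId: '123-45-6789' },
  lines: [{ note: 'Paid with 4111 1111 1111 1111' }, { note: 'Order 1234567890123' }],
};

const findings = findSensitive(samplePayload);
if (findings.length) console.log('Blocked before send:', findings);
```

The 13-digit order number in the sample matches the digit pattern but fails the Luhn check, so it is not reported.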
Compliance
Document Stack is designed to help you meet common compliance requirements:
| Standard | Status |
|---|---|
| GDPR | Compliant — data processing controls, deletion support |
| SOC 2 Type II | Infrastructure provider compliant |
| HIPAA | Available with BAA on enterprise plans |
| PCI DSS | Not applicable — we don't process payments directly |
Sensitive Data
Avoid sending highly sensitive data (SSNs, credit card numbers) in API payloads unless absolutely necessary. If you must, contact us about enhanced security options.
Security Reporting
If you discover a security vulnerability, please report it responsibly:
- Email: security@documentstack.dev
- Do not disclose publicly until we have addressed the issue
- We acknowledge reports within 48 hours
Next Steps
- Data Privacy — Privacy policies and data handling
- API Key Security — Secure your API keys
- Audit Logging — Track activity in your org