How DocTracker protects your documents
DocTracker is designed with a security-first architecture. All requests are authenticated, access to data is scoped to individual workspaces, and sensitive operations are validated on the server.
This page describes the security mechanisms that are currently implemented in the product.
Overview
Security at DocTracker is based on layered controls across identity, API validation, workspace isolation, and file handling. We combine authentication, authorization, input validation, and activity logging to reduce risk across the full document lifecycle.
Data protection
Sensitive account tokens, such as email verification and password reset tokens, are stored as hashes rather than plaintext. Expired tokens and sessions are cleaned up by scheduled jobs.
Database connections are configured with TLS and certificate verification. Integration credentials are encrypted before storage.
Authentication and account security
- Email verification is required before access to protected areas.
- Passwords are hashed using modern industry-standard algorithms.
- Login and account recovery endpoints are rate-limited.
- Optional MFA is available with authenticator app codes and one-time backup codes.
- Session cookies are set as HTTP-only and sessions are validated server-side.
- Password reset revokes active sessions for the account.
Access control
DocTracker enforces role-based access and server-side permission checks for sensitive operations. Administrative actions are restricted to workspace owners.
Data access is scoped to workspace boundaries in database queries. Client-facing document operations are additionally restricted to the authenticated client account.
Infrastructure security
The service is deployed on a managed cloud platform that provides infrastructure-level security controls.
Application secrets and integration credentials are configured through environment variables and are not hardcoded in runtime business logic.
File storage security
DocTracker supports cloud object storage and Google Drive integrations. Storage paths are namespaced by workspace.
Uploaded files are validated against allowed types, size, and upload limits.
For direct object-storage uploads, short-lived signed upload URLs are used.
Audit logs
DocTracker records activity logs for key account, document, reminder, and billing events. Workspace owners can review these logs in the application.
Acceptance records are also stored with a timestamp and request metadata to support accountability.
Responsible disclosure
If you discover a potential security issue, report it using the in-app Report bug form from an authenticated account. Please include reproduction steps and technical details so we can investigate quickly.
Please act in good faith and avoid accessing, modifying, or deleting data that does not belong to you. Any attempt to intentionally access data or systems without authorization may violate applicable laws.