Security at ArchDoc
Your data and your team’s data are important. We take security seriously and are committed to protecting your information with industry-standard practices.
Last updated: February 22, 2026
Our Security Practices
Encryption in Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and redirect all HTTP traffic automatically.
Encryption at Rest
Databases and file storage are encrypted at rest using AES-256. Backups are encrypted before being written to storage.
Authentication & Access Control
Passwords are hashed using bcrypt with a work factor tuned for modern hardware. We support multi-factor authentication (MFA). OAuth tokens for GitHub integrations are encrypted before storage.
Role-Based Access Control (RBAC)
Every workspace enforces fine-grained role-based permissions. Users can only access documents and features permitted by their assigned role. Admin actions are logged for audit purposes.
Monitoring & Logging
We maintain detailed audit logs for authentication events, admin actions, and sensitive data access. Logs are retained for up to 12 months and reviewed for anomalous activity.
Infrastructure Security
Our infrastructure is hosted on industry-leading cloud providers. We use private networking, firewall rules, and principle-of-least-privilege IAM policies to isolate and protect production systems.
Responsible Disclosure / Vulnerability Reporting
We appreciate the work of security researchers and the broader security community. If you discover a vulnerability in our systems or application, please report it to us privately before disclosing it publicly so we can address it promptly.
Please report security vulnerabilities by emailing us at contactarchdoc@gmail.com. Include as much detail as possible: steps to reproduce, potential impact, and any supporting materials (screenshots, proof-of-concept code). We will acknowledge receipt within 3 business days and aim to provide an initial assessment within 10 business days.
Our commitments to you:
- We will not pursue legal action against researchers who follow responsible disclosure principles.
- We will work with you to understand and validate the issue.
- We will keep you informed of our progress toward a fix.
- We will publicly acknowledge your contribution (with your permission) after the issue is resolved.
Please do not: access or modify data belonging to other users, perform denial-of-service attacks, spam users, or disclose the vulnerability publicly before we have had a reasonable opportunity to remediate it.
Data Privacy & Compliance
Our security programme is designed to support compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the CPRA, and other applicable data protection laws.
- Access minimisation: employees access production data only when required to resolve support issues or incidents, under strict internal policies.
- Data processing agreements: all sub-processors handling personal data are under written DPAs that meet GDPR requirements.
- Breach notification: in the event of a personal data breach, we will notify affected users and relevant supervisory authorities within the timeframes required by law (72 hours under GDPR; without unreasonable delay under CCPA).
- Data minimisation: we collect only the personal data necessary to provide the Service.
For full details of how we handle your personal data, please read our Privacy Policy.
Key Sub-processors
We rely on the following third-party sub-processors to deliver the Service. Each is subject to a Data Processing Agreement and appropriate security standards.
| Sub-processor | Purpose | Data location |
|---|---|---|
| Cloud hosting provider | Infrastructure, databases, file storage | United States / EU |
| Payment processor | Billing and subscription management | United States |
| Google LLC (Analytics) | Aggregated usage analytics | United States |
| Google LLC (Ads) | Conversion tracking and advertising | United States |
| Email delivery provider | Transactional and notification emails | United States |
| GitHub, Inc. | Repository sync (OAuth, API) | United States |
Contact Our Security Team
For security inquiries, vulnerability reports, or questions about our security programme, reach out to us directly.
Security disclosures: contactarchdoc@gmail.com
General privacy contact: privacy@archdoc.dev
Website: https://archdoc.dev
