Trust

Security at DocParse

The practices that protect your documents and data. Forward this page to your IT or security team — and email hello@docparse.in with any question; a founder answers.

Encryption

All traffic to the dashboard, API and webhook endpoints is encrypted in transit with TLS. Documents and extracted data are encrypted at rest by our storage providers. File downloads use short-lived signed URLs that expire after one hour — there are no permanently public file links.

AI data handling

Documents are sent to our large-language-model provider (Google Gemini) solely to extract or classify the data you requested. The structured output comes back to your workspace, and that's it — your documents are never used to train models, by us or by any third party, and we never sell your data.

Access control

Access to production systems is restricted to the founders. API keys are stored as SHA-256 hashes — we cannot see a key after it's created — and every key can be rotated or revoked instantly from the dashboard, with usage visible per key. Each workspace's data is scoped to its owner; one customer can never query another's documents.

Webhooks you can verify

Every outbound webhook is signed with HMAC-SHA256 using a per-endpoint secret, following the Standard Webhooks specification, and carries a timestamp to protect against replay. Your systems can cryptographically verify that every delivery came from us.

Payments

Payments are processed by our merchant of record, Dodo Payments. Card numbers never touch our servers — we never see or store them.

Infrastructure & subprocessors

DocParse runs on a small, audited set of providers: Google Cloud (AI processing & hosting), Supabase (database & storage), Vercel (web hosting), Resend and Brevo (transactional and inbound email), Dodo Payments (payments), Sentry (error monitoring) and PostHog (product analytics). The full list and how each is used is in our Privacy Policy.

Retention & deletion

Your documents stay in your workspace for as long as your account is active. You can delete individual documents, batches or whole extractions from the dashboard at any time — deletion is immediate. Full account deletion is completed within 30 days of request.

Monitoring & reliability

Errors are tracked in real time and failed document processing is never charged. Processing retries transient failures automatically, and anything that can't be processed cleanly lands in the review queue instead of silently producing bad data.

Reporting a vulnerability

If you believe you've found a security issue, email hello@docparse.in with the details. We read every report, respond quickly, and will credit researchers who report responsibly.