Security

Your clients trust you with their documents. Here's how we protect them.

Zendoc is built for firms that handle sensitive client files every day. This page describes exactly what we do — concrete mechanisms, not badges — so you can evaluate us honestly.

How your documents are protected

  • All traffic is served over HTTPS with a strict security-header policy: HSTS, a Content Security Policy, frame denial (anti-clickjacking), and content-type sniffing protection.
  • Documents are encrypted at rest in Cloudflare R2 object storage; application data lives in Convex. Both providers maintain their own compliance programs.
  • Every file is scoped to your workspace. Role-based access controls determine which team members can see client documents.
  • Clients access their portal through unique, per-engagement tokens — no shared logins, no passwords for clients to leak.
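A firm evaluating these claims can check the header policy itself. The script below is an added example written for this page, not Zendoc's own code: it takes a response's headers and reports whether each control in the list above is present and set to a value worth having. It assumes that "frame denial" means X-Frame-Options or a CSP frame-ancestors directive and that "content-type protection" means X-Content-Type-Options: nosniff; the pass thresholds (a one-year HSTS max-age, no wildcard script sources) are the reviewer's bar, not something the page states. The sample headers are constructed for the demo, not captured from any real site.

```python
"""Check an HTTP response's security headers against a strict-header policy.

Added example, not Zendoc's code. Assumptions: "frame denial" is
X-Frame-Options / CSP frame-ancestors, "content-type protection" is
X-Content-Type-Options: nosniff; thresholds are the reviewer's own.
"""
import re
import urllib.request
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, bool, str]  # (control, passed, detail)

ONE_YEAR = 31536000  # HSTS max-age in seconds that preload lists expect


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; normalise them for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split "default-src 'self'; script-src 'self' cdn" into a directive map."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def check_security_headers(raw_headers: Dict[str, str]) -> List[Finding]:
    h = _lower_keys(raw_headers)
    findings: List[Finding] = []

    # HSTS: must exist, and max-age should cover at least a year so the
    # browser never falls back to plaintext between visits.
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    max_age = int(m.group(1)) if m else 0
    subs = "includesubdomains" in hsts.lower()
    findings.append(("hsts", max_age >= ONE_YEAR,
                     f"max-age={max_age}, includeSubDomains={subs}"))

    # CSP: must exist and must not let scripts load from anywhere. With no
    # script-src and no default-src there is no restriction at all.
    csp = h.get("content-security-policy")
    frame_ancestors: Optional[List[str]] = None
    if csp is None:
        findings.append(("csp", False, "header missing"))
    else:
        policy = parse_csp(csp)
        script_src = policy.get("script-src", policy.get("default-src", []))
        unrestricted = "*" in script_src or not script_src
        findings.append(("csp", not unrestricted, f"script-src={script_src}"))
        frame_ancestors = policy.get("frame-ancestors")

    # Frame denial: X-Frame-Options DENY/SAMEORIGIN, or CSP frame-ancestors
    # limited to 'none'/'self'. Browsers that support both prefer the CSP one.
    xfo = h.get("x-frame-options", "").strip().upper()
    fa_ok = frame_ancestors is not None and set(frame_ancestors) <= {"'none'", "'self'"}
    findings.append(("frame-denial", xfo in ("DENY", "SAMEORIGIN") or fa_ok,
                     f"x-frame-options={xfo or '-'}, frame-ancestors={frame_ancestors}"))

    # nosniff: stops a browser from treating an uploaded file as script or HTML
    # because it guessed a different type than the server declared.
    xcto = h.get("x-content-type-options", "").strip().lower()
    findings.append(("nosniff", xcto == "nosniff", f"x-content-type-options={xcto or '-'}"))
    return findings


def failing_controls(raw_headers: Dict[str, str]) -> List[str]:
    """Names of the controls that did not pass, in check order."""
    return [name for name, ok, _ in check_security_headers(raw_headers) if not ok]


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch live headers with a HEAD request (network; not used by the offline demo)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample responses for the offline demo (not captured from any site).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",   # lapses before the next visit
    "Content-Security-Policy": "default-src *",  # scripts from anywhere
    "X-Frame-Options": "ALLOWALL",               # not a valid denial value
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label)
        for name, ok, detail in check_security_headers(hdrs):
            print(f"  {'PASS' if ok else 'FAIL'} {name:13} {detail}")
```

To run it against a live origin, replace the sample dict with `fetch_headers("https://<host>/")`; the checks are the same. Note that a missing CSP and a present but wildcard CSP are both reported as failures, since either leaves script loading unrestricted.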

Accountability and audit

  • Signed documents carry a tamper-evident audit trail: IP address, timestamp, user agent, and per-field events, flattened into the final PDF server-side.
  • Workspace activity is logged — uploads, reviews, sends, and settings changes are attributable to a person and a time.
  • Day-to-day use never hard-deletes anything: deletions are soft, and the record stays available for audit until it is purged.

How the AI handles your data

  • Zendoc's document review runs on Anthropic's Claude models via API. API inputs are not used to train Anthropic's models.
  • We do not train models on your documents. Ever.
  • AI review is suggestion-only: it flags potential issues (wrong document type, illegible scans, missing pages) for your staff to review. It does not reject client submissions on its own, and nothing AI-drafted reaches a client without a human sending it.
  • AI usage is metered per workspace with a monthly spend cap you control.

Authentication and account security

  • Team authentication is handled by WorkOS: email/password, Google or GitHub OAuth, and magic links for the client portal.
  • Outbound messaging honors suppression lists, per-customer throttles, and SMS STOP/START compliance out of the box.

What we don't claim

  • We are not yet SOC 2 certified — that program starts once our first firms are live, and we'd rather tell you that plainly than imply otherwise.
  • If your firm needs a DPA, a security questionnaire filled in, or specifics on data residency before a pilot, email us — we answer those directly and honestly.

Questions before a pilot?

Security reviews, DPAs, and data-handling questions go straight to the founder: security@zendoc.ai.