Security at DocStow
Your family documents contain the most sensitive information in your life. Here's exactly how we keep them safe.
Security is not a feature at DocStow — it's a precondition. Every design decision we make is filtered through one question: "would I be happy to store my own passport here?" The answer has to be yes, or we don't ship.
DocStow is operated by Infadale Solutions, New Zealand. NZBN: 9429053662200.
Encryption
At rest
Documents and application data are protected using provider-managed encryption at rest, encrypted database and storage services, and strict access controls around production systems.
In transit
All traffic between your device and DocStow is served over HTTPS. We enforce HSTS with preload, so browsers refuse to connect over plain HTTP: with the site on the browser preload list this applies from the very first visit, not only after a browser has already seen the site.
Data residency
Your documents are stored in Supabase's Sydney (ap-southeast-2) region, hosted on AWS. We chose this region for proximity to New Zealand and Australian households. Some service providers may process limited operational, billing, email, or AI-extraction data in other regions as described in the Privacy Policy.
Database isolation & Row Level Security
DocStow runs on PostgreSQL with Row Level Security (RLS) enforced at the database layer. Every query — even if it came from a bug in our application code — is automatically filtered so that you can only ever see documents and data belonging to your own household. This is a belt-and-braces approach: even in the unlikely event of an application-level vulnerability, the database itself will refuse to return other users' data.
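As an illustration of what household-scoped RLS looks like on Supabase/PostgreSQL (added here as an example, not DocStow's actual schema or policies): the table names, columns and the my_household_ids() helper are assumptions, while auth.uid() is Supabase's built-in function that returns the calling user's id from their session token.

```sql
-- Added example, not DocStow's schema: household-scoped Row Level Security.
-- Table and column names are assumptions.

create table household_members (
  household_id uuid not null,
  user_id      uuid not null references auth.users (id),
  role         text not null check (role in ('owner', 'adult', 'child')),
  primary key (household_id, user_id)
);

create table documents (
  id           uuid primary key default gen_random_uuid(),
  household_id uuid not null,
  title        text not null,
  storage_path text not null,
  created_by   uuid not null default auth.uid()
);

-- Deny by default: once RLS is enabled, a table with no matching policy
-- returns no rows and accepts no writes, whatever the application asks for.
alter table documents enable row level security;
alter table household_members enable row level security;

-- Helper: the households the calling user belongs to. security definer lets
-- the policy read household_members without recursing into that table's RLS.
create or replace function my_household_ids()
returns setof uuid
language sql stable security definer set search_path = public as $$
  select household_id from household_members where user_id = auth.uid()
$$;

-- A member may read any document in a household they belong to...
create policy documents_select on documents
  for select using (household_id in (select my_household_ids()));

-- ...and may only create documents inside such a household.
create policy documents_insert on documents
  for insert with check (household_id in (select my_household_ids()));

-- Members can see their own membership rows. Deleting a row here (revoking
-- household access) removes the user's document visibility immediately.
create policy members_select on household_members
  for select using (user_id = auth.uid());
```

These policies only bind for requests made with the user's own session token; Supabase's service_role key bypasses RLS by design, so it belongs on trusted servers and must never be shipped to the browser.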
Authentication
- Passwords are stored as salted, one-way hashes using industry-standard algorithms (bcrypt family). We cannot see or recover your password, even internally.
- Session tokens are short-lived, signed, and rotated automatically.
- Multi-factor authentication (MFA) tools are available to users, and we continue to expand account-protection options over time.
- Rate limiting is applied to sensitive mutation and authentication surfaces, with additional protections supplied by Supabase Auth.
Access control
Access to production systems at DocStow follows the principle of least privilege. Production access is limited to people who need it to operate and support the service. Customer documents are not accessed for support unless required to resolve a request and authorised by the customer.
Sharing & household permissions
When you invite a family member to your household, they can access the documents and cards available to that household role. You can revoke household access from the family and settings areas.
Temporary secure links are intended for short-lived document sharing when a record needs to be provided outside the household. Treat these links like any other sensitive document access: share only with the intended recipient and revoke or let them expire when the task is done.
File validation and document handling
DocStow validates uploaded files by size, type, and server-side file inspection before storage. This helps reduce accidental uploads of unsupported files and adds a security boundary beyond browser-only checks. Supported document workflows are designed for common household records such as passports, insurance policies, warranties, receipts, vehicle paperwork, medical documents, school records, and property documents.
Customer-controlled data actions
Customers can export account data and request account deletion through settings. These controls are part of the security model because sensitive household records should not be trapped inside a service. Export and deletion flows are also covered in our Data Protection statement and Privacy Policy.
Backups & disaster recovery
Our managed infrastructure provides backup and recovery controls for database and storage services. Account deletion removes customer data from active systems, with backup retention handled according to our Privacy Policy and provider retention controls.
Secure software development
- Changes are reviewed and validated before production deployment.
- Dependency and platform updates are reviewed for known vulnerabilities and security advisories.
- Local linting, build checks, and secret hygiene checks are part of the release workflow.
- Public security headers, redirect rules, and deployment configuration are version-controlled.
- All production secrets are stored in a managed secret store, never in source code.
No AI training on your data
We do not — and will never — use your documents to train machine learning models. When you opt in to our AI-powered metadata extraction features, the content you choose to process is sent to OpenAI through its business API workflow. We minimise what is sent, treat AI extraction as optional, and rely on vendor terms that do not permit your content to be used to train public models. You can turn AI features off at any time.
Responsible disclosure
If you believe you've found a security vulnerability in DocStow, please report it confidentially to security@docstow.com. We ask that you give us a reasonable window to investigate and fix the issue before any public disclosure. We gratefully acknowledge responsible reporters and are working on a formal bug-bounty program.
Incident response
In the unlikely event of a security incident that affects customer data, we will notify affected users and the New Zealand Office of the Privacy Commissioner (and other relevant authorities) as required by the Privacy Act 2020 and applicable international laws. We review incident-response procedures as the platform evolves.
Security improvements
Current security improvement areas include broader audit readiness, stronger customer-facing security controls, and an ongoing bug-bounty program.
Public security updates and operational trust improvements are also summarised on the Security Trust Center.
Questions?
Security questions, audits or vendor reviews? Email security@docstow.com. For account support rather than vulnerability reporting, email support@docstow.com.