SoftDocket

Data security

The technical and operational controls SoftDocket uses to protect customer data. A detailed companion to the public Security page. Last updated June 25, 2026.

This page describes how SoftDocket protects customer data across the application, infrastructure, and operations layers. It is a public, marketing-grade summary; the authoritative description is in the Data Processing Addendum (DPA) we sign with each Enterprise customer.

1. Encryption

  • In transit: TLS 1.2+ for every public endpoint; HSTS preload enrolled; modern cipher suites only.
  • At rest: AES-256 disk encryption for application databases, object storage, and backups.
  • Application-level: sensitive fields (passwords, payment tokens, secret API keys) hashed or encrypted in addition to disk-level protection.
  • Key management: managed KMS; automatic rotation; envelope encryption for sensitive blobs.

2. Tenant isolation

  • Row-level tenant ID enforced in every application query.
  • Separate per-tenant signing keys for outbound webhooks.
  • Enterprise option: dedicated tenant + dedicated database; private VPC / on-prem available.
  • Authoritative isolation tests run on every release; tenant-crossing bugs are P0 with public post-mortems.

3. Access control

  • SSO: Google + Microsoft OIDC included; SAML + SCIM on Enterprise.
  • RBAC: 20+ built-in roles; custom roles on Enterprise.
  • MFA: required for admin roles, optional for others. WebAuthn supported.
  • Internal access: SoftDocket engineering accesses customer data only under a documented break-glass procedure, with a full audit trail and customer notification on a defined cadence.

4. Monitoring + audit

  • Centralised, append-only audit log of every administrative action; default 1-year retention, 7 years on Enterprise.
  • Application + infrastructure telemetry shipped to a SIEM; alerting on anomalous access patterns.
  • Read-only audit-log export available on Enterprise for customer SOC ingestion.

5. Vulnerability management

  • Dependency scanning + SAST on every PR; high-severity findings block merge.
  • DAST scans run weekly against staging.
  • Third-party penetration test annually (cadenced from R1 S9.5 per RELEASE_PLAN §H.9). Summary letter available under NDA.
  • Coordinated disclosure: report to [email protected]. Safe-harbour terms on the public Security page.

6. Backup, retention, deletion

  • Encrypted, geographically separated daily backups; 30-day retention; restore tested quarterly.
  • Per-data-class retention schedule documented in the DPA.
  • Customer-initiated export anytime in standard formats (CSV / JSON / SQL dump on request).
  • Tenant deletion: hard-delete within 30 days of contract end (or shorter on request), with deletion certificate.

7. Data residency

  • Default: India region (Mumbai / Hyderabad availability zones).
  • Enterprise: EU, US, or sovereign-cloud regions on request.
  • No customer data leaves the chosen region for primary processing; transactional support metadata may cross regions per the DPA.

8. Incident response

  • 24×7 on-call for severity-1 incidents; documented runbooks; quarterly tabletop exercises.
  • Confirmed personal-data breach: customer notification within 72 hours (DPDP / GDPR aligned).
  • Public post-mortems for material customer-facing incidents.

9. Business continuity

  • Multi-AZ production deployment; documented RTO 4 hours, RPO 1 hour (Enterprise).
  • Quarterly DR drills with documented results.
  • BCP / DR plan summary available under NDA.

For SOC 2 reports, CAIQ + SIG Lite responses, pen-test summaries, sub-processor list, DPA, MSA, and BCP / DR plan summary, email [email protected].