DocBeacon

Security & Compliance

DocBeacon is designed with security and privacy-by-default principles. This page summarizes our current security controls, data protection measures, and compliance posture based on our implementation and hosting model. It complements (but does not replace) our Privacy Policy and Terms of Service.

1. Data Storage and Encryption

  • Storage Providers: DocBeacon supports multiple storage backends configured via environment variables. For Amazon S3 or Cloudflare R2, we generate short-lived presigned URLs for secure access to private objects.
  • Server-Side Encryption (S3/R2): Where S3/R2 is used, server-side encryption with AES256 is enabled for stored objects as part of our default configuration.
  • Cloudflare R2: When using Cloudflare R2, we use its S3-compatible API with presigned URLs for secure access. All uploads are private by default and accessed through time-limited signed URLs.
  • Hashing and Integrity: For uploaded documents, we calculate content hashes (e.g., SHA-256) to support integrity checks and deduplication where applicable.
  • Transport Security: All traffic to the DocBeacon application is served over HTTPS using TLS. When accessing files via presigned URLs, the links are likewise served over HTTPS.

2. Authentication and Session Security

  • Passwords: We hash passwords using bcrypt with a cost factor of 12 by default (configurable), and we never store plaintext passwords.
  • JWT Sessions: We issue JSON Web Tokens (JWT) with a default expiration of 7 days. Tokens are signed with a secret configured via environment variables. Rotation or shorter lifetimes can be configured based on your risk profile.
  • Session Store: We maintain session records in our database to support login state and revocation workflows, and to enforce lockouts where applicable.
  • Login Protection: We enforce account lockouts after repeated failed attempts (default max attempts 5; default lockout 15 minutes). These values are configurable.
  • OAuth: We support Google OAuth and implement CSRF protections and redirect URL validation as part of the provider flow.
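
The JWT and session-store controls above can be illustrated together. This is an added example, not DocBeacon's code: it assumes HS256 as the signing algorithm (the page only says tokens are signed with a secret), uses a dict as a stand-in for the database session table, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets

TOKEN_TTL_SECONDS = 7 * 24 * 3600  # the page's default JWT lifetime (7 days)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret: bytes, signing_input: str) -> str:
    return _b64(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())

def issue_token(secret, sessions, user_id, now):
    """Create a session record and return an HS256 JWT that references it."""
    session_id = secrets.token_urlsafe(16)
    sessions[session_id] = user_id  # assumed stand-in for the session table
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "jti": session_id,
              "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_sign(secret, header + '.' + body)}"

def verify_token(secret, sessions, token, now):
    """Return the claims if authentic, unexpired and not revoked, else None."""
    try:
        header, body, signature = token.split(".")
        # Check the MAC before parsing anything the client controls.
        if not hmac.compare_digest(signature, _sign(secret, header + "." + body)):
            return None
        if json.loads(_unb64(header)).get("alg") != "HS256":  # pin the algorithm
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    if sessions.get(claims.get("jti")) != claims.get("sub"):  # revoked or unknown
        return None
    return claims
```

Deleting the session record is what makes revocation take effect before the 7-day expiry; without that lookup a signed token stays valid until `exp`.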

3. Cookies and Consent

  • Essential Cookies: We use essential cookies required to operate the Service (e.g., authentication, session continuity, security).
  • Analytics: We may use privacy-conscious analytics with appropriate consent or opt-out mechanisms depending on jurisdiction.
  • Consent Banner: Where required, we display cookie consent notices and honor your preferences for non-essential cookies.

4. Document Sharing and Access Controls

  • Download Controls: Owners can disable downloads for shared documents; when disabled, the UI and underlying routes restrict direct file export.
  • Dynamic Watermark: Optional dynamic watermarks can be applied to deter unauthorized sharing.
  • Link Expiration: Share links can be configured to expire after presets (e.g., 3 days, 1 week, 1 month) or a custom date.
  • Password Protection: We support password gating for site access and account-level flows. For document-level access, use link expiration, download disablement, and watermarking today; additional share-password features may be introduced based on demand.
  • View-Only Mode: Certain links can be restricted to preview-only experiences to reduce data exfiltration risk.
  • Presigned URLs (S3/R2): For S3/R2 storage, downloads are served via presigned URLs with a short expiration to prevent long-lived public exposure.
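
The presigned-URL claims in sections 1 and 4 (short expiry, HTTPS only) can be checked from the link itself, because SigV4 presigned URLs carry their signing time and lifetime as query parameters. This is an added example, not DocBeacon's code: the 900-second ceiling is an assumed policy value (the page gives no number), and the sample URLs and the function name are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Assumed policy ceiling for "short-lived"; the page does not state a number.
MAX_LIFETIME_SECONDS = 900
REQUIRED = ("X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
            "X-Amz-Expires", "X-Amz-SignedHeaders", "X-Amz-Signature")

def audit_presigned_url(url, now, max_lifetime=MAX_LIFETIME_SECONDS):
    """Return a list of policy findings for a SigV4 presigned URL (empty = OK)."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("not served over HTTPS")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    missing = [name for name in REQUIRED if name not in params]
    if missing:
        findings.append("missing SigV4 parameters: " + ", ".join(missing))
        return findings
    if params["X-Amz-Algorithm"] != "AWS4-HMAC-SHA256":
        findings.append("unexpected signing algorithm")
    try:
        lifetime = int(params["X-Amz-Expires"])
        signed_at = datetime.strptime(
            params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        findings.append("malformed X-Amz-Date or X-Amz-Expires")
        return findings
    if lifetime > max_lifetime:
        findings.append(f"lifetime {lifetime}s exceeds policy of {max_lifetime}s")
    if now >= signed_at + timedelta(seconds=lifetime):
        findings.append("link has already expired")
    return findings

# Constructed sample links (placeholder host, key id and signature).
_BASE = ("https://files.example.invalid/docs/report.pdf"
         "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
         "&X-Amz-Credential=EXAMPLEKEY%2F20240501%2Fauto%2Fs3%2Faws4_request"
         "&X-Amz-Date=20240501T120000Z&X-Amz-SignedHeaders=host"
         "&X-Amz-Signature=" + "0" * 64)
SHORT_LIVED = _BASE + "&X-Amz-Expires=300"
LONG_LIVED = _BASE + "&X-Amz-Expires=604800"
NOW = datetime(2024, 5, 1, 12, 2, 0, tzinfo=timezone.utc)
```

The audit reads only what the URL declares; the storage service still enforces the signature and expiry when the link is used.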

5. Auditability and Logging

  • Activity Logs: We maintain logs of key user actions (login, document upload, sharing) for security monitoring and incident response.
  • Access Logs: Server access logs are maintained for troubleshooting and security analysis.
  • Retention: Log retention periods are configurable and follow data minimization principles.

6. Infrastructure Security

  • Hosting: DocBeacon can be deployed on various cloud platforms with appropriate security configurations.
  • Database Security: Database connections use encrypted channels and access is restricted to authorized services.
  • Environment Variables: Sensitive configuration (API keys, secrets) is managed through environment variables and not stored in code.
  • Updates: We maintain current versions of dependencies and apply security patches promptly.

7. Incident Response

  • Security Incidents: We have procedures for identifying, containing, and responding to security incidents.
  • Notification: In case of data breaches affecting personal information, we will notify affected users and relevant authorities as required by applicable law.
  • Contact: Security concerns can be reported to security@docbeacon.io.

8. Compliance and Certifications

  • GDPR: DocBeacon implements privacy-by-design principles and provides tools for data subject rights under GDPR.
  • Data Processing Agreement (DPA): For enterprise customers, we can provide a Data Processing Agreement upon request.
  • SOC 2: We are working toward SOC 2 Type II compliance and will update this page as certifications are obtained.

9. Data Retention and Deletion

  • User Control: Users can delete their documents and account data at any time through the application interface.
  • Automated Cleanup: We implement automated cleanup processes for expired shares and temporary files.
  • Backup Retention: Backup data is retained according to our backup policy and is securely deleted when no longer needed.

10. Contact and Updates

This security page is updated regularly to reflect our current practices. For specific security questions or to report vulnerabilities, please contact us at security@docbeacon.io.

This Security & Compliance page should be read in conjunction with our Privacy Policy and Terms of Service.

DocBeacon is operated by VIOware Technologies Co.