Updated June 2026

Security Overview

NeuDocs is built for accounting, bookkeeping, and tax firms handling sensitive client documents. This page summarises the security controls in place, in plain language — and makes only claims that are actually implemented today.

Staff authentication and MFA

Staff accounts require multi-factor authentication (MFA). Sign-in is handled through Supabase Auth with email credentials, and staff cannot reach the application without passing MFA. Magic links sent to clients are single-use, short-lived, and revocable.

Tenant isolation

Every firm's data is strictly isolated at the database level using Postgres row-level security (RLS), enforced on every query. The organisation ID is set as a session variable at the start of each transaction and all tenant-scoped queries are bound to it. A staff member from one firm cannot read or modify another firm's records, clients, or files — even if they guess an ID.
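The row-level-security pattern described above, written out as an added example in Postgres SQL. This is not NeuDocs' own schema: the `documents` table, the `app.org_id` setting name and the `current_org_id()` helper are assumptions chosen to illustrate the mechanism.

```sql
-- Added example (not NeuDocs' own schema): tenant isolation with Postgres RLS.
-- Assumes a hypothetical "documents" table with an "org_id" column, and that the
-- application binds the tenant in a transaction-local setting "app.org_id".

CREATE TABLE IF NOT EXISTS documents (
    id      bigserial PRIMARY KEY,
    org_id  uuid NOT NULL,
    title   text NOT NULL
);

-- Enable RLS and FORCE it so the table owner has no privileged path around the policy.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- Read the org bound to this transaction. The second argument (true) makes
-- current_setting return NULL instead of raising when nothing is bound, so a
-- query run outside a tenant context matches zero rows rather than failing open.
CREATE OR REPLACE FUNCTION current_org_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.org_id', true), '')::uuid;
$$;

-- One policy covering SELECT, INSERT, UPDATE and DELETE (FOR ALL is the default).
-- USING filters rows that can be seen or touched; WITH CHECK stops an INSERT or
-- UPDATE from writing a row into another tenant's org_id.
CREATE POLICY tenant_isolation ON documents
    USING (org_id = current_org_id())
    WITH CHECK (org_id = current_org_id());

-- Application side, once per request. SET LOCAL is reverted at COMMIT/ROLLBACK,
-- so a pooled connection cannot carry one tenant's binding into the next request.
BEGIN;
SET LOCAL app.org_id = '11111111-1111-1111-1111-111111111111';  -- constructed tenant id
-- Guessing another firm's document id returns zero rows, not an error that confirms it exists.
SELECT id, title FROM documents WHERE id = 42;
COMMIT;
```

Two checks worth keeping in mind with this pattern: roles marked `SUPERUSER` or `BYPASSRLS` still bypass every policy, so the application should connect as an ordinary role; and the binding must use `SET LOCAL` (or `set_config(..., true)`) rather than plain `SET`, otherwise a connection pool can leak the setting across requests.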

File storage

All uploads are stored in private buckets (Supabase Storage) — there are no public file URLs. Every upload and download uses a short-lived signed URL generated server-side, which expires after a few minutes and cannot be reused. File type and size are validated server-side before an upload is accepted, and uploaded files are malware-scanned before any staff member can review or download them.

Encryption in transit

All traffic between users and NeuDocs is encrypted with TLS (HTTPS). We enforce HTTPS and set HTTP Strict Transport Security (HSTS); plain-HTTP connections are redirected.

Client portal links

Client upload links are single-use tokens — once accessed, the token is consumed and cannot be replayed. Clients never create an account, and a portal link grants access only to the specific document request it was issued for; it exposes no other firm or client data.
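An added example, in Postgres SQL, of how a single-use, expiring, revocable link can be enforced in one atomic statement. It is not NeuDocs' own code: the `portal_links` table, its columns and the `$1` parameter are assumptions.

```sql
-- Added example (not NeuDocs' own code): single-use portal link tokens.
-- Hypothetical table. Only a SHA-256 of the random token is stored, so reading
-- the table does not yield a usable link.

CREATE TABLE IF NOT EXISTS portal_links (
    id           bigserial PRIMARY KEY,
    request_id   bigint NOT NULL,        -- the one document request this link may reach
    token_hash   bytea NOT NULL UNIQUE,  -- sha256(token); the raw token is never stored
    expires_at   timestamptz NOT NULL,
    consumed_at  timestamptz,            -- NULL until first successful use
    revoked_at   timestamptz             -- NULL unless staff revoked the link
);

-- Issue a link: $1 = request id, $2 = freshly generated random token (generated in
-- the application; shown here only as a parameter). Short lifetime by default.
INSERT INTO portal_links (request_id, token_hash, expires_at)
VALUES ($1, sha256(convert_to($2, 'UTF8')), now() + interval '15 minutes');

-- Consume a link: $1 = the raw token presented by the client.
-- A single UPDATE both checks every condition and marks the token used, so two
-- concurrent requests with the same token cannot both succeed: the second one
-- sees consumed_at already set and updates zero rows.
UPDATE portal_links
   SET consumed_at = now()
 WHERE token_hash  = sha256(convert_to($1, 'UTF8'))
   AND consumed_at IS NULL
   AND revoked_at  IS NULL
   AND expires_at  > now()
RETURNING request_id;
-- 1 row  : valid; the caller proceeds with that request_id and nothing else.
-- 0 rows : unknown, expired, revoked or already used. All four cases look
--          identical to the caller, which avoids confirming which one applied.

-- Revoke a link before it is used: $1 = link id.
UPDATE portal_links
   SET revoked_at = now()
 WHERE id = $1 AND revoked_at IS NULL;
```

The design point is that the `RETURNING` value is the only thing the caller is given: the link resolves to exactly one `request_id`, so the portal code path never receives a firm or client identifier it could use to reach anything else.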

Audit logging

NeuDocs keeps an append-only audit log of key events: authentication, link access, file uploads and downloads, review actions, reminder sends, exports, and admin changes. Each record includes a timestamp, actor, and action. Raw file contents and secrets are never written to logs.
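An added Postgres SQL example of enforcing an append-only audit log at the database layer rather than by convention in application code. It is not NeuDocs' own schema: the `audit_log` table, the `app_user` role and the trigger name are assumptions.

```sql
-- Added example (not NeuDocs' own schema): an append-only audit log.
-- Hypothetical table and role names.

CREATE TABLE IF NOT EXISTS audit_log (
    id           bigserial PRIMARY KEY,
    occurred_at  timestamptz NOT NULL DEFAULT now(),
    actor        text NOT NULL,   -- who acted, e.g. a staff user id or "portal-link"
    action       text NOT NULL,   -- e.g. 'auth.login', 'file.download', 'export.run'
    details      jsonb NOT NULL DEFAULT '{}'::jsonb  -- metadata only: never file contents or secrets
);

-- Least privilege: the application role may add and read records, nothing else.
REVOKE ALL ON audit_log FROM app_user;
GRANT SELECT, INSERT ON audit_log TO app_user;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO app_user;

-- Defence in depth: even the table owner cannot rewrite history without first
-- dropping this trigger, and that drop is itself visible in the schema.
CREATE OR REPLACE FUNCTION reject_audit_mutation() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% blocked)', TG_OP;
END;
$$;

CREATE TRIGGER audit_log_append_only
    BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION reject_audit_mutation();

-- Recording an event (constructed values). Only identifiers go into details.
INSERT INTO audit_log (actor, action, details)
VALUES ('staff:42', 'file.download', '{"file_id": 1001, "org_id": "11111111-1111-1111-1111-111111111111"}');

-- Any of these now fails with the exception above:
-- UPDATE audit_log SET action = 'file.view' WHERE id = 1;
-- DELETE FROM audit_log WHERE id = 1;
-- TRUNCATE audit_log;
```

The grant and the trigger cover different failure modes: the grant stops the application role from modifying records even if a bug or injection reaches the database, while the trigger stops an operator with broader rights from doing so quietly. Detection of tampering then reduces to watching for the trigger being dropped or disabled.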

Security headers

Standard security headers are set on all responses, including X-Content-Type-Options, X-Frame-Options, and a Content Security Policy baseline.

What we do not claim

NeuDocs is early-stage. We do not currently hold SOC 2, ISO 27001, HIPAA, or any other third-party certification, and we avoid marketing terms like “bank-level” or “enterprise-grade.” The controls described here are the actual controls implemented — no more. If your firm has specific compliance requirements, evaluate the controls listed here against them before proceeding.

Reporting a security issue

Found a vulnerability or have a concern? Email support@neudocs.app, and please give us reasonable time to investigate before any public disclosure. See our Vulnerability Disclosure policy for details.