Security

Your clients' data is sensitive. We treat it that way.

DocsCheck is built for regulated legal professionals handling personal immigration data. Security is not an afterthought — it is built into every layer of the platform.

Authentication & access control

Two-factor authentication (2FA)

TOTP-based 2FA is available for all staff and admin accounts, with recovery codes issued at setup. Administrators can enforce 2FA across the whole organisation.
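The mechanics behind the two sentences above, as an added example that is not DocsCheck's code: RFC 6238 TOTP verification with a one-step drift window, replay protection (a code is accepted only for a time step later than the last one used), and single-use recovery codes stored only as hashes. Standard library only; the secret is the published RFC 4226/6238 test key, and the 15-minute window, 10-code batch and 40-bit code length are assumptions, not the product's parameters.

```python
# Added example (not DocsCheck's code): RFC 6238 TOTP verification with a
# +/-1 step window, replay protection and single-use recovery codes.
# Standard library only.
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed sample: base32 of the RFC 4226/6238 test secret "12345678901234567890".
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def _decode_secret(secret_b32: str) -> bytes:
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))   # tolerate missing padding


def totp(secret_b32: str, at: int, step: int = 30) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(_decode_secret(secret_b32), at // step)


def verify_totp(secret_b32: str, code: str, at: int, last_counter: int = -1,
                window: int = 1, step: int = 30):
    """Return the matched time-step counter, or None if the code is rejected.

    Accepts the current step plus `window` steps either side (clock drift) but
    refuses any step <= last_counter, so a captured code cannot be replayed.
    The caller persists the returned counter against the account.
    """
    code = code.strip()
    if not (code.isascii() and code.isdigit()):
        return None
    key = _decode_secret(secret_b32)
    current = at // step
    for drift in range(-window, window + 1):
        c = current + drift
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, c), code):   # constant-time compare
            return c
    return None


def make_recovery_codes(n: int = 10):
    """Return (plaintext codes to show the user once, set of hashes to store).

    An unsalted hash is acceptable here because each code is 40 random bits
    and the only guessing path is the rate-limited login endpoint (assumption).
    """
    codes = [secrets.token_hex(5) for _ in range(n)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def use_recovery_code(code: str, stored: set) -> bool:
    """Consume a recovery code: valid exactly once."""
    h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if h in stored:
        stored.discard(h)
        return True
    return False


if __name__ == "__main__":
    print(totp(TEST_SECRET_B32, 59))   # RFC 6238 test vector: 287082
```

The replay check is the part most implementations omit: without `last_counter`, a code captured by a phishing page remains valid for the rest of its 30-second step plus the drift window.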

One-time passwords for clients

Immigration clients log in with a one-time passcode sent to their registered email address, so there is no client password to remember or leak.

Session-based authentication

Sessions are held server-side in PostgreSQL and are invalidated on logout. The browser holds only the session identifier cookie; no tokens are stored in localStorage.

Rate limiting & brute-force protection

Authentication endpoints are rate-limited, and an account is locked after 3 failed login attempts. A locked account can only be unlocked by completing a password reset.

Role-based access control

There are four roles: admin, staff, billing and document user. Staff see only the clients assigned to them; administrators control the visibility settings for each user.

Forced password change

Accounts created via the API must change their password on first login, so a password issued during bulk provisioning cannot remain in use.

Data isolation & storage

Multi-tenant data isolation

Each organisation's data is fully isolated from every other organisation's. Isolation is enforced at the database query level: every query is scoped to the requesting organisation, so no query can return another organisation's records.
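What "scoped at the query level" means in practice, as an added example that is not DocsCheck's code: the same document lookup written the insecure way (by id alone, so any authenticated user who enumerates ids reads another organisation's record) and the scoped way, where the organisation id comes from the authenticated session and is bound into every read and write. The table, column names and sample rows are constructed for the example, using in-memory SQLite rather than PostgreSQL.

```python
# Added example (not DocsCheck's code): organisation-scoped queries on an
# in-memory SQLite table with constructed sample rows.
import sqlite3


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE documents (
        id INTEGER PRIMARY KEY, org_id INTEGER NOT NULL,
        filename TEXT NOT NULL, status TEXT NOT NULL)""")
    # Constructed sample data: two organisations, one document each.
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?, ?)", [
        (1, 100, "passport-a.pdf", "pending"),
        (2, 200, "passport-b.pdf", "pending"),
    ])
    return conn


# Insecure pattern: looks up by document id alone. Any authenticated user who
# guesses or enumerates an id reads another organisation's record (IDOR).
def fetch_document_unscoped(conn, doc_id):
    return conn.execute(
        "SELECT id, org_id, filename FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()


# Scoped pattern: org_id is taken from the authenticated session, never from
# the request body, and is bound into the WHERE clause alongside the id.
def fetch_document(conn, org_id, doc_id):
    return conn.execute(
        "SELECT id, org_id, filename FROM documents WHERE id = ? AND org_id = ?",
        (doc_id, org_id),
    ).fetchone()


def approve_document(conn, org_id, doc_id) -> int:
    """Writes are scoped the same way; returns rows affected (0 = not yours)."""
    cur = conn.execute(
        "UPDATE documents SET status = 'approved' WHERE id = ? AND org_id = ?",
        (doc_id, org_id),
    )
    return cur.rowcount


def list_documents(conn, org_id):
    """Listings never take an id from the caller; only the session's org_id."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM documents WHERE org_id = ? ORDER BY id", (org_id,))]
```

A scoped query fails closed only if every code path remembers the `org_id` predicate. On PostgreSQL the same guarantee can additionally be enforced by row-level security policies keyed on a session variable, so a query that forgets the predicate still returns nothing; the page states query-level enforcement, and whether DocsCheck also uses RLS is not stated.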

Google Cloud Storage

All uploaded documents are stored in Google Cloud Storage with server-side encryption at rest. Files are served only through signed, time-limited URLs and are never exposed directly.
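The properties a signed, time-limited URL must have, shown with a generic HMAC scheme as an added example that is neither DocsCheck's code nor Google Cloud Storage's own V4 signing algorithm: the object path and the expiry are both covered by the signature, expiry is checked server-side before the signature, and the comparison is constant-time. The signing key and host are constructed placeholders.

```python
# Added example (not DocsCheck's code, and not the GCS V4 scheme): a generic
# HMAC-signed, time-limited download URL. Standard library only.
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a server-side secret loaded from configuration; constructed here.
SIGNING_KEY = b"constructed-example-key-do-not-use"
BASE = "https://files.example.test"    # placeholder host


def _sig(path: str, expires: int) -> str:
    # Path and expiry are both inside the MAC, so neither can be altered.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, ttl_seconds: int = 300, now=None) -> str:
    """Return a URL for `path` that is valid for ttl_seconds from now."""
    now = int(time.time()) if now is None else int(now)
    expires = now + ttl_seconds
    q = urlencode({"expires": expires, "sig": _sig(path, expires)})
    return f"{BASE}{path}?{q}"


def verify_url(url: str, now=None) -> bool:
    """Accept only an unexpired URL whose signature matches path + expiry."""
    now = int(time.time()) if now is None else int(now)
    u = urlparse(url)
    q = parse_qs(u.query)
    try:
        expires = int(q["expires"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False
    if not sig.isascii():
        return False
    if now > expires:
        return False                       # expired links are rejected first
    return hmac.compare_digest(sig, _sig(u.path, expires))
```

With the `google-cloud-storage` client the equivalent call is `blob.generate_signed_url(version="v4", expiration=datetime.timedelta(minutes=15), method="GET")`, which signs with the service account's key; the URL then grants exactly one object for that window, and nothing about the bucket needs to be public.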

Encryption in transit

All connections to DocsCheck are encrypted with HTTPS (TLS). Plain HTTP requests are redirected to HTTPS automatically, so no data is transmitted unencrypted.

Password hashing

Passwords are stored as bcrypt hashes with a cost factor of 12, so we can verify your password but never read it. Password resets use time-limited, single-use tokens.
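How the lockout in "Rate limiting & brute-force protection" and the reset tokens described here fit together, as an added example that is not DocsCheck's code: three failed logins lock the account, and only redeeming a reset token (stored as a hash, expiring, usable once) clears the lock. The 3-attempt threshold is the figure on this page; the 15-minute token lifetime, the data model and the injectable clock are assumptions for the example. Password hashing itself is left to the `bcrypt` package (`bcrypt.hashpw(pw, bcrypt.gensalt(rounds=12))` on enrolment, `bcrypt.checkpw(pw, stored)` on login) and is not repeated in the block.

```python
# Added example (not DocsCheck's code): account lockout after three failed
# logins, unlocked only by a time-limited, single-use password reset token.
# Standard library only; the clock is injectable so the test can fast-forward.
import hashlib
import secrets
import time
from dataclasses import dataclass, field

MAX_FAILURES = 3             # lock threshold stated on this page
RESET_TOKEN_TTL = 15 * 60    # assumption: 15-minute reset links


@dataclass
class Account:
    username: str
    failed_attempts: int = 0
    locked: bool = False
    reset_tokens: dict = field(default_factory=dict)   # sha256(token) -> expiry


def _h(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def record_login_result(acct: Account, password_ok: bool) -> str:
    """Apply the lockout policy; returns "ok", "failed" or "locked"."""
    if acct.locked:
        return "locked"             # a correct password is not enough once locked
    if password_ok:
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILURES:
        acct.locked = True
        return "locked"
    return "failed"


def issue_reset_token(acct: Account, now=None) -> str:
    """Create a one-time reset token. Only its hash is persisted, so a
    database leak does not yield usable reset links."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)      # 256 bits of randomness
    acct.reset_tokens[_h(token)] = now + RESET_TOKEN_TTL
    return token                           # emailed to the user, never logged


def redeem_reset_token(acct: Account, token: str, now=None) -> bool:
    """Validate expiry and single use; on success clear the lock."""
    now = time.time() if now is None else now
    expiry = acct.reset_tokens.pop(_h(token), None)   # pop: usable once
    if expiry is None or now > expiry:
        return False
    acct.reset_tokens.clear()   # a successful reset voids any other outstanding link
    acct.failed_attempts = 0
    acct.locked = False
    return True
```

A lockout keyed only on the username lets anyone who knows a staff member's email lock that account with three bad guesses, so the reset path has to be cheap for the legitimate owner and the rate limit should also be keyed on source address; the page does not state how DocsCheck keys its rate limit.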

Audit & monitoring

Login audit log

Every login attempt is logged with IP address, user agent, timestamp and result (success or failure). The log is available to organisation administrators.

Action audit trail

All significant admin and staff actions are logged, including document uploads, approvals and rejections, client creation, staff assignments and letter generation.

Daily health monitoring

Automated daily health checks monitor platform availability, error rates, and security indicators. Alerts are sent to the operations team on anomaly detection.

Usage monitoring

API calls, email sends, AI analyses, and storage usage are tracked per organisation. Anomalous usage patterns trigger review.

Infrastructure

Document storage with server-side encryption at rest
Serverless Postgres with automatic backups and point-in-time recovery
Application hosting with automatic deployments and environment isolation

Responsible disclosure

If you discover a security vulnerability in DocsCheck, please report it to us privately at security@docscheck.co.uk before disclosing it publicly. We will acknowledge receipt within 48 hours, investigate promptly, and aim to resolve confirmed issues within 30 days. We do not currently offer a bug bounty programme but we are grateful for responsible disclosures.

UK GDPR compliance

DocsCheck is designed to support your compliance obligations as a data controller under UK GDPR. Key measures include multi-tenant data isolation, data subject rights support, data processing agreements with all sub-processors, and breach notification procedures. See our GDPR page and Privacy Policy for full details.

Questions

For security questions or to report a vulnerability: security@docscheck.co.uk
For data protection queries: privacy@docscheck.co.uk
Zayn Productions Ltd · 1 Alvin Street, Gloucester, England, GL1 3EJ · Company No. 16892199

We use essential cookies to keep the platform running. No tracking or advertising cookies. Cookie policy