Legal
Security
Last updated May 7, 2026
Security is not a feature at DossFox — it's the floor. The dossiers our customers entrust to us contain identity documents, financial records, and confidential client material. We treat them accordingly.
Infrastructure
- Hosted on AWS, region pinned per customer (default eu-west-1).
- Cloudflare in front of every origin; DDoS mitigation always on.
- Origin TLS via Cloudflare Origin CA, mTLS optional on Scale.
- Daily encrypted backups with 35-day retention.
Encryption
- TLS 1.3 in transit. HSTS preloaded.
- AES-256-GCM at rest. Per-workspace data encryption keys.
- Customer-managed keys (BYOK) on Scale.
Access control
- SAML / OIDC SSO on Team and Scale.
- Mandatory MFA for DossFox staff. Hardware-key only on production.
- Just-in-time privilege escalation; every action logged and reviewed.
Audit & compliance
- GDPR-aligned by design.
- SOC 2 Type II — target completion Q3 2027.
- ISO 27001 — target 2028.
- Per-workspace immutable audit log; one-click export.
Vulnerability disclosure
Found something? Email [email protected] (PGP available on request). We acknowledge within 24 hours and aim to ship a fix within 7 days for high-severity issues. Researchers acting in good faith are not pursued and are recognised in our hall of fame.
Subprocessors
- AWS — hosting (EU).
- Cloudflare — edge & TLS (global).
- Stripe — billing (US, SCC).
- Postmark — transactional email (EU).
- Sentry — error monitoring (EU).
- fal.ai — branding asset generation only; never customer dossier data.
Incident response
We follow a documented IR playbook. Customers are notified within 72 hours of any incident affecting their data, with a written postmortem within 30 days.