Security isn't a feature. It's the foundation.
Docubark is built to handle your most sensitive vendor data. Here's exactly how we protect it — no vague claims, no marketing language.
Independently verified.
SOC 2 Type 1 — Completed
Docubark has completed a SOC 2 Type 1 audit, in which an independent auditor attested that our controls for availability, confidentiality, and processing integrity are suitably designed as of the audit date. SOC 2 is an attestation report rather than a certification, and a Type 1 report is point-in-time: it shows the controls are designed correctly, not that they have operated effectively over a period. That is what the Type 2 audit covers.
SOC 2 Type 2 — In Progress
Our Type 2 audit is currently underway. It examines the same controls over an extended operating period, producing evidence that they operate effectively and consistently over time rather than at a single point.
FAIR Framework
Docubark's risk quantification engine is built on FAIR (Factor Analysis of Information Risk), the Open Group's open standard for quantifying information and cyber risk in financial terms rather than as qualitative ratings.
CISO Advisory Board
Our security practices are reviewed by an advisory board of enterprise CISOs — practitioners who've run security programs at scale and know what real security controls look like in production environments.
Your data is encrypted, isolated, and deleted on your schedule.
Encryption in Transit
All data transferred to and from Docubark is protected using TLS 1.2 or higher. No data travels in plaintext.
Encryption at Rest
All data stored on Docubark servers, workstations, and infrastructure is protected with AES-256 disk encryption. Disk encryption protects data on lost, stolen, or decommissioned media; it does not by itself restrict who can read data on a running system, which is the job of the access controls described below.
Data Isolation
Customer data is stored in dedicated, segmented cloud environments behind a firewall. Production data is never used in development or testing environments.
Data Retention
Docubark retains your data for as long as your account is active. Upon offboarding, customer data is retained in secure backups for 7 days and then permanently deleted.
Secure Disposal
When data reaches the end of its retention period, it is disposed of using industry-standard secure deletion methods, and every disposal is logged.
Hosted on AWS. Architected to minimize exposure.
Cloud Infrastructure
Docubark runs entirely on Amazon Web Services (AWS). We use AWS's automated backup tools to perform full daily backups of all production data, stored in a secure remote location.
Network Segmentation
Our network architecture uses demilitarized zones (DMZs) and security group isolation so that no external network has a direct path to customer data. Subnets are configured to prevent unauthorized lateral movement between tiers.
Business Continuity
We test our business continuity and disaster recovery plan annually via tabletop exercises. Our engineering team also performs restore tests to confirm that backups can actually be recovered, not merely that backup jobs completed.
Only the people who need access have it.
Least Privilege
Every Docubark employee is granted the minimum level of access required to perform their role. Access rights are reviewed at least annually and adjusted when roles change.
Multi-Factor Authentication
MFA is required for all access to Docubark systems, with no exceptions. Remote access to production systems requires both a VPN connection and a valid MFA factor.
SAML / SSO Support
Docubark supports SAML-based Single Sign-On, allowing enterprise customers to manage authentication through their own identity provider.
Access Provisioning & Deprovisioning
New user access requires formal approval before being granted. Terminated employees have access revoked within 24 hours. All access changes are documented.
No Shared Credentials
Shared or group accounts are prohibited. Every user is assigned a unique ID, passwords must meet complexity requirements, and credentials are never shared.
We find problems before attackers do.
Quarterly Vulnerability Scans
Internal and external vulnerability scans are performed at least quarterly across all in-scope systems. Results are reviewed by engineering leadership and remediated based on severity.
Annual Penetration Testing
Docubark engages independent third-party security firms to conduct penetration tests at least annually. Critical vulnerabilities are addressed within 15 days.
Patch Management
Security patches are deployed on a defined schedule: Critical within 15 days, High within 30 days, and Medium and Low on a best-effort basis with continuous monitoring.
Antivirus & Endpoint Protection
Antivirus software is deployed on all endpoints (laptops, desktops, and servers) with automatic updates enabled and, at minimum, a scheduled monthly scan.
A documented process, not a fire drill.
Docubark maintains a formal Incident Response Team (IRT) with defined roles and responsibilities for detecting, containing, and recovering from security incidents. Our program includes:
- Defined severity classifications (Low, Medium, High) with corresponding response procedures
- Annual tabletop exercises to test our incident response capabilities
- Customer notification procedures for high-severity incidents, including determination of regulatory and contractual notification requirements
- Post-incident documentation and continuous improvement
Security starts before day one.
Background Checks
All Docubark employees undergo background checks prior to their start date.
Security Awareness Training
Every employee completes security awareness training within 30 days of hire and at least annually thereafter. Training covers current threats, incident reporting, and role-specific responsibilities.
Confidentiality Agreements
All employees and contractors sign confidentiality agreements upon hire, with no access granted to any Docubark systems until the agreement is acknowledged.
Annual Risk Assessment
Docubark conducts a formal enterprise risk assessment at least annually, reviewed by our Risk Committee, which includes internal leadership and at least one independent member.
We'll answer your security questionnaire. With our own product.
Most security review processes involve sending a questionnaire. We're happy to complete one — and yes, we use Docubark to do it.
If your security or procurement team needs additional documentation, a custom review, or a direct conversation with our CTO, reach out.