Global pilot draft - 2026.06.03
Security Policy
Security posture for the Documents Dock global pilot.
Effective date: 2026-06-03
01
Workspace isolation
- Shipment data is scoped by organization and protected through application authorization and Supabase row-level security policies.
- Workspace members should be assigned only the roles they need for their shipment document work.
- Public support and pilot forms are rate-limited and validated before persistence.
02
Document protection
- Originals, generated documents, and bundles are stored in private object storage rather than public buckets.
- Operators do not view customer originals, OCR text, extracted values, signatures, stamps, or object storage keys by default.
- OCR quality monitoring should use value-free quality events instead of customer document text.
03
Application controls
- The web app uses security headers, CSP, upload validation, rate limiting, and server-side organization checks on sensitive routes.
- Billing provider webhooks must be verified before they can unlock paid workspace access.
- Production secrets must be stored only in deployment provider secrets or environment variables.
04
Reporting
- Security issues should be reported through the published security contact or support channel.
- Do not include full customer documents, passwords, private keys, or regulated data in a vulnerability report unless the team explicitly requests a secure transfer path.
Launch note: this page is an implementation draft for product validation and must be reviewed before public paid launch.