Privacy
At DocSend we believe that you own your data, and we’re committed to keeping it private. Our privacy policy clearly describes how we handle and protect your information. If you have a privacy question, please contact [email protected]. Additionally, you can obtain a copy of our information security white paper here.
Here are a few ways we protect your data:
Data Deletion/Destruction
If you wish to delete your account or request that we no longer use your information to provide you the service, you may ask that we delete your account by emailing [email protected].
Your Rights
Upon request, DocSend will confirm whether we are processing your Personal Data and, if so, provide you with a copy of that Personal Data along with certain other details. Please see our Privacy Policy for more information about the rights you have in relation to your Personal Data and how to exercise them.
Payment Info
We process all payments through our payment provider, Stripe, and do NOT store credit card information on our servers.
Our subservice providers
At least annually, DocSend performs a review of our subservice providers. In the event these reviews have material findings which we determine present risks to DocSend or our customers, we will work with the service provider to understand any potential impact to customer data and track their remediation efforts until the issue is resolved.
Security Incidents & Reporting
If you see something, say something. If you need to submit a potential security incident to DocSend please provide a summary report to the DocSend Security Team as an attachment to [email protected]. The Information Security team will evaluate the report and may arrange to discuss specifics.
Encryption
DocSend protects data in transit between our apps and our servers, and at rest. Documents are stored behind a firewall and authenticated against the sender’s session every time a request for that document is made. We enforce the use of industry best practice for the transmission of data to our platform,Transport Layer Security (TLS), and data is stored in SOC 1 Type II, SOC 2 Type II, and ISO 27001 certified data centers. Your documents are stored and encrypted at rest using AES 256-bit encryption.
Automatic Audit Trails
The non-editable audit trail ensures that every action on your documents is thoroughly tracked and time-stamped, to provide defensible proof of access, modification, and, where applicable, signature. These records include a hash of the PDF document which we can compare to the hash of a questionable PDF document to determine whether or not it has been modified or tampered with.
Application Security and Testing
DocSend has a formal application security program in place with application security staff.
We regularly test our infrastructure and apps to identify and patch vulnerabilities. We also work with third-party specialists, industry security teams, and the security research community to keep our users and their files safe. WeTo further enhance our application security, we run a bug bounty program and engage multiple times a year with third-party penetration testing teams to ensure our products are secure. Potential security bugs and vulnerabilities can be reported to our Bug Bounty program. Please contact our security team at at [email protected] for more information.
Permissions
It’s imperative that you can control who can do what within the system. Different roles carry different access rights. Learn more about role-based security permissions.
Infrastructure
DocSend uses Heroku as its Platform as a Service (PaaS) provider and Amazon Web Services (AWS) as its Infrastructure as a Service (IaaS) provider with Amazon data centers hosting our data within the U.S. We utilize AWS features like Security Groups, key management, disk level encryption, etc., to ensure the confidentiality of our customer data in the cloud.
Experienced Security and Privacy Teams
We have a Security Team with a Head of Security who is directly responsible for the security of DocSend products and services. Additionally, we have a formal risk management program in place. Security risks are reviewed periodically, resulting in security-related initiatives at the product, infrastructure, and company level.
The Privacy Team is responsible for operating the Privacy Program. It implements our key privacy initiatives and champions privacy by design in our data lifecycle.
To ensure all employees are able to champion customer data protection, we work to ensure security and privacy are embedded in our company culture from day one. Employees undergo comprehensive background checks, sign and follow a code of conduct and acceptable use policies, as well as undergo annual security awareness and privacy training.
We also have a copyright and IP policy and Terms of Service for our end users to ensure our customers completely understand how we intend our products to be used and under what terms.