doclish is built security-first. Every architectural decision — from authentication to storage to audit logging — is designed to protect the privacy, security, and integrity of Protected Information in our custody. This page describes how that protection works technically.
doclish does not read your documents. Document content is encrypted before it reaches our storage layer. Our infrastructure stores encrypted bytes. Only authenticated users with the correct credentials can decrypt and access document content. We cannot access the plaintext of your documents, and neither can anyone else without your credentials.
doclish uses Passkeys (WebAuthn) as the primary authentication method. There are no passwords stored on our servers — not hashed, not salted, not in any form. Authentication is handled via public-key cryptography on the user's device.
Every document uploaded to doclish is immediately registered with a SHA-256 cryptographic fingerprint. This hash is computed at upload time and stored immutably. Any subsequent byte-level modification to the document — including metadata changes, compression artifacts, or deliberate tampering — produces a different hash and is detected immediately upon verification.
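The register-then-verify flow described above, as an added example that is not doclish's own code: it fingerprints a stream with SHA-256 at upload, refuses to overwrite a recorded digest, and shows a one-character metadata edit failing verification. `FingerprintRegistry`, the document id and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io

CHUNK = 64 * 1024  # read in chunks so a large upload is never held in memory whole


def fingerprint(stream) -> str:
    """Return the SHA-256 hex digest of every byte in a binary stream."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


class FingerprintRegistry:
    """Hypothetical write-once store: each document id maps to exactly one digest."""

    def __init__(self):
        self._digests = {}

    def register(self, doc_id: str, stream) -> str:
        # Immutability: a recorded fingerprint can never be replaced.
        if doc_id in self._digests:
            raise PermissionError(f"fingerprint for {doc_id!r} is already recorded")
        self._digests[doc_id] = fingerprint(stream)
        return self._digests[doc_id]

    def verify(self, doc_id: str, stream) -> bool:
        expected = self._digests.get(doc_id)
        if expected is None:
            return False  # unknown document: fail closed
        return hmac.compare_digest(expected, fingerprint(stream))


# Constructed sample: a PDF-like byte string and a copy with one metadata field edited.
ORIGINAL = b"%PDF-1.7\n/Title (Lease Agreement)\n/Author (A. Smith)\n%%EOF\n"
EDITED = ORIGINAL.replace(b"/Author (A. Smith)", b"/Author (A. Smyth)")


def demo():
    """Register ORIGINAL, then verify the untouched bytes and the edited copy."""
    reg = FingerprintRegistry()
    digest = reg.register("doc-1", io.BytesIO(ORIGINAL))
    return digest, reg.verify("doc-1", io.BytesIO(ORIGINAL)), reg.verify("doc-1", io.BytesIO(EDITED))


if __name__ == "__main__":
    print(demo())
```

The digest covers the whole byte stream, so the body text being identical does not matter: the edited author field alone changes the fingerprint.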
Every action taken on a document — upload, view, download, verification, delivery, deletion request — is recorded in an append-only audit log. Audit records cannot be modified or deleted after creation. Logs include the actor, timestamp, IP address, action type, and document fingerprint at time of action. These logs are court-admissible records of chain of custody.
Every record in doclish is scoped to a userId at the database level. This is enforced at the query layer — not just at the application layer. Cross-tenant queries are structurally impossible: a user's session token cannot be used to access records owned by another user, regardless of how the request is constructed. There are no shared tables without user-scoped indexes.
doclish runs on Cloudflare's global infrastructure. Cloudflare holds SOC 2 Type II, ISO 27001, and PCI DSS Level 1 certifications. Physical security, hardware lifecycle management, and datacenter access controls are managed by Cloudflare. Document files are stored in Cloudflare R2 — a private, zero-egress-fee object store with no public access by default.
doclish's application backend runs on Convex, a serverless database and compute platform. All Convex function calls are authenticated and operate within the security boundaries of the doclish schema. Database access is not exposed directly to the client — all reads and writes go through typed, authenticated server functions. The Convex platform enforces end-to-end encryption for data in transit between its compute and storage layers.
Sessions are token-based with a 60-day expiry. Session tokens are generated with cryptographically secure random functions, are a minimum of 20 characters, and are stored in localStorage on the client. Tokens are never transmitted in URL parameters. Sessions can be revoked remotely. All session events are recorded in the audit log.
doclish does not load third-party analytics scripts, ad networks, or tracking pixels. We do not send your usage behavior to Google Analytics, Mixpanel, Segment, or any similar service. The only external network calls made by the doclish client are to our own backend infrastructure and to Convex for real-time data synchronization.
To report a security vulnerability, request a security review, or ask questions about our security architecture, contact security@doclish.com. We take all security reports seriously and respond within one business day.