Trust center

Security, privacy, and compliance — the receipts.

Welcome to DocuChat's Trust Center. Here we share our compliance documentation, security measures, and privacy practices. We believe in transparency and want to give you full confidence in how we protect your data.

Need our full security pack?
ISO 27001 certificate, DPA, subprocessor list, and the latest pen-test summary — available on request.

Controls

The controls below protect customer data and the systems that process it. The categories summarise what is in place; supporting evidence is provided with the security pack on request.

Security Policies and Organization

  • Implemented comprehensive information security policies and procedures
  • Established clear security roles and responsibilities across the organization
  • Enforced segregation of duties for critical systems
  • Maintained active contact with security authorities and groups
  • Integrated security requirements into all project management

Asset and Access Management

  • Maintained up-to-date inventory of all information assets
  • Enforced role-based access control across all systems
  • Implemented secure password policies and password manager
  • Conducted quarterly access rights reviews
  • Enforced multi-factor authentication across all services
  • Protected source code access with additional security controls
  • Applied data classification and handling procedures
  • Implemented secure media disposal processes

Technical Security

  • Enforced encryption for data at rest and in transit
  • Implemented centralized key management system
  • Established automated backup procedures with encryption
  • Implemented comprehensive logging and monitoring
  • Conducted regular vulnerability assessments
  • Enforced network segmentation and security controls
  • Maintained secure communication protocols

Systems Development and Operations

  • Implemented secure development lifecycle process
  • Enforced change management procedures for all systems
  • Maintained separate development and production environments
  • Implemented automated CI/CD security checks
  • Monitored system capacity and performance

Vendor Management and Business Continuity

  • Implemented supplier security requirements in contracts
  • Monitored supplier service levels and security compliance
  • Maintained business continuity and disaster recovery plans
  • Conducted regular disaster recovery testing
  • Established incident response procedures

Compliance and Risk Management

  • Conducted regular risk assessments and treatment
  • Maintained compliance with applicable regulations
  • Implemented privacy and data protection controls
  • Maintained security metrics and reporting
  • Documented all security exceptions and risks
  • Implemented physical security controls

Vendors

Subprocessors

For US-based providers, GDPR-compliant data transfers are ensured either by hosting the data in EU-based regions or by Standard Contractual Clauses (SCCs). Each entry below states which applies.

  • AWS Europe (Luxembourg; data hosted in Frankfurt)
    Infrastructure & AI Provider
  • Brevo (France)
    Email Service Provider
  • Cohere (United States; SCCs in place)
    AI Model Provider
  • Crisp (France)
    Customer Support Services
  • Lemon Squeezy (United States; SCCs in place)
    Payment Processor
  • Mistral (France)
    AI Model Provider
  • OpenAI (United States; SCCs in place)
    AI Model Provider
  • PostHog (United States; data hosted in EU)
    Product Analytics
  • Sentry (United States; data hosted in EU)
    Observability Services