Security & Data Protection

Last updated: 11 May 2026

Security is core to DocChase. This page summarises the controls we use to protect your data and your clients' documents.

1. Hosting

  • Primary database and document storage hosted in Australia (Sydney region) on enterprise cloud infrastructure (ISO 27001, SOC 2 Type II certified).
  • Workloads run in isolated, hardened containers behind a global edge network with DDoS protection.

2. Encryption

  • In transit: TLS 1.2+ on all connections; HSTS enforced.
  • At rest: AES-256 encryption for database and document storage.
  • Upload tokens are single-purpose, time-bound, and revocable.

3. Access control

  • Row-level security ensures one practitioner cannot read another's data.
  • Multi-factor authentication available on all practitioner accounts; mandatory for DocChase staff.
  • Least-privilege access for staff; production access logged and audited.

4. Application security

  • Input validation and output encoding on every endpoint.
  • Automated dependency scanning and secret scanning on every commit.
  • Quarterly third-party penetration testing.
  • Public security disclosure: security@docchase.com.au.

5. Backups & disaster recovery

  • Continuous database replication and point-in-time recovery for 30 days.
  • Document storage replicated across availability zones.
  • Recovery Time Objective: 4 hours. Recovery Point Objective: 15 minutes.

6. Subprocessors

We engage a limited set of subprocessors to run the service: hosting, email delivery, SMS delivery, error monitoring, and payments. All are bound by written agreements and disclosed in our Data Processing Addendum.

7. Incident response

We maintain a documented incident-response plan. In the event of a notifiable data breach, we notify affected customers and the Office of the Australian Information Commissioner consistent with the Notifiable Data Breaches scheme.

8. Compliance posture

  • Built to align with the Australian Privacy Principles (APPs).
  • Designed against the OWASP Top 10 and the Australian Cyber Security Centre's Essential Eight.
  • SOC 2 Type II roadmap — current status: in progress.

9. Contact

Report a vulnerability or ask a security question: security@docchase.com.au.

Questions about this policy?

Email legal@docchase.com.au or write to DocChase Pty Ltd, Level 1, 121 King Street, Melbourne VIC 3000, Australia.