Security & Trust
Droqify is built for organisations handling sensitive and regulated documents. Every security control described here corresponds to an implemented, verifiable feature of the platform.
Data Isolation
Every customer's data resides exclusively in their own Azure subscription.
Droqify is not a multi-tenant SaaS with a shared database. At provisioning, a dedicated Azure resource group (rg-docai-{client}) is created in the customer's Azure subscription. All data stores — Cosmos DB, Azure Blob Storage, Azure Service Bus, OpenSearch, and Key Vault — are provisioned within that resource group, in the customer's subscription, under the customer's billing account.
There is no shared storage tier, no pooled database, and no mechanism by which one customer's data can be accessed in the context of another customer's environment. The vendor cannot access customer data in the ordinary course of operations.
Encryption
At rest
All data is encrypted using Customer-Managed Keys (CMK) stored in Azure Key Vault. The key algorithm is RSA-2048. CMK encryption is applied to:
- Azure Cosmos DB (all containers)
- Azure Blob Storage (raw document files and audit log archives)
- Azure Service Bus (message queue payloads)
Keys are rotated automatically every 90 days. Revoking the CMK immediately renders all data inaccessible, including to the vendor.
In transit
All communications use TLS 1.2 or higher: browser to API, API to Cosmos DB, API to Blob Storage, API to Service Bus, API to Azure OpenAI, and agent worker to Azure AI Foundry.
Access Controls
Droqify implements role-based access control (RBAC) with the principle of least privilege at both the application layer and the Azure infrastructure layer.
- Application RBAC: every API endpoint enforces a specific permission. Permissions are validated on every request via JWT claims.
- Authentication: bcrypt-hashed passwords; JWT access tokens with 15-minute expiry; HttpOnly refresh-token cookies.
- Vendor access (Enterprise tier only): implemented via Azure Lighthouse delegation, scoped to the customer's resource group. The vendor cannot access other resource groups in the customer's Azure subscription. All vendor actions generate audit events in the customer's Azure Activity Log.
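The per-request permission check described above, as an added illustration (not Droqify's own code): a short-lived HS256 access token carries a `permissions` claim, a decorator verifies the signature and expiry on every call, and the endpoint runs only if the required permission is present. The secret, the claim name, the permission strings and the endpoint bodies are assumptions; a real deployment would load the signing key from Key Vault and would typically use a JWT library rather than hand-rolled encoding.

```python
import base64
import hashlib
import hmac
import json
import time
from functools import wraps

# Constructed signing secret for the example only. In production this would be
# fetched from Key Vault, never embedded in code or an environment variable.
SECRET = b"example-signing-secret-not-for-production"
ACCESS_TOKEN_TTL = 15 * 60  # 15-minute access-token expiry, as stated on the page


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret: bytes, signing_input: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def issue_token(secret: bytes, sub: str, permissions, now=None) -> str:
    """Mint an HS256 JWT whose 'permissions' claim lists what the subject may do."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "permissions": list(permissions),
               "iat": now, "exp": now + ACCESS_TOKEN_TTL}
    parts = [_b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
             for obj in (header, payload)]
    signing_input = ".".join(parts).encode("ascii")
    return ".".join(parts) + "." + _b64url_encode(_sign(secret, signing_input))


def verify_token(secret: bytes, token: str, now=None) -> dict:
    """Return the claims if signature and expiry are valid, else raise ValueError."""
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token's own 'alg' must never select the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    if not hmac.compare_digest(_sign(secret, signing_input), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise ValueError("token expired")
    return payload


class PermissionDenied(Exception):
    pass


def require_permission(permission: str):
    """Endpoint decorator: verify the JWT, then require a specific permission claim."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(token: str, *args, now=None, **kwargs):
            claims = verify_token(SECRET, token, now=now)  # raises on bad/expired token
            if permission not in claims.get("permissions", []):
                raise PermissionDenied(f"{claims.get('sub')} lacks {permission}")
            return handler(claims, *args, **kwargs)
        return wrapper
    return decorator


# Hypothetical endpoints; each is bound to exactly one permission.
@require_permission("documents:read")
def get_document(claims: dict, doc_id: str) -> dict:
    return {"doc_id": doc_id, "requested_by": claims["sub"]}


@require_permission("documents:delete")
def delete_document(claims: dict, doc_id: str) -> dict:
    return {"doc_id": doc_id, "deleted_by": claims["sub"]}


if __name__ == "__main__":
    token = issue_token(SECRET, "alice", ["documents:read"])
    print(get_document(token, "doc-1"))
```

Two details carry the security weight: the verifier pins `alg` to HS256 instead of trusting the token header, and the signature comparison uses `hmac.compare_digest` so timing does not leak the expected MAC.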
Audit Logging
Every data access, modification, creation, and deletion event is written to a tamper-proof audit log.
Audit records include: authenticated user ID, action, resource ID, source IP, timestamp, and correlation ID. Audit records do not contain document content, extracted text, or PHI — a PHI-masking filter strips sensitive fields before any log forwarding.
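An illustration of the masking step described above, added here and not taken from Droqify's code: the filter keeps only the six fields the page lists for an audit record, drops everything else (document content, extracted fields, contact details), and additionally scrubs SSN- and email-shaped substrings from the retained values so that a PHI-bearing resource identifier cannot slip through. The field names, the sample event and the regex patterns are constructed assumptions.

```python
import json
import re

# The only fields an audit record may carry, per the page's description.
AUDIT_FIELDS = ("user_id", "action", "resource_id", "source_ip", "timestamp", "correlation_id")

# Constructed patterns for values that must never reach a log sink even inside
# an allowed field (assumption: not Droqify's own rule set). The SSN pattern
# requires exactly 3-2-4 digits at word boundaries, so ISO timestamps do not match.
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # SSN-shaped identifiers
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),     # email addresses
]


def _scrub(value: str) -> str:
    """Replace any PHI-shaped substring in a retained field with a marker."""
    for pattern in PHI_PATTERNS:
        value = pattern.sub("[REDACTED]", value)
    return value


def mask_audit_event(event: dict) -> dict:
    """Allowlist filter: keep only AUDIT_FIELDS, scrub their values, reject incomplete events."""
    record = {}
    for field in AUDIT_FIELDS:
        if field not in event:
            raise ValueError(f"audit event missing required field: {field}")
        record[field] = _scrub(str(event[field]))
    return record


def dropped_fields(event: dict) -> list:
    """Names of the fields the filter will discard; useful for a unit test or a metric."""
    return sorted(set(event) - set(AUDIT_FIELDS))


def forward_audit_event(event: dict, sink: list) -> dict:
    """Mask, serialise and hand the record to a sink (a list stands in for the log forwarder)."""
    record = mask_audit_event(event)
    sink.append(json.dumps(record, sort_keys=True))
    return record


# Constructed event as an application component might emit it before masking.
SAMPLE_EVENT = {
    "user_id": "u-1042",
    "action": "document.read",
    "resource_id": "doc-7781",
    "source_ip": "203.0.113.7",
    "timestamp": "2024-05-01T12:00:00Z",
    "correlation_id": "c-9f3e",
    # Everything below must be stripped before forwarding:
    "document_text": "Patient John Doe, SSN 123-45-6789, diagnosed with ...",
    "extracted_fields": {"patient_name": "John Doe", "dob": "1980-02-14"},
    "user_email": "john.doe@example.com",
}


if __name__ == "__main__":
    sink = []
    print(forward_audit_event(SAMPLE_EVENT, sink))
    print("dropped:", dropped_fields(SAMPLE_EVENT))
```

The allowlist is the primary control: a new field added upstream is dropped by default rather than forwarded until someone remembers to add it to a denylist. The pattern scrub is a second layer for the case where a permitted field, such as a resource identifier, happens to embed an identifier.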
Audit logs are stored on Azure Blob Storage with WORM (Write Once Read Many) immutability. Retention: 7 years, meeting the HIPAA audit control minimum under 45 CFR §164.312(b). Logs are replicated via Azure Geo-Redundant Storage (GRS).
AI Data Handling
Droqify uses two external AI services. Both are governed by enterprise agreements with explicit data retention prohibitions.
- Azure OpenAI (GPT-4.1): zero data retention; no use of customer data for model training.
- Mistral AI (OCR): EU-incorporated entity; EU-based processing; no training on customer data per Mistral enterprise DPA.
Compliance
| Framework | Status |
|---|---|
| HIPAA | Business Associate Agreement (BAA) available and executed for healthcare customers. Technical, administrative, and physical safeguards implemented per the HIPAA Security Rule. Contingency plan (RPO ≤1h, RTO ≤4h) tested quarterly. |
| GDPR | Data subject rights (access, erasure, portability, rectification) implemented. Subprocessor list maintained. GDPR Art. 30 Records of Processing Activities (RoPA) maintained. DPA available. |
| SOC 2 Type II | Audit window open post-commercial launch. Trust service criteria addressed in system design. |
| ISO 27001 | Certification in roadmap. Information security management controls implemented per ISO 27001 Annex A. |
Penetration Testing
Droqify undergoes third-party penetration testing on an annual basis. Scope covers: the API surface, authentication mechanisms, container infrastructure, Azure RBAC configuration, and network segmentation.
Enterprise customers may request a copy of the most recent penetration test executive summary and attestation letter under NDA. Critical vulnerabilities are addressed within 72 hours of confirmed identification.
Vulnerability Management
- Container image scanning: every image push to Azure Container Registry is scanned by Microsoft Defender for Containers. Critical CVEs reviewed within 48 hours.
- Dependency monitoring: Python and Node.js dependencies are monitored for known vulnerabilities. Out-of-band patching for critical issues.
- Secret management: all credentials and API keys are stored in Azure Key Vault. No secrets in environment variables in production containers or version-controlled files.
Data Deletion
Customers retain full control over their data at all times.
- User-level deletion: administrators can permanently delete all data associated with any user. This cascades across all Cosmos DB containers and associated Blob Storage objects. Irreversible.
- Full environment deletion (Private tier): because all infrastructure is deployed into the customer's own Azure subscription, the customer can tear down the entire environment by deleting their resource group. No customer data persists outside the customer's own Azure subscription.
Incident Response
| Severity | Initial Response | RCA Publication |
|---|---|---|
| P1 — Service unavailable | 30 min (Enterprise) | Within 5 business days |
| P2 — Core feature degraded | 1 hour | On request |
| P3/P4 — Non-critical | 4 hours / 1 business day | On request (recurring) |
Security incidents involving potential data exposure are reported to affected Enterprise customers within 60 days of discovery per HIPAA §164.410.
Subprocessors
| Subprocessor | Role | Data Processed | Location |
|---|---|---|---|
| Microsoft Azure | Infrastructure (compute, storage, networking) | All customer data at rest and in transit | Customer-selected Azure region |
| Microsoft Azure OpenAI | GPT-4.1 inference | Document text content | US East (configurable) |
| Mistral AI | OCR (image/PDF processing) | Document images | EU |
| Microsoft Azure AI Foundry | AI agent orchestration | Document text, schema data, agent I/O | Vendor Azure subscription |
Customers will be notified at least 30 days in advance of any changes to the subprocessor list.
Contact
For security questions, vulnerability disclosures, BAA requests, or compliance enquiries:
- Email: contact@skifin.com
- Subject: "Security / Compliance"
For Enterprise customers: use your dedicated Customer Success Manager or the support channel in your MSA.