Security & privacy

The safest place for a borrower's document is the one it never leaves.

Lending files carry non-public personal information. Docutise is designed around that from the first line: local-first processing, no cloud path to leak to, and an audit trail behind every action.

Nothing to leak to the cloud

There are no cloud model calls and no alternate cloud inference path. Analysis runs on your hardware — egress isn't disabled, it's absent by design.

Your documents can't phone home

GPU and model workers are intended to run without normal internet egress while a document is being processed.

NPI never lands in a log

Raw document content should not appear in application logs by default. Access logs carry metadata, not the document.

Controls

Only the right people ever see a file.

The security goal is practical and strict: prevent cross-tenant access, keep borrower content out of logs, avoid document egress, preserve an audit trail, and make every final decision explainable after the fact.

Tenant, object & role scoping

Reads and writes are tenant-scoped and object-scoped, with object-level authorization tests. Roles gate what a user can even see — a reviewer literally cannot reach a finalize or admin-confirm action.

Scope-driven redaction

OCR text, barcode values, finding-evidence text and export payloads are redacted by scope, with separate scopes for raw document and artifact bytes. Sensitive fields aren't handed out casually.

Signed, short-lived links

Document originals, page artifacts and export artifacts are reached through HMAC-signed links with expiry enforcement — and every resolution is audit-logged.

Admin-only final decisions

Final document acceptance, rejection, override and profile publishing require an admin — and each is recorded as an immutable, metadata-only audit event.

Full audit trail

Raw downloads, page views, artifact downloads, signed-link resolutions and export reads are captured as metadata-only events — the record you need when someone asks "who saw this, and when?"

Request tracing & rate limits

Request IDs propagate through X-Request-ID; API rate limits return 429 with Retry-After and X-RateLimit-* headers, with distributed enforcement for multi-process deployments.

Intake defense

Nothing untrusted gets deep into the system.

Uploads are validated before they're stored — the first line against malformed, oversized or hostile files.

  • MIME & magic-byte checksThe declared type has to match the actual bytes.
  • Size, page-count & decompression limitsPDF page counts, image pixel bounds and decompression ratios are bounded to prevent resource-exhaustion.
  • Encrypted / corrupt detectionEncrypted or corrupt PDFs are caught at the door, not mid-pipeline.
  • Local malware-scan hookA local scan policy handles detection and the scanner-unavailable case explicitly.
MIME / magic bytes
Match
Upload size
Within limit
PDF page count
Within limit
Encryption / corruption
Clean
Local malware scan
Passed
Model governance

A model doesn't get to vote until it's earned it.

Local detector and semantic lanes are intentionally gated. Their evidence does not support a pass decision until the required local runtime, labeled fixtures, threshold certification, no-egress checks and evaluation gates are complete.

Conservative by default. Until those gates are met, the correct behavior is strict: findings stay visible, unresolved blockers prevent an automatic pass, and an admin makes the final call. Model and runtime records carry version, source, license metadata, checksum or digest, and evaluation status.

Put the audit trail on your side.

Talk to us about a local pilot and a security review with your team.