Privacy Policy
Data Security & Protection
Executive Summary
The rise of AI-driven automation is transforming the business landscape, demanding organizations to adopt secure, efficient, and agile environments. Docana redefines business process management by integrating AI into workflows, automating tasks, and enhancing productivity through knowledge-driven solutions. As companies increasingly depend on their data and AI-powered insights, Docana is committed to providing a secure and compliant platform that aligns with evolving regulatory standards and business needs.
Our approach combines cutting-edge security practices with a future-proof strategy. While Docana is preparing for certifications such as SOC 2 and ISO 27001, our commitment to security and compliance forms the foundation of ever y operation and feature.
Docana: Product Briefing
Docana offers an AI-powered platform that connects your organization's knowledge with generative applications, enabling you to streamline operations and automate tasks securely and efficiently. From document ingestion to actionable insights and custom application generation, Docana transforms workflows without requiring coding expertise.
Docana's security framework ensures that your data and operations remain protected at every step, helping your organization deliver value with confidence.
Security is the Foundation of Our Operations
Although Docana is in the process of achieving SOC 2 and ISO/IEC 27001 certifications, our platform has been designed with security and compliance in mind from the ground up. Docana employs a “Secure by Design” philosophy, embedding security measures into ever y layer of our architecture.
Secure Development Practices
Regular Audits: Frequent security audits, including automated vulnerability scans and third-party penetration tests, help identify and mitigate risks. Compliance reviews ensure alignment with industry standards and regulatory requirements.
Training and Standards: Docana ensures all developers are trained in secure coding practices following OWASP standards, equipping them to prevent common vulnerabilities like XSS and injection attacks. Ongoing training keeps the team up-to-date on emerging threats and best practices.
Software Development Life Cycle (SDLC): Security is embedded in ever y phase of development, from rigorous code reviews and comprehensive testing to QA compliance and secure deployment strategies. These practices ensure a reliable and secure platform.
System and Data Security Standards
Encryption
Data in Transit: To protect data integrity and confidentiality during transmission, all data is encrypted using industry-standard Secure Socket Layer (SSL) connections, with an encryption level of AES-256. This ensures that sensitive information remains secure from interception or tampering during communication between systems.
Data at Rest: All stored data is safeguarded with advanced encryption techniques, employing 128-bit Galois/Counter Mode (GCM) block ciphers. This provides robust protection for stored data, ensuring that even in the unlikely event of unauthorizedaccess, the data remains unreadable and secure.
System Access Control
Multi-Factor Authentication (MFA): To strengthen access security, MFA is mandatory for all team members accessing critical systems. By requiring an additional layer of verification, such as a code from a trusted device or biometric authentication, MFA mitigates the risks of compromised credentials.
Password Policies: Strong password requirements are enforced to ensure account security, with a minimum of 12 characters incorporating a mix of uppercase, lowercase, numbers, and special characters. These policies are periodically reviewed and updated to align with evolving security standards.
Access Privileges: Docana implements a robust role-based access control (RBAC) framework, assigning permissions based on job functions. Access privileges are restricted to a need-to-know basis, and regular reviews by the security team ensure that permissions remain appropriate and secure as roles change.
Data Access and Isolation
Role-Based Access: Access to sensitive data and system components is governed by a comprehensive RBAC model. Permissions are carefully assigned based on individual job responsibilities and are regularly reviewed by Docana's Security Committee to ensure compliance and appropriateness. This minimizes the risk of unauthorized access and data exposure.
Data Segregation: To provide maximum security and privacy for customer data, Docana employs a multi-tenant database architecture with Row-Level Security (RLS) to isolate data for each company. This ensures that each customer's data resides in a secure and segregated environment, preventing unauthorized access and ensuring that breaches or unauthorized activities in one tenant do not affect others.
Logging and Monitoring: Logging and monitoring systems are in place to capture all access events, including login attempts, data queries, and configuration changes. These logs are continuously analyzed for anomalies or suspicious activity, enabling proactive responses to potential security threats. In addition, regular audits of these logs enhance transparency and reinforce security practices.
Backups and Recovery Strategies
Reliability and data protection are central to Docana's commitment to delivering uninterrupted services. Our backup and disaster recovery mechanisms are designed to safeguard data integrity and ensure quick restoration in the event of unexpected incidents. These strategies provide peace of mind by minimizing downtime and protecting critical information.
Incremental Backups: To ensure data is consistently protected, system backups are performed incrementally every 1 hour. These backups are encrypted to maintain confidentiality and are replicated across multiple geographic regions. This redundancy ensures that data remains secure and recoverable even in the event of localized disruptions or outages.
Recovery Protocols: Docana employs comprehensive recovery strategies to handle major incidents swiftly and effectively. These protocols are designed to restore the platform's infrastructure within two hours, minimizing operational downtime and ensuring business continuity. Each recovery plan is tailored to address a wide range of scenarios, from system failures to data corruption.
Testing: To validate the reliability of our backup and recovery processes, Docana conducts regular disaster recovery testing. These tests simulate real-world incidents to assess the effectiveness of backup systems and recovery protocols. Insights from these tests are used to continuously refine and enhance our disaster recovery capabilities, ensuring that Docana can deliver a secure and resilient platform at all times.
Availability Commitment
Docana provides a 99.95% monthly infrastructure availability guarantee, ensuring minimal downtime and reliable ser vice for our customers. Planned maintenance schedules and feature releases are communicated well in advance, and all releases follow a consistent schedule of Tuesdays and Thursdays at 6:00 AM PT. This early timing minimizes disruptions to daily operations for customers in all time zones.
Security updates, however, may be deployed at any time outside of the regular schedule to address critical vulnerabilities or compliance requirements promptly.
Release Schedule
| Release Type | Planned Day | Time (PT) | Customer Notification |
|---|---|---|---|
| Feature/Platform Update | Tuesday | 6:00 PM | Minimum 2 weeks in advance |
| Feature/Platform Update | Thursday | 6:00 PM | Minimum 2 weeks in advance |
| Security Update | As needed | Anytime | As soon as possible |
This schedule ensures reliability and transparency for planned updates while maintaining flexibility to prioritize critical security needs.
Data Retention and Deletion
Customer data is retained for 14 days post-subscription expiry, with an additional 16-day grace period for complete data removal from the platform.
Supplier Management and Hosting
Docana's services are hosted on Google Cloud Platform, ensuring high availability, scalability, and security. Hosting is available in multiple regions worldwide, allowing customers to select their preferred data residency location.
Security Audits
Docana conducts regular security audits to identify and mitigate vulnerabilities. These audits include penetration tests and compliance reviews conducted before major releases and annually thereafter.
Compliance with Data Protection Laws
Docana complies with GDPR and other applicable data protection laws, ensuring secure data processing through contractual agreements and our Data Processing Agreement.
Customers can rely on Docana's flexible architecture to meet their compliance requirements.
Privacy Policy Addendum for Google Drive API Usage
Data Access
If you enable our Google Drive Connector, our software will access your files stored in Google Drive. This access is limited to the files necessary for the functionality of the connector and is performed only when you explicitly enable the feature.
Data Use
Data retrieved from your Google Drive is used exclusively to train our AI assistants. This training process includes extracting contextual information and generating vectors from the content of your files, which helps improve the relevance and quality of the assistance provided by our AI.
Data Sharing and Transfers
We do not share, transfer, or disclose your Google Drive data with any third parties. The only exception is that data may be transmitted to Google as part of our use of the Google Storage service, which supports our application's functionality. Your data is otherwise kept confidential and used solely for the purposes described.
Data Retention for AI and Machine Learning
Our application does not use Google Workspace APIs to develop, improve, or train generalized or non-personalized AI/ML models. Any Google user data accessed via our app is solely used for providing user-specific features and services. Furthermore, we do not transfer Google user data to third-party AI tools for the purpose of developing generalized or non-personalized AI/ML models. We retain the extracted contextual data and vectors from Google Drive files solely for using third-party personalized AI tools. Any data sharing with third-party tools is strictly limited to the purposes outlined in this policy and complies with all applicable privacy and security standards.
By using our application and enabling the Google Drive Connector, you consent to the access, use, sharing, and retention practices described above.
Moving Forward
Docana is committed to helping organizations transform their workflows with secure, AI-powered solutions. As we prepare for industry certifications, our platform is built to ensure data security, compliance, and operational efficiency.
Request a live demo to see how Docana can revolutionize your business processes while keeping your data safe and compliant.
Request a Demo
© 2024, Docana, Inc. or its affiliates. All rights reserved.