DoqSeal was designed after the DPDP Act passed. Encryption is client-side. Processing happens in enclaves. Keys live for milliseconds. We can't read your documents — and we built it that way on purpose.
Audited annually by Deloitte
Information security mgmt
Consent receipts built-in
Auditor: ITAS Solutions
AES-256-GCM at rest. TLS 1.3 in transit. Per-tenant data encryption keys derived via HKDF and rotated quarterly.
Extraction runs inside AWS Nitro enclaves and Intel SGX TEEs. The hypervisor cannot inspect memory. Keys exist for the duration of a single request, then evaporate.
Primary in ap-south-1 (Mumbai). Disaster recovery in ap-south-2 (Hyderabad). Backups encrypted with customer-managed keys. Data never leaves Indian sovereign territory.
SSO via SAML 2.0 / OIDC. SCIM 2.0 for user provisioning. Per-document RBAC with attribute-based extensions. MFA enforced on all admin actions.
Every action — upload, view, extract, export, delete — written to an append-only log signed with our HSM. Stream to your SIEM via Splunk HEC, Datadog, or syslog.
SLA: critical incident notification within 4 hours. Public hello@doqseal.com PGP key. Bug bounty up to ₹5L per critical CVE. Quarterly pen-tests by Bugcrowd.
A short list, kept short on purpose. Every sub-processor signed a DPA with India-only data residency. List updated within 30 days of any change.
Compute, storage, KMS. Sub-processor agreement: BAA-equivalent + DPDP addendum.
HSM operator for our root signing keys. CCA-licensed.
Error monitoring runs inside our infrastructure — never sends data outside India.
Detailed architecture, threat model, and audit reports are available under MNDA. Email hello@doqseal.com.