Document360 is built with security, privacy, and compliance at its core so teams can confidently create, manage, and scale knowledge without compromising trust.

Document360 Trust Center

Security

This section outlines the security controls implemented for Document360 to protect customer data and support the secure design, deployment, and operation of the product. These controls span cloud infrastructure, product security, organizational safeguards, and operational processes, and are implemented as part of our organization-wide security program.

Backups and Recovery: System and customer data backups are performed regularly and stored securely to support data restoration in the event of data loss or system failure.
Disaster Recovery & Business Continuity: Our disaster recovery plan ensures minimal downtime and data loss during unexpected events. We define a clear RTO (Recovery Time Objective) and RPO (Recovery Point Objective) to ensure rapid recovery.
Denial of Service (DoS) Protection: Network-level protections are implemented to detect and mitigate denial-of-service attacks and maintain service availability.
Network Segmentation: Network environments are segmented by strictly segregating development, staging, and production environments to limit lateral movement and reduce the impact of potential security incidents.
Private Hosting: The product is hosted in a controlled cloud environment with restricted administrative access and hardened configurations.
Real-Time Monitoring & Detection: Infrastructure and systems are continuously monitored for security events and operational anomalies.
Service Availability & Status Monitoring: Service health and availability are actively monitored to identify and respond to disruptions in a timely manner.

Encryption: Customer data is encrypted at rest using strong encryption standards (AES-256) and in transit using TLS to protect confidentiality and integrity.
Multi-Tenancy & Data Isolation: Logical controls are implemented to ensure customer data is securely isolated within a multi-tenant environment.
Authentication Security: Authentication mechanisms include support for Single Sign-On (SSO) to streamline and strengthen access security.
Password Complexity: Password policies enforce complexity and security requirements to reduce the risk of unauthorized access.
Role-Based Permissions: Access to product features and data is governed through role-based access control aligned to the principle of least privilege.
Activity & Audit Logging: User and system activities are logged to support monitoring, investigations, and audit requirements.
Penetration Testing: Periodic penetration testing is conducted to identify and remediate security weaknesses in the product.

For additional technical details on our product architecture and security design, visit our Product Security Overview.

Employee Background Checks: Background verification is conducted for employees in sensitive or privileged roles.
Employee Confidentiality: Employees are subject to confidentiality obligations to protect customer and company information.
Endpoint Encryption: Company-managed devices use encryption to protect data stored on endpoints.
Endpoint Management: Endpoints are centrally managed to enforce security configurations and maintain compliance.
Endpoint Protection: Endpoint protection technologies are used to detect and respond to malware and malicious activity.
Zero Trust Architecture: Access to systems and resources is governed using Zero Trust principles, requiring verification before access is granted.
Least-Privilege Access: Access rights are limited to what is necessary for job functions and reviewed periodically.

Secure Code Review: Code changes are subject to review processes designed to identify security and quality issues before deployment.
Vulnerability Management: Security vulnerabilities are identified, prioritized based on risk, and remediated in a timely manner.
Incident Response Process: A documented incident response process defines severity levels, roles, escalation paths, and remediation actions.
Incident Response Coverage: Security incidents are handled by designated personnel with defined responsibilities and response procedures.
Security Policies: Documented security policies define requirements for access control, data protection, acceptable use, and risk management.
Vendor Risk Assessments: Third-party vendors are assessed for security risks prior to engagement and periodically thereafter.
Security Support Coverage: Security incidents and inquiries are supported through defined internal support and escalation mechanisms.

Customer Data Encryption: Customer data is protected through encryption and access controls to prevent unauthorized access.
Data Access Controls: Access to customer data is restricted to authorized personnel and systems based on role and business need.
Regional Data Hosting: Where applicable, data hosting locations align with contractual and regulatory requirements.
Data Retention & Secure Disposal: Data retention periods are defined, and secure disposal processes are followed when data is no longer required.

The security controls supporting Document360 are independently validated through recognized assurance frameworks, including:

  • ISO 27001: Information Security Management System (ISMS) certification covering organizational security controls.
  • SOC 2 Type II: Service Organization Control report focusing on security, availability, processing integrity, confidentiality, and privacy.

Privacy

Document360 operates a comprehensive global privacy and data protection programme that is embedded across our Legal, Security, Engineering, Product, and Executive teams. Privacy is treated as a foundational requirement, not an afterthought. Our programme is designed to ensure transparency, accountability, and compliance with applicable data protection laws across regions where our customers operate.

We follow privacy-by-design and privacy-by-default principles, ensuring that personal data is processed lawfully, fairly, and securely throughout its lifecycle.

Learn more about our privacy commitments here: Document360 Privacy Policy.

Sub Processor List

Name of Sub Processor | Purpose of Processing
MongoDB | Used as our vector database
OpenAI | Provides AI capabilities, utilizing their advanced models
Azure | Our cloud provider, ensuring a scalable and reliable infrastructure
Stripe | Facilitates secure payment processing
Segment | Used for product analytics to enhance the user experience
Mixpanel | Enables advanced analytics
Cloudflare | Manages network traffic and firewall

Document360 supports customer compliance with the EU General Data Protection Regulation (GDPR). When customers process personal data of individuals located in the European Economic Area (EEA), Document360 acts as a data processor and applies appropriate technical and organisational safeguards as required under GDPR.

Our GDPR programme focuses on:

  • Lawful and purpose-limited processing of personal data
  • Strong security controls to protect confidentiality and integrity
  • Support for data subject rights such as access, correction, and deletion
  • Clear accountability through documented policies and procedures

To formalise these commitments, Document360 offers a Data Processing Agreement (DPA) that incorporates applicable Standard Contractual Clauses (SCCs) for international data transfers.

Customer content and personal data hosted in Document360 are processed within secure Microsoft Azure cloud environments. Azure provides enterprise-grade security controls, resilience, and compliance with internationally recognised standards.

Document360 applies strict access controls, encryption, and monitoring across its infrastructure to ensure customer data remains protected at all times.

Document360 follows defined data retention and deletion practices to ensure personal data is not stored longer than necessary. Customers retain ownership of their content and can request deletion of their data in accordance with contractual and regulatory requirements.

Detailed information is available in our privacy documentation: Privacy Policy.

We use cookies and similar technologies to support essential platform functionality, improve user experience, and understand product usage. Cookies are managed in accordance with applicable privacy laws, including GDPR.

For more information, please review our Cookie Policy.

Responsible AI at Document360

At Document360, we are committed to transparency with our customers regarding our products and how we use AI to enhance your experience. Here is a comprehensive overview of Eddy AI's functionality, highlighting our security measures and privacy practices.

More details are available here: Eddy AI Trust Page.

Document360 uses third-party AI services to support specific product features. We do not develop, train, or host our own AI models.

AI capabilities within the platform are powered by OpenAI and are used to assist users with content creation, organization, and improvement. Our use of AI is governed by contractual safeguards, including a Data Processing Agreement (DPA), and is designed to align with our privacy and data protection commitments.

Data Privacy: Customer data is processed only to deliver AI-assisted functionality within the platform. Data is handled in accordance with our Privacy Policy, contractual commitments, and applicable data protection laws.
Model Training: Customer content is not used by Document360 to train AI models. OpenAI processes data in accordance with contractual terms and applicable data protection obligations.
Data Security: AI-related data processing is subject to the same security and access controls that apply across the Document360 platform. We rely on OpenAI's security controls and contractual commitments for model-level protections.
Model Security: Model security and infrastructure protections are managed by OpenAI. Document360 does not operate or modify AI models directly.
Model Accuracy: AI-generated outputs are intended to assist users and may require human review. Customers remain responsible for reviewing and validating AI-generated content before publication or use.
Data Hosting & Locality: AI processing locations are determined by OpenAI's infrastructure and contractual commitments. Document360 does not independently control AI model hosting locations.

Legal & Compliance

At Document360, our legal and compliance framework is designed to provide clarity, predictability, and robust protection for our customers. Our Terms of Service clearly outline responsibilities, data ownership, acceptable use, and service commitments, ensuring enterprise-grade adoption and reliability.

We are fully committed to adhering to applicable laws, regulations, and contractual obligations, and maintaining compliance with industry standards relevant to our services.

For any legal, compliance, or regulatory inquiries, or to request access to specific compliance reports such as SOC 2 Type II and ISO/IEC 27001:2022, please contact our team: legal@kovai.co.