Security and trust at DocGenie.
How DocGenie protects your firm’s data and your clients’ financial records. Specific controls, named technologies, and verifiable claims. No marketing language.
- AES-256 at rest
- TLS 1.3 in transit
- SOC 2 aligned
- GLBA-aligned
- Read-only by design
Full policies, controls, and reports live in our Trust Center.
The short version.
DocGenie connects to your clients’ institutions in one of two ways, depending on what the institution supports. The connection mode is shown before you authorize.
Where an institution supports direct authorization, DocGenie receives a read-only token; the credential never touches DocGenie. Where it doesn’t, you provide the credential when you add the institution. It’s encrypted at rest with AES-256-GCM under a key unique to your firm, scoped to document retrieval, and deleted the moment you revoke from your DocGenie account.
In both modes, access is read-only. Documents are encrypted in transit and at rest, delivered to your cloud storage, and every retrieval is logged with timestamp and source.
If you’re handing this page to your IT team, the rest of the page goes deeper.
Two authentication modes. Both read-only.
- Direct authorization. Where an institution supports it, DocGenie initiates authorization at the institution and receives a read-only token. The credential never touches DocGenie. Tokens rotate per institution policy (typically 90 to 365 days); re-authorization is requested automatically before expiration.
- Credential-based access. Where direct authorization isn’t available, you enter the credential when you add the institution. It’s encrypted at rest with AES-256-GCM under an encryption key unique to your firm. Access is scoped to document retrieval. Revoking from your DocGenie account deletes the credential immediately.
- Read-only by design. In both modes, access is bounded to document retrieval. DocGenie cannot move money, change account settings, or access non-document data.
- Connection mode shown up front. For every institution you add, DocGenie shows the connection mode (direct or credential-based) before you authorize. No surprises and no after-the-fact disclosures.
Encrypted everywhere, always.
- At rest. AES-256-GCM on all stored documents, metadata, and retrieval logs.
- In transit. TLS 1.3 on every connection, including retrieval from institutions and delivery to your cloud storage.
- Cipher suite. AES-256-GCM: the Advanced Encryption Standard in Galois/Counter Mode with a 256-bit key. GCM is an authenticated mode: it produces a tag that lets the recipient detect any modification of the ciphertext, and it supports additional authenticated data (AAD), context that is authenticated alongside the ciphertext without being encrypted. Cryptographers consider AES-256-GCM quantum-resistant: theoretical future large-scale quantum attacks reduce the effective key strength to 128 bits, which is still infeasible to brute-force.
- Key management. Managed key store. Keys rotated annually.
- Scope. Documents, metadata, retrieval logs, and authorization tokens.
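As an added example (not DocGenie’s code), this Go program shows what the cipher-suite and credential-based-access passages above describe: a credential sealed with AES-256-GCM under a per-firm key, with the firm and institution identifiers bound in as AAD, so that opening the stored blob under another tenant, another institution, a different key, or after any byte is altered fails the GCM integrity check. The function names, the AAD layout, and the sample identifiers are assumptions; the key is a constructed stand-in for one held in a managed key store.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// aad ties a ciphertext to one firm and one institution; it is authenticated, not encrypted.
func aad(firmID, institutionID string) []byte {
	return []byte("firm=" + firmID + ";institution=" + institutionID)
}

// firmAEAD builds the AES-256-GCM instance for one firm's 32-byte key.
func firmAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // aes.NewCipher would also accept 16 or 24 bytes, which is not AES-256
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealCredential returns nonce(12) || ciphertext || tag(16); GCM requires a fresh random nonce per seal.
func sealCredential(gcm cipher.AEAD, firmID, institutionID string, credential []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, credential, aad(firmID, institutionID)), nil
}

// openCredential fails when the blob, the key, or the firm/institution identifiers differ from sealing time.
func openCredential(gcm cipher.AEAD, firmID, institutionID string, blob []byte) ([]byte, error) {
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("blob too short to hold nonce and tag")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad(firmID, institutionID))
}

func main() {
	key := make([]byte, 32) // constructed stand-in for the firm's key from the key store
	rand.Read(key)
	gcm, _ := firmAEAD(key)
	blob, _ := sealCredential(gcm, "firm-123", "bank-a", []byte("constructed-credential"))
	_, err := openCredential(gcm, "firm-999", "bank-a", blob) // same key, other tenant in the AAD
	fmt.Println("cross-tenant open rejected:", err != nil)
}
```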
Where DocGenie runs.
- Hosting. Amazon Web Services (AWS).
- Data residency. US only.
- Backup. Automated daily backups.
- Redundancy. Geographic redundancy across multiple AWS availability zones.
Aligned with industry standards.
- SOC 2 aligned. Our security controls are aligned with SOC 2 Type II requirements.
- GLBA-aligned. DocGenie’s data handling practices align with the Gramm-Leach-Bliley Act Safeguards Rule.
- Annual penetration testing. An external firm conducts an application and infrastructure penetration test annually.
We test our defenses.
- We monitor and test. Continuous monitoring of production systems and regular penetration testing against the application and infrastructure.
- Vulnerability disclosure. Report security issues to hello@docgenie.cloud. Acknowledged within 24 hours.
- Incident response. Documented incident response plan. Customers notified within 72 hours of any confirmed incident affecting their data.
- Cyber insurance. DocGenie carries a cyber insurance policy underwritten by Chubb.
- Personnel. Background checks completed on every employee with production access. Security training reviewed annually.
Questions for our security team?
For security inquiries, RFI responses, or vendor security reviews, contact us. Acknowledged within 24 hours.