SubtleDoc AI

Security & Architecture

Enterprise-grade security with a dedicated deployment for every customer. Your data stays yours.

Core Principles

Built secure by design

Single-Tenant Isolation

Every customer gets their own dedicated instance. No shared databases, no shared servers, no data commingling.

Encrypted Everywhere

TLS 1.2+ in transit. Encrypted volumes at rest. API keys stored in encrypted environment variables — never in code.

Your Data, Your Control

No customer data is used for AI model training. You can delete all data at any time through the admin panel.

SOC 2 Aligned

Controls aligned with SOC 2 Type I. Type II certification and ISO 27001 are on our roadmap.

Architecture

How SubtleDoc is built

Infrastructure

  • Hosted on Render PaaS (US-based data centers)
  • Dedicated instance per customer with independent scaling
  • 99.9% uptime SLA on paid plans
  • Zero-downtime deployments with auto-restart

Authentication

  • Google OAuth 2.0 — no passwords to manage
  • Email whitelist authorization (only approved users access your instance)
  • Least-privilege OAuth scopes for each service
  • Development mode password-protected and hidden in production

AI Processing

  • Anthropic Claude for classification, search, and action extraction
  • Google Gemini for semantic embeddings
  • Both services contractually prohibited from training on your data
  • Input truncation limits prevent data over-exposure

Data Protection

  • Encrypted persistent storage (EBS volumes)
  • OAuth tokens stored server-side with strict file permissions
  • Optional backup to your own Google Drive
  • Search index fully regenerable in 2-5 minutes

Application Security

Built-in safeguards

  • Authentication gate: Every page requires authentication — no unauthenticated access to any data or functionality.
  • File validation: Strict file type checking: PDF, DOC/DOCX, XLS/XLSX, TXT, JPG/PNG, DWG/DXF only.
  • Duplicate detection: Three-layer duplicate check — filename matching, SHA-256 hash comparison, and 85% semantic similarity threshold.
  • Secret management: All API keys and credentials stored as encrypted environment variables. Zero secrets in source code.
  • Email ingestion: Gmail API integration is read-only. Attachments are pulled and classified — no email modification.

Compliance

Standards alignment

  • SOC 2 Type I: Aligned
  • CCPA: Aligned
  • GDPR: Partial
  • SOC 2 Type II: Roadmap
  • ISO 27001: Roadmap

Questions?

Talk to our team about security

We're happy to walk through our architecture with your IT team and provide full technical documentation.