Draft — under legal review. This document is a working draft pending counsel review. Effective version may change before public launch. Last updated 2026-05-22.

Security

Last updated 2026-05-22

Undocsend stores the documents you use to raise money, close deals, and run diligence. We take that responsibility seriously. This page describes the security controls that protect your workspace and its documents.

Encryption

At rest. Documents are stored on Cloudflare R2 and Supabase Storage, both of which encrypt object data at rest using AES-256. Database contents (workspace metadata, analytics, audit logs) are encrypted at rest by Supabase.

In transit. All connections to undocsend use TLS 1.2 or higher. Documents transit encrypted from your browser to our infrastructure and from our infrastructure to the recipient Visitor’s browser.

Authentication

Undocsend uses Supabase Auth for both Operators and Visitors. Authentication is passwordless: Operators sign in via magic-link or supported SSO provider, and Visitors verify their email address via a one-time link before opening a shared dealroom. There are no user-chosen passwords to leak.

Authorization

Authorization is enforced at multiple layers:

  • Row-level security (RLS) at the database boundary. Every query is scoped to the requesting user’s workspace; cross-workspace reads or writes are denied at the database level, not just by application code.
  • Workspace isolation. Documents, audit logs, branding, and analytics are partitioned by workspace. There is no shared mutable state between workspaces.
  • Share-link scoping. Each share link is bound to a specific dealroom, visitor (if email-gated), and (optionally) expiration. Links can be revoked at any time.

Audit logging

Three audit streams capture the actions that matter:

  • Visitor audit. Every Visitor session, page view, download, and Q&A submission is logged. Operators can export the visitor audit for any dealroom.
  • Admin audit. Every Operator and admin action against a workspace (settings changes, member changes, document uploads, share-link creation and revocation) is logged.
  • Staff audit. Every undocsend staff action against a workspace (impersonation, support access, configuration override) is logged and available to the Operator on request.

Sub-processors

We rely on a small set of vetted vendors for hosting, storage, email, analytics, error monitoring, AI processing, and billing. The current list, the data each receives, and a link to each vendor’s DPA are published at /subprocessors. We give Operators at least 30 days’ notice before adding a new sub-processor.

Incident response

We monitor the Service for anomalies and triage alerts on a 24/7 rotation. If we confirm a security incident affecting your workspace, we will notify affected Operators within 72 hours of confirmation, with the information required by applicable breach-notification law and a remediation plan.

Backup and recovery

Database backups use Supabase point-in-time recovery so we can restore application data to any point in the supported retention window. Document storage on Cloudflare R2 is protected by bucket lifecycle policies that align with the retention windows described in our Privacy Policy.

Penetration testing

Roadmap: external penetration test scheduled — date pending. Results and remediation summary will be made available to qualifying Operators under NDA once the engagement closes.

SOC 2

Roadmap: SOC 2 Type I observation period and audit are on the roadmap. We are designing our controls against the SOC 2 Trust Services Criteria from day one so we can begin the observation window as soon as launch traffic stabilizes.

Responsible disclosure

We welcome reports from security researchers. Please send any findings to security@undocsend.com. Do not access data that is not your own, do not run disruptive scans against production, and give us a reasonable window to remediate before public disclosure. We will acknowledge reports promptly and credit researchers who follow this process.