Document Works
FeaturesSovereignty
Log inJoin Waiting List

Security Statement

Version 1.0 — last updated 15 April 2026.

Document Works takes the security of your data seriously. On this page we summarise how we protect the Service technically and organisationally. For the broader privacy context, please see our Privacy Statement. A detailed security whitepaper is available on request for business customers via security@document.works.

Architecture and hosting

  • All infrastructure runs on our own servers at Hetzner Online (DE/FI), entirely within the European Economic Area.
  • No part of the standard Service depends on US cloud providers. AI features use Mistral AI (FR) exclusively, under the Scale Plan with Zero Data Retention.
  • The production environment is separated from development and test environments.

Encryption

  • In transit: TLS 1.2+ for all public endpoints, with HSTS preload for all main domains. A modern cipher policy (no RC4, no SSLv3, no TLS 1.0/1.1).
  • At rest:
    • Database back-ups are GPG-encrypted before being stored.
    • Credentials for connected services (IMAP, SMTP, OAuth tokens, CalDAV passwords) are encrypted in the database with a separate key (ENCRYPTION_KEY), decoupled from other secrets so that key rotation does not affect other components.
    • Passwords are never stored in plain text; authentication runs through a dedicated identity provider with modern hashing algorithms (argon2 or equivalent).

Authentication and access

  • OIDC authentication via a dedicated identity provider, with optional two-factor authentication.
  • Short session tokens (30 minutes) for document editing sessions, rather than long-lived tokens, to limit risk from token leaks.
  • Strict RBAC for multi-tenant data: row-level tenant isolation in the database, audit logs on role changes.
  • Access by Document Works staff to production environments is restricted to a small number of administrators, on a need-to-know basis, always via SSH keys (no passwords), and logged.

Web security

  • Strict Content Security Policy with nonce-based script sources (no unsafe-inline, no unsafe-eval).
  • Defensive HTTP headers: X-Frame-Options: SAMEORIGIN, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy limited to what the Service actually needs.
  • Rate limiting on authentication and API endpoints; aggressive blocking against brute-force and credential stuffing.
  • CSRF protection via standard CSRF tokens.

Logging and monitoring

  • Centralised collection of application and infrastructure logs for security and operational purposes.
  • Audit logs on sensitive actions (login, failed login attempts, permission changes, document access, share operations).
  • Retention: 12 months for audit logs, 30 days for system and error logs.

Back-ups and recovery

  • Encrypted back-ups of all databases, with a rolling window of up to 30 days.
  • Periodically tested recovery plan to verify that back-ups are usable.
  • Geographical redundancy between Hetzner data centres within the EEA.

Sub-processor management

  • Limited set of sub-processors (Mistral, Hetzner). See the public sub-processor list.
  • A written data processing agreement (DPA) under GDPR art. 28 has been concluded with each sub-processor.
  • Changes are announced at least 30 days in advance.

Security reporting and vulnerability policy

We welcome responsible disclosure of security issues. Send your findings to security@document.works and give us a reasonable period to fix the issue before disclosing it publicly. See also /.well-known/security.txt.

Data breaches

In the event of a data breach we follow the procedure of GDPR art. 33/34:

  • In the case of a notifiable data breach, we notify the Dutch Data Protection Authority within 72 hours.
  • In the case of a data breach with a high risk to data subjects, we inform them directly, or via our business customer if the customer is the controller.
  • We carry out an internal post-mortem and share relevant mitigations with our business customers.

Certifications and continuous improvement

Document Works is SOC 2- and ISO/IEC 27001-compliant. Security is an ongoing process: we keep strengthening our controls, keep expanding our self-hosted AI components to reduce the scope of sub-processors, and have periodic pen-tests carried out by an external party.

Document Works

The European Productivity Suite

🇪🇺 Made in Europe

Product

  • Features
  • Security

Company

  • Contact
  • Imprint

Legal

  • Terms of Service
  • Privacy Policy
  • Cookies
  • Acceptable Use
  • Security
  • Sub-processors
  • Data Processing Agreement
© 2026 Document Works. All rights reserved.