Security at DocDrawer

Last updated: 12 May 2026

DocDrawer handles invoice and payment-instruction data on behalf of letting agents. We take the security of that data seriously — what follows is how, in concrete terms.

Report a vulnerability: email security@docdrawer.co.uk. We acknowledge reports within one working day. Full machine-readable disclosure policy at /.well-known/security.txt.

1. DocDrawer cannot redirect a supplier payment

The single most important security boundary in DocDrawer is the one between us and supplier bank account numbers. Two rules together make a compromised DocDrawer environment unable to redirect any payment:

1. DocDrawer never writes bank details to PayProp. Account numbers, sort codes, and branch codes are entered directly in PayProp by an authorised PayProp user. DocDrawer's supplier-create flow strips bank-shaped fields client-side and never sends them on the wire. When a payment is published, it uses PayProp's stored bank details — never the invoice's. A compromised DocDrawer account therefore cannot change where money goes.

2. DocDrawer never stores a full account number. The fraud-detection check that compares an invoice's printed bank details against PayProp's record needs some persistent reference for repeat suppliers. DocDrawer stores only the sort code plus the last 4 digits of the account number — the same shape PayProp's own API surfaces back to us (the API masks the rest). Full account numbers exist in memory only for the duration of the per-invoice check, then are discarded. A database-level breach yields (sort, last-4) pairs which on their own cannot redirect a payment.

Defence in depth at review time: when an inbound invoice has bank details printed on it (most contractor invoices do), DocDrawer compares the sort code and last 4 digits against PayProp's record. A green "✓ Verified" pill appears next to the supplier name when both match. A red "⚠ Bank mismatch" pill and warning banner appear when they differ, with one-click links to open the supplier in PayProp and re-check after updating. The mismatch is a detection event, not a payment-failure mode — the underlying payment still routes through PayProp's stored bank details regardless.

The check only runs when the primary supplier match (name / email / company registration / VAT) is already strong, so weak matches don't trigger noisy banners. And the verification deliberately doesn't reveal more than PayProp itself does — DocDrawer compares last-4 against last-4, never against a full account it shouldn't have.

This architecture is recognised by professional indemnity insurers and property-industry bodies (RICS, ARLA).

2. Authentication and access control

Two-factor authentication is mandatory. Either a TOTP authenticator app or a passkey (Touch ID / Face ID / Windows Hello / hardware key). There is no "skip 2FA" option. First-time setup is required before reaching any data.
Sign-in options: email + password (with strong-password rules and breach-corpus check), Google, Microsoft, or Xero. All routed through Supabase's hardened auth service.
Device trust: a trusted-device cookie reduces 2FA prompts on familiar browsers for 30 days. Platform-admin devices get a shorter 12-hour window and full revocation on every sign-out.
Role-based access at the company level (Owner / Manager / Publisher / Reviewer), per-user permissions for sensitive actions (managing users, bulk publishing), and platform-level super-admin separated from regular accounts.
Row-level security on every table holding customer data — Postgres enforces "this user can only see rows for their own companies" at the database layer, not just the application.

3. Encryption

In transit: TLS 1.2+ on every endpoint, HSTS enforced.
At rest: AES-256-GCM on third-party OAuth tokens and other sensitive blobs at the application layer; AWS-managed AES-256 on the underlying database storage.
Webhook integrity: every inbound webhook (Resend, Xero, PayProp, Calendly) is HMAC-signature-verified with a constant-time comparison before any persistence happens.

4. Where your data is stored

All customer data is hosted on Amazon Web Services (eu-west-2 / London). DocDrawer uses two managed platforms on top of AWS:

Supabase for the database, file storage, and authentication. Single region, EU-only, no cross-region replication.
Vercel for application hosting and serverless API functions.

Both Supabase and Vercel are SOC 2 Type II certified. Data does not leave the EU.

Offsite backups: nightly encrypted snapshots are written to Wasabi (also AWS eu-west-2 / London, but a separate provider account). Backups use AES-256-GCM client-side encryption and Wasabi Object Lock in Compliance mode — once written, neither DocDrawer nor an attacker holding our credentials can delete or alter them for 30 days. This is the primary defence against ransomware, accidental deletion, and Supabase-side data loss.

5. Sub-processors

DocDrawer uses the following third-party services to deliver the product. Each is bound by a data-processing agreement and each maintains its own security certifications.

Sub-processor	Purpose	Region
Amazon Web Services	Underlying compute and storage (via Supabase + Vercel)	EU (eu-west-2)
Supabase	Database, authentication, file storage	EU (eu-west-2)
Vercel	Application hosting, serverless API runtime	EU + global edge
Resend	Transactional email (inbound and outbound)	EU + US
Anthropic	AI-assisted document extraction (Claude)	US
Plain	In-app customer support widget	EU + US
Sentry	Error tracking and observability (PII scrubbed)	EU
Wasabi	Encrypted offsite backups (Object Lock Compliance, 30-day immutability)	EU (eu-west-2)
Upstash	Rate-limit counters (Redis); keyed by user ID / IP, no invoice or document content	EU
Voyage AI	Text embeddings of invoice content for supplier and property matching	US
PayProp	Property-management integration (customer-controlled)	EU + global
Xero	Accounting integration (customer-controlled)	EU + global

6. Vulnerability management

Code review. Every change ships via pull request with review before reaching production.
Automated dependency scanning. Dependabot opens fix PRs weekly; npm audit runs on every pull request; gitleaks blocks accidental secret commits.
Internal security review. A full code-and-architecture security review was completed and every finding (critical, high, medium, and low) addressed before this page was published.
External penetration test. Annual.

7. Logging and audit trails

Sensitive administrative actions are recorded with the acting admin, target, timestamp, IP, and user-agent:

Impersonation of a landlord or supplier account
Reset of a user's two-factor authentication
Every change to a user record (in the user's own edit history)
Every published invoice (with the publisher's identity captured at the moment of publish)
Every platform-admin read of another tenant's data (billing usage, statements, debug endpoints)
Every supplier-alias / property-alias mutation — the routing tables an attacker would target to redirect inbound invoices — captured at the database layer regardless of code path

8. Data retention and deletion

Customer data is retained while the customer's account is active. On account closure, data is retained for 90 days to allow recovery (after which it is purged from primary storage). Backups follow their own retention schedule, documented in our disaster-recovery plan and available on request.

Customers can request export or deletion of their data at any time by emailing support@docdrawer.co.uk. We respond within one working day.

9. Incident response

If a security incident affects customer data, we will notify affected customers by email without undue delay — and within 72 hours of becoming aware of it, in line with our obligations under UK GDPR. Notification includes what happened, what data was affected, what we have done, and what affected customers should do.

10. Reporting a security issue

If you believe you have found a security vulnerability in DocDrawer:

Email security@docdrawer.co.uk with a description and reproduction steps.
Please do not publicly disclose the issue until we have had a chance to investigate and respond.
We will acknowledge your report within one working day and keep you informed of progress.
We do not currently run a paid bug bounty programme. We are grateful for any responsible disclosure and credit researchers in release notes where they consent.

11. Certifications and compliance

DocDrawer is being built toward Cyber Essentials certification (UK government scheme). SOC 2 and ISO 27001 are on the roadmap when customer demand justifies the audit cost. Our underlying platforms (AWS, Supabase, Vercel, Resend, Sentry) maintain SOC 2 Type II certification today.