Security at ApplyOCR

Enterprise-grade security built into every layer of our platform. Your data's protection is our highest priority.

Our Security Principles

Security by Design

Security is built into every component from the ground up, not added as an afterthought.

Zero Knowledge

We never store your document contents. Data is processed and immediately deleted.

Continuous Monitoring

Continuous logging with structured logs and error tracking. Real-time alerting system planned for future implementation.

Strong Encryption

TLS encryption for all data in transit (when deployed with proper infrastructure). Infrastructure-level encryption at rest.

Data Security

Encryption

Data in Transit

  • TLS encryption for all API communications (version depends on infrastructure configuration)
  • Strong cipher suites supported
  • HTTPS enforced when deployed with proper infrastructure

Data at Rest

  • Infrastructure-level encryption provided by cloud provider
  • Bcrypt password hashing with salt (industry standard)
  • SHA-256 hashing for API key storage
  • Encrypted database backups

Data Lifecycle Management

Document Processing Flow

  1. Upload: Document uploaded via encrypted HTTPS connection
  2. Validation: File type, size validation, and content inspection
  3. Processing: OCR extraction in isolated, ephemeral containers
  4. Response: Results returned to you via API
  5. Deletion: Immediate deletion of uploaded document and extracted text
  6. Logging: Only metadata (filename, size, processing time) retained for analytics

Zero Data Retention
We do not store document contents or extracted text. Your sensitive data never persists on our servers beyond processing time.

Infrastructure Security

Network Security

  • Rate Limiting: Tier-based API rate limiting to prevent abuse
  • Input Validation: Strict validation of all inputs using Pydantic schemas
  • Network Segmentation: Basic Docker networking isolation between containers
  • HTTPS: Traffic encrypted with TLS when deployed with proper infrastructure
  • Infrastructure Isolation: Database and processing layers can be isolated when deployed with VPC/private subnets

Container & Application Security

  • Immutable Infrastructure: Containers rebuilt for each deployment, never patched in place
  • Vulnerability Scanning: Tools available for scanning container images (pip-audit, bandit) - automation in progress
  • Least Privilege: Containers run with minimal permissions
  • Resource Isolation: CPU and memory limits prevent resource exhaustion attacks
  • Regular Updates: Base images and dependencies updated regularly

Access Controls

  • API Key Authentication: SHA-256 hashed API keys for programmatic access
  • JWT Session Management: Secure token-based authentication with expiration
  • Tier-Based Permissions: Feature access controlled by subscription tier
  • Automated Account Lockout: Protection against brute force attacks via rate limiting
  • Audit Logging: All API requests and authentication attempts logged
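The "SHA-256 hashing for API key storage" bullet above and under Data at Rest describes a common pattern: because an API key is a random, high-entropy secret (unlike a user-chosen password, which needs bcrypt), a plain SHA-256 digest can be stored and the raw key never kept. The following is an added illustration in Python, not ApplyOCR's code; the `aocr_` prefix, the key-id/secret split and the in-memory `KEY_STORE` are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory store standing in for a database table (constructed for this example):
# public key id -> (sha256 hex digest of the secret part, owner, subscription tier).
KEY_STORE: dict = {}

def _digest(secret: str) -> str:
    """SHA-256 is adequate here because the secret is 256 bits of randomness, not a human password."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()

def issue_api_key(owner: str, tier: str) -> str:
    """Mint a key of the form aocr_<id>.<secret>; only the id and the digest are persisted."""
    key_id = secrets.token_hex(8)        # public, indexable part: lookup by id avoids scanning all rows
    secret = secrets.token_urlsafe(32)   # shown to the caller exactly once, never stored
    KEY_STORE[key_id] = (_digest(secret), owner, tier)
    return f"aocr_{key_id}.{secret}"

def authenticate(presented: str):
    """Return (owner, tier) for a valid key, otherwise None, without saying which part was wrong."""
    if not presented.startswith("aocr_") or "." not in presented:
        return None
    key_id, _, secret = presented[len("aocr_"):].partition(".")
    record = KEY_STORE.get(key_id)
    # Hash and compare even when the id is unknown, so response time does not reveal valid ids.
    stored_digest = record[0] if record else _digest("")
    matches = hmac.compare_digest(stored_digest, _digest(secret))
    if record is None or not matches:
        return None
    return record[1], record[2]

def revoke(key_id: str) -> bool:
    """Revoke by public id only; support staff never need the secret to do this."""
    return KEY_STORE.pop(key_id, None) is not None
```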

Application Security

Secure Development Practices

Security Testing

  • Dependency vulnerability scanning tools available (pip-audit)
  • Static code analysis tools available (Bandit)
  • Security tooling available for manual and automated use
  • Regular security audits and updates

Secure SDLC

  • Security code reviews for all changes
  • Version control and change tracking
  • Security tooling available for dependency scanning
  • Regular security reviews and updates

Vulnerability Management

  • Responsible disclosure program
  • Coordinated vulnerability disclosure process
  • Rapid response for critical vulnerabilities
  • Regular security updates and patches

Protection Against Common Attacks

  • SQL Injection: Parameterized queries and SQLAlchemy ORM protection
  • Cross-Site Scripting (XSS): Content Security Policy (CSP) headers with automatic output encoding. Note: CSP currently allows inline scripts for functionality; further hardening planned.
  • CSRF Protection: Stateless API design with JWT/API key authentication (no session cookies)
  • Authentication Attacks: Tier-based rate limiting, automatic lockout, bcrypt password hashing
  • File Upload Attacks: Magic byte validation, file type verification, compression bomb detection, size limits
  • API Abuse: Redis-based distributed rate limiting with per-endpoint and per-tier controls
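The Validation step of the Document Processing Flow and the "File Upload Attacks" bullet above list magic byte validation, size limits and compression bomb detection without showing how they fit together. The following is an added example in Python and is not ApplyOCR's code; the accepted types, the limits and the `make_zip` sample builder are constructed for the illustration. It reads only a zip's central directory, so the archive is never expanded while being judged.

```python
import io
import zipfile

# Constructed limits for this example, not ApplyOCR's real configuration.
MAX_UPLOAD_BYTES = 10 * 1024 * 1024   # hard cap on the raw upload
MAX_COMPRESSION_RATIO = 100           # declared/actual size above this is treated as a bomb

# Leading bytes ("magic") for document types an OCR endpoint might accept.
MAGIC = {
    "application/pdf": b"%PDF-",
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "application/zip": b"PK\x03\x04",
}

class UploadRejected(ValueError):
    """Validation failure whose message is safe to return to the client."""

def sniff_type(data: bytes):
    """MIME type implied by the file's own bytes (or None); the client's Content-Type is ignored."""
    return next((mime for mime, sig in MAGIC.items() if data.startswith(sig)), None)

def check_zip_bomb(data: bytes) -> int:
    """Read only the central directory (nothing is extracted); return the declared total size."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            total = sum(info.file_size for info in zf.infolist())
    except zipfile.BadZipFile:
        raise UploadRejected("corrupt zip archive") from None
    if total > MAX_COMPRESSION_RATIO * len(data):
        raise UploadRejected("archive expands too far relative to its size")
    return total

def validate_upload(data: bytes, declared_type: str) -> str:
    """Size limit, magic bytes vs. declared type, then archive expansion; returns the real type."""
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty upload or file exceeds size limit")
    actual = sniff_type(data)
    if actual is None or actual != declared_type:
        raise UploadRejected("content does not match declared file type")
    if actual == "application/zip":
        check_zip_bomb(data)
    return actual

def make_zip(payload: bytes) -> bytes:
    """Constructed sample archive holding one deflated member with the given content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("page.txt", payload)
    return buf.getvalue()
```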

Monitoring & Incident Response

Security Monitoring

  • Structured application logging with request tracking
  • Error tracking and logging (real-time alerting system in development)
  • Failed authentication attempt logging
  • Rate limit violation tracking and automated blocking
  • Infrastructure-level monitoring available when deployed with cloud provider

Incident Response

  • Documented incident response procedures
  • Rapid response process for security incidents
  • Regular security audits and updates
  • Post-incident analysis and continuous improvement
  • Customer notification within 72 hours for data breaches (GDPR compliant)

Compliance & Certifications

ApplyOCR implements security practices aligned with industry standards and complies with global data protection regulations.

  • GDPR Compliant
  • CCPA Compliant
  • Security Practices Based on ISO 27001 Guidelines

Responsible Disclosure

We value the security research community and welcome responsible disclosure of security vulnerabilities.

How to Report

  1. Email security findings to security@applyocr.com
  2. Include detailed description, steps to reproduce, and potential impact
  3. Allow us 90 days to address the issue before public disclosure
  4. Do not access or modify customer data during testing

What to Expect

  • Timely response to all valid reports
  • Regular updates on remediation progress
  • Public acknowledgment (if desired)
  • Good faith cooperation and no legal action for responsible disclosure

We are committed to working with security researchers to protect our users. Researchers acting in good faith will not face legal action.