Security & Trust — NovexDocs

Our commitments to you

✅

We never sell your data.

No advertisers, no data brokers, no marketing lists. Period.

✅

We never train AI models on your data.

Your documents stay yours. We use Anthropic's Claude API, which per their policy does not train on commercial API customers' data by default.

✅

You can delete your data anytime.

Request deletion and we'll remove your documents and personal information within 30 days. We may verify the request comes from the account owner before processing.

✅

We use strong encryption.

AES-256 at rest on AWS S3. TLS 1.2 or higher in transit. These are widely deployed industry standards, including in financial services.

✅

Access is limited to authorized engineers.

Production systems are accessed only via SSH key authentication by named team members — for support, abuse investigation, or legal compliance. We are honest below about what this means in practice.

What we can and can't see

Most document services aren't honest about this. We will be.

⚠️ Honest disclosure

NovexDocs is not a zero-knowledge service. This means:

• When you enable AI extraction, the document is sent to our AI partner (Anthropic) for analysis. They process it and, per their published policy, do not retain it for training.
• Our authorized engineers technically have the ability to access stored documents — e.g., if you contact support, or to investigate suspected abuse.
• Like most cloud services (Google Drive, Dropbox, OneDrive), encryption keys are server-side.
• If you want truly zero-knowledge storage, we recommend products like Proton Drive, Tresorit, or Cryptomator. NovexDocs is built for convenience and AI-powered search, which fundamentally requires server-side access.

Technical security details

🔒 Encryption at rest

All files stored in AWS S3 with AES-256 server-side encryption (SSE-S3). The application database runs on encrypted storage.

🔒 Encryption in transit

All connections use TLS 1.2 or higher. HSTS is enabled. We do not serve mixed content.

🌍 Infrastructure

Hosted on Amazon Web Services in the ap-southeast-1 (Singapore) region. Files are stored in AWS S3, which is designed for 99.999999999% (11 nines) annual durability within the region. We do not currently run multi-region failover, which means an AWS region-wide outage would cause service downtime until AWS restores the region. Daily backups are retained off-instance.

🔑 Authentication

Passwords are stored as bcrypt hashes (cost factor 10). Session tokens are JWT-based. Google OAuth 2.0 is supported for sign-in. Auth endpoints are rate-limited to slow brute-force attempts.

📋 Compliance

Our data handling is aligned with GDPR principles: right to access, right to delete, right to data portability. We are not SOC 2, ISO 27001, or HIPAA certified. See our Privacy Policy for the full picture.

🚨 Incident response

If we identify a data breach that is likely to affect you, we will notify you without undue delay — within 72 hours where feasible — and inform the relevant supervisory authority as required by GDPR Article 33.

🐛 Found a security issue?

We take security seriously. If you discover a vulnerability, please report it responsibly and give us a reasonable window to fix it before public disclosure. We will not pursue legal action against good-faith security researchers who follow responsible disclosure.

Email security@novexdocs.com

This page is updated as our security practices evolve. Last updated: June 2026.

← Return to home · Privacy Policy · Terms of Service

Built on honest transparency