Security

Our Commitment to Security

At DocuQuire, security is fundamental to everything we do. We understand that mortgage professionals handle highly sensitive financial and personal information, and we are committed to protecting that data with industry-leading security practices.

This page outlines the security measures, technologies, and practices we employ to keep your data and your clients' information safe.

Bank-Level Encryption

All documents and data transmitted through DocuQuire are protected by bank-level encryption:

• 256-bit TLS Encryption in Transit: All data transfers use TLS 1.3 encryption (256-bit), the industry standard for secure communications over the internet
• AES-256 Encrypted Storage: All stored documents are encrypted using AES-256 encryption, the same standard used by banks and government agencies
• Database Encryption: All personal information and metadata stored in our databases is encrypted at rest using AES-256
• Key Management: Encryption keys are managed securely and rotated regularly

This means that even if data were intercepted during transmission or accessed from storage, it would be unreadable without the proper decryption keys. While we process documents on our servers for PDF generation (which is necessary for our service), all data is protected with encryption in transit and at rest, following industry-standard security practices.

Canadian Data Residency

All data stays in Canada: DocuQuire is committed to keeping all personal information and mortgage documents within Canadian borders to ensure compliance with PIPEDA and Canadian privacy regulations.

We do not transfer, store, or process your data outside of Canada without your explicit consent or as required by Canadian law. This ensures that your data is subject to Canadian privacy laws and regulations at all times.

PIPEDA Compliance

DocuQuire is designed and operated to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal privacy law. Our compliance includes:

• Consent: We only collect, use, and disclose personal information with your consent
• Purpose Limitation: We collect only the information necessary to provide our Service
• Access and Correction: You have the right to access and correct your personal information
• Accountability: We are accountable for all personal information under our control
• Security Safeguards: We implement appropriate security measures to protect personal information
• Data Retention: We retain information only as long as necessary and delete it securely

For more details about our privacy practices, please see our Privacy Policy.

Secure File Storage

Backblaze B2 Cloud Storage

We use Backblaze B2, a secure cloud storage service, to store all mortgage documents. Backblaze B2 provides:

• Enterprise-grade security and encryption
• 99.999999999% (11 nines) data durability
• Redundant storage across multiple data centers
• Compliance with SOC 2 Type II, ISO 27001, and other security standards
• Canadian data center locations (Toronto)

No Public Access

Documents stored in Backblaze B2 are never publicly accessible. We use presigned URLs with the following security features:

• Time-Limited Access: Presigned URLs expire after a set period (typically 24 hours)
• Single-Use Design: URLs are generated for specific documents and specific users
• Access Control: Only authorized users can generate presigned URLs for documents they have permission to access
• No Directory Listing: There is no way to browse or list documents without proper authorization

This means that even if someone obtained a presigned URL, they could only access that specific document for a limited time, and only if they had the exact URL.

90-Day Auto-Deletion

Automatic Document Deletion: All mortgage documents uploaded to DocuQuire are automatically and permanently deleted after 90 days from the date of upload.

This policy ensures that:

• Sensitive information is not retained longer than necessary
• We comply with data minimization principles under PIPEDA
• The risk of data exposure is minimized over time
• Storage costs remain reasonable, allowing us to offer competitive pricing

Authentication and Access Control

We implement multiple layers of authentication and access control:

• Secure Authentication: All user accounts require strong passwords and secure login credentials
• Session Management: User sessions are securely managed with timeouts and secure session tokens
• Role-Based Access: Users can only access documents and features appropriate to their role and permissions
• Audit Logging: All access to documents and sensitive operations is logged for security auditing
• IP Restrictions: Optional IP address restrictions can be configured for enterprise accounts

Infrastructure Security

Network Security

• Firewalls and intrusion detection systems
• DDoS protection and mitigation
• Regular security monitoring and threat detection
• Network segmentation to isolate sensitive systems

Server Security

• Regular security updates and patches
• Hardened server configurations
• Vulnerability scanning and penetration testing
• Secure configuration management

Application Security

• Secure coding practices and code reviews
• Input validation and sanitization
• Protection against common web vulnerabilities (OWASP Top 10)
• Regular security audits and assessments

Incident Response

We maintain a comprehensive incident response plan to address any security incidents:

• Detection: Continuous monitoring for security threats and anomalies
• Response: Rapid response procedures to contain and mitigate security incidents
• Notification: Prompt notification of affected users in the event of a data breach, as required by PIPEDA
• Recovery: Procedures to restore services and prevent future incidents
• Documentation: Thorough documentation of all security incidents and responses

Third-Party Security

We work only with trusted third-party service providers that meet high security standards:

• Stripe: PCI DSS Level 1 certified payment processor
• Mailgun: Secure email delivery service with encryption
• Twilio: Secure SMS messaging with encryption
• Backblaze: SOC 2 Type II and ISO 27001 certified storage provider

All third-party integrations are regularly reviewed and monitored for security compliance.

Security Best Practices for Users

While we implement robust security measures, users also play an important role in maintaining security:

• Use a strong, unique password for your DocuQuire account
• Never share your account credentials with others
• Log out of your account when using shared computers
• Keep your contact information up to date so we can notify you of important security updates
• Report any suspicious activity or security concerns immediately
• Only upload documents that are necessary for mortgage processing

Security Certifications and Compliance

DocuQuire is committed to maintaining and improving our security posture. We are working toward obtaining industry-standard security certifications and regularly review our practices against:

• PIPEDA compliance requirements
• OWASP security best practices
• NIST Cybersecurity Framework
• ISO 27001 information security standards

Reporting Security Issues

If you discover a security vulnerability or have concerns about our security practices, please contact us immediately:

We take all security reports seriously and will investigate and respond promptly. Please do not publicly disclose security vulnerabilities until we have had an opportunity to address them.

Questions About Security?

If you have questions about our security practices or would like more information, please don't hesitate to contact us at support@docuquire.com.

We are committed to transparency about our security practices and are happy to address any concerns you may have.