Security

Encryption at rest and in transit

Sensitive client profile fields — including passport numbers, dates of birth, contact details, UCI numbers, and other personal identifiers — are encrypted using AES-256-GCM before being written to the database. Encryption keys are managed separately from the data.

Client portal passwords are hashed using bcrypt and are never stored in plaintext. All data in transit between users, the application, and our infrastructure is protected using TLS (HTTPS).

Canadian data residency

Client and case data is stored in Canada using Supabase managed PostgreSQL, hosted in the AWS ca-central-1 region (Montreal, Canada). Document files are stored in Amazon S3 in the ca-central-1 region.

Docvera chose Canadian data residency to support firms and consultants with obligations or preferences related to domestic data storage for immigration case records.

Access control and tenant isolation

Each firm or consultant operates in an isolated tenant. Case records, client data, documents, and communications are scoped to the tenant and are not accessible to other tenants on the platform.

Workspace access is intended to be limited to authenticated users with an authorized role in the relevant tenant. Client portal access is intended to be limited to the client and case access records associated with the relevant portal session.

Customers remain responsible for who they invite into a workspace and for the security of their own endpoints and credentials.

Document handling

Documents are uploaded and downloaded using time-limited signed URLs. The application is designed so that document objects are not intended to be publicly listed or publicly retrievable without a valid signed request or other authorized access path.

Communications security

Email and WhatsApp are used as delivery channels for notifications, secure links, and reminders. Those channels are not a substitute for legal confidentiality analysis, internal firm policies, or independent identity verification.

Infrastructure providers

Docvera relies on third-party infrastructure and service providers, including Clerk (authentication), Amazon Web Services (document storage, ca-central-1), Supabase (database, ca-central-1), Vercel (hosting and delivery), Resend (email), and Twilio (WhatsApp).

Customer responsibilities

• Use strong authentication and protect account credentials.
• Invite only authorized users and review access regularly.
• Verify client contact details before sending secure links.
• Keep local devices, browsers, and networks reasonably secure.
• Use lawful and professionally appropriate procedures for handling client records.

Incident handling

If we become aware of a confirmed security issue affecting Docvera, we may investigate, take corrective action, and provide notices as appropriate under our contracts, operational practices, and applicable law.

No absolute guarantee

No online service can guarantee complete security, uninterrupted availability, or zero risk.