How we protect your data and what to do if you find a vulnerability.
Infrastructure
- All services run on Cloudflare Workers — globally distributed, DDoS-protected edge infrastructure.
- Data is stored in Cloudflare D1, KV, and R2 — managed, encrypted-at-rest primitives.
- All traffic is served over TLS 1.2+. Plaintext HTTP is not accepted.
- API keys are hashed before storage. We never store plaintext credentials.
Payments
- Card payments are processed by Stripe. We never see or store card numbers, CVVs, or raw payment data.
- USDC payments via x402 are settled on Base mainnet — a public Ethereum L2. No private keys are held by DocImprint.
Document handling
- Uploaded documents are processed in memory and not persisted beyond your request unless you explicitly use document memory features.
- Stored bundles are scoped to your API key and not accessible to other users.
- On-chain notarization publishes only a cryptographic hash — document content is never written to the blockchain.
Access controls
- API access requires a valid API key or x402 payment signature on every request.
- Rate limiting is enforced per key to prevent abuse.
- Internal systems follow least-privilege access principles.
Responsible disclosure
If you discover a security vulnerability in DocImprint, please report it to us privately before public disclosure. We will acknowledge your report within 48 hours and aim to resolve confirmed vulnerabilities within 30 days.
Email: security@sawftware.co
Please encrypt sensitive reports using our PGP key if available, or contact us first to arrange a secure channel.
Scope
In scope for security reports:
- Authentication and authorization bypass
- Data exposure across API key boundaries
- Injection vulnerabilities (SQL, code, prompt)
- Payment or billing manipulation
Out of scope:
- Denial-of-service attacks
- Social engineering of Sawftware staff
- Issues in third-party services (Stripe, Cloudflare, Base)