OpenShut is built with security and compliance at its core. This page documents every security control, compliance framework, and data protection practice we implement.
Last updated: April 2026
AES-256 server-side encryption on all stored documents and data via AWS S3.
TLS 1.2+ enforced on all connections. HSTS enabled with 2-year max-age.
PostgreSQL with encryption at rest via Supabase managed infrastructure.
bcrypt with cost factor 12 for all user-facing passwords (share links).
Four-tier role system: Owner, Admin, Member, Viewer. Granular permission checks on all API endpoints.
Enterprise SSO via Clerk. Multi-factor authentication supported.
SHA-256 hashed API keys with per-key permissions and rate limiting.
Secure session tokens with automatic expiry via Clerk.
SHA-256 checksums computed and stored for every generated document. Tamper detection on verification.
Comprehensive audit logging of all user actions, API calls, and system events with IP tracking.
Automated data retention enforcement: audit logs (2 years), share links (30 days post-expiry), webhook logs (90 days).
Time-limited share links with optional password protection, view limits, and revocation.
Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
Four-tier rate limiting on all endpoints: dashboard (60/min), write (20/min), public (30/min), export (5/min).
HMAC-SHA256 signed webhook payloads. Auto-disable after 10 consecutive failures.
Server-side validation on all API inputs. Parameterized database queries via Prisma ORM.
Full data portability via /api/gdpr/export. Download all organization data as JSON.
Complete data deletion via /api/gdpr/delete. Removes all DB records and S3 objects.
We collect only the data necessary for document generation. No tracking pixels or third-party analytics.
See our sub-processor list below for all third parties that process your data.
Audit engagement planned. All technical controls are in place.
Self-assessment questionnaire (CAIQ) in progress.
Data export, deletion, consent management, and DPA available on request.
California Consumer Privacy Act compliance via GDPR controls.
The following third-party services process data on behalf of OpenShut. Each is bound by a Data Processing Agreement (DPA).
| Service | Purpose | Location |
|---|---|---|
| Vercel | Application hosting and edge deployment | United States |
| Supabase | PostgreSQL database hosting | United States (AWS us-east-1) |
| AWS S3 | Document storage with AES-256 encryption | United States (us-east-1) |
| Clerk | Authentication and user management | United States |
| xAI (Grok) | AI-powered document generation | United States |
| AWS Textract | OCR processing for uploaded documents | United States (us-east-1) |
| Inngest | Background job processing | United States |
| Stripe | Payment processing | United States |
OpenShut offers a Data Processing Agreement (DPA) to all customers who require one for GDPR or other regulatory compliance. Contact legal@openshut.me to request a copy.
To report a security vulnerability or request security documentation, contact security@openshut.me.