Sharkforce Inc. takes the security of Docshark seriously. This page summarizes the protections we have in place and explains how to report a security issue. We welcome reports from the security community and want researchers to be able to work with us in good faith.
1. Security overview
We protect data in transit with TLS/HTTPS. We apply access controls based on least privilege for production systems, so access to data is limited to what is needed. Docshark maintains a tamper-evident, hash-chained audit log together with SHA-256 document-integrity hashing, and supports optional PAdES sealing of completed PDFs with RFC 3161 trusted timestamps. The service is hosted on Google Cloud. For the providers that process data on our behalf and our processor commitments, see our Subprocessors list (/legal/subprocessors) and our Data Processing Addendum (/legal/dpa).
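To make "tamper-evident, hash-chained audit log" concrete, here is an added illustration in Python. It is not Docshark's own code (the service's implementation is not published on this page); the entry fields, the actor names and the sample document bytes are all constructed for the example. Each log entry stores the SHA-256 of the document it concerns plus the hash of the previous entry, so editing any historical record invalidates every entry after it.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEntry:
    """One append-only log record. prev_hash links it to the entry before it."""
    seq: int
    actor: str
    action: str
    document_sha256: str  # SHA-256 of the document the action concerned
    prev_hash: str        # entry_hash of the previous record (GENESIS_HASH for the first)
    entry_hash: str       # SHA-256 over all the fields above


GENESIS_HASH = "0" * 64  # constructed sentinel for the first entry's prev_hash


def _entry_digest(seq, actor, action, document_sha256, prev_hash):
    # Canonical JSON (sorted keys, no whitespace) so identical fields always hash identically.
    payload = json.dumps(
        {"seq": seq, "actor": actor, "action": action,
         "document_sha256": document_sha256, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_entry(log, actor, action, document_bytes):
    """Append a record whose hash commits to the document and to the chain head."""
    prev = log[-1].entry_hash if log else GENESIS_HASH
    doc_hash = hashlib.sha256(document_bytes).hexdigest()
    seq = len(log)
    entry = AuditEntry(seq, actor, action, doc_hash, prev,
                       _entry_digest(seq, actor, action, doc_hash, prev))
    log.append(entry)
    return entry


def verify_chain(log):
    """Return (ok, first_bad_seq). Recomputes every hash and checks each prev_hash link."""
    expected_prev = GENESIS_HASH
    for i, e in enumerate(log):
        if e.seq != i or e.prev_hash != expected_prev:
            return False, i
        if _entry_digest(e.seq, e.actor, e.action, e.document_sha256, e.prev_hash) != e.entry_hash:
            return False, i
        expected_prev = e.entry_hash
    return True, None


def demo_tamper_detection():
    """Build a small log, then alter history two ways and show where verification fails."""
    log = []
    doc = b"constructed sample contract v1"  # constructed document content
    append_entry(log, "alice@example.com", "upload", doc)
    append_entry(log, "bob@example.com", "sign", doc)
    append_entry(log, "alice@example.com", "seal", doc)
    ok_before, _ = verify_chain(log)

    # Case 1: change who signed but leave the stored hash alone -> entry 1's hash no longer matches.
    e = log[1]
    naive = list(log)
    naive[1] = AuditEntry(e.seq, "mallory@example.com", e.action,
                          e.document_sha256, e.prev_hash, e.entry_hash)
    ok_naive, bad_naive = verify_chain(naive)

    # Case 2: change the actor AND recompute entry 1's hash -> entry 2's prev_hash link breaks.
    new_hash = _entry_digest(e.seq, "mallory@example.com", e.action, e.document_sha256, e.prev_hash)
    rehashed = list(log)
    rehashed[1] = AuditEntry(e.seq, "mallory@example.com", e.action,
                             e.document_sha256, e.prev_hash, new_hash)
    ok_rehashed, bad_rehashed = verify_chain(rehashed)

    return ok_before, ok_naive, bad_naive, ok_rehashed, bad_rehashed


if __name__ == "__main__":
    print(demo_tamper_detection())  # (True, False, 1, False, 2)
```

The chain only catches edits by someone who cannot rewrite every later hash as well. That residual gap is why practitioners anchor the current head hash somewhere outside the log, for example in a trusted timestamp of the kind RFC 3161 provides, so that a wholesale rewrite would also have to forge the external anchor.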
2. Data protection
How we collect, use, retain, and protect personal information is described in the Docshark Privacy Notice (/legal/privacy). Our obligations when we process personal data on behalf of customers - including security measures, subprocessors, and international transfers - are set out in our Data Processing Addendum (/legal/dpa). Please review those documents for the detail behind the controls summarized here.
3. Reporting a vulnerability
If you believe you have found a security vulnerability, email us at security@doc-shark.com. Please include enough detail for us to reproduce and assess the issue: the steps to reproduce, the potential impact, and any proof-of-concept. To keep everyone safe while you research, please do not access, modify, or delete other people's data, do not run destructive or disruptive tests, and give us a reasonable amount of time to investigate and remediate before disclosing the issue publicly.
4. Safe harbor
If you make a good-faith effort to comply with this policy during your research, we will consider your activity authorized, we will work with you to understand and resolve the issue quickly, and we will not pursue or support legal action against you for that research. If legal action is brought against you by a third party for activity that complied with this policy, we will make it known that your actions were conducted in compliance with it. This safe harbor does not apply to activity that violates the law or that intentionally harms users or data.
5. Our response
We acknowledge reports we receive and work to validate and remediate confirmed issues on a timeline that reflects their severity. We may follow up for additional detail, and we appreciate coordinated disclosure while a fix is in progress. We do not operate a paid bug-bounty program at this time, so we are not able to offer monetary rewards, but we are grateful for responsible reports and will credit researchers on request where appropriate.
6. Scope
In scope: the doc-shark.com website and the Docshark application. Out of scope: third-party services and infrastructure we do not operate (including our subprocessors' own systems), social engineering of our staff, customers, or vendors, and volumetric or denial-of-service (DoS/DDoS) testing. Findings that require physical access, a rooted or compromised device, or already-privileged access are generally out of scope. If you are unsure whether something is in scope, contact us before testing.
7. Machine-readable policy
A machine-readable version of this policy, following RFC 9116, is published at /.well-known/security.txt.
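For readers unfamiliar with the format, the fragment below is an illustrative RFC 9116 security.txt added to this page; it is not a copy of the file actually served at /.well-known/security.txt. The Contact address is the one given above; the Policy URL and the Expires date are placeholders. RFC 9116 makes Contact and Expires mandatory, recommends an Expires date no more than a year out, and treats lines beginning with # as comments.

```text
# Illustrative security.txt (RFC 9116). Not the file served by doc-shark.com.
Contact: mailto:security@doc-shark.com
Expires: 2026-12-31T23:59:59.000Z
Policy: https://doc-shark.com/legal/security
Preferred-Languages: en
```

Two points a maintainer should check: the Expires line must be refreshed before it lapses, because a stale file signals to tooling that the contact details may no longer be valid, and the file must be served over HTTPS at the /.well-known/security.txt path for compliant clients to locate it.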