Nobody should see your data. Not even us.
Safeguarding our customers’ data is the most important task for us. Whether it’s our software architecture, or encryption capabilities, or even our user interface – everything is designed with an emphasis on data privacy and data security.
Docyt is SOC2 Type II compliant.
From the moment you sign up, your data is protected with bank/military grade encryption. We encrypt data at rest, on the disk, between web browser or phone and our servers, between our servers and partner services, and all communication between our servers.
Docyt has default 2-factor authentication. Every time an important change is detected or a new device is used to login, we send a text message with an authorization code to your primary phone. Any unusual activity is also immediately reported on your verified email.
Facial Recognition or Fingerprint Sign-In
It is intentional that Docyt is not available on devices with poor or non-existent fingerprint or facial recognition sign-in. Fingerprint or facial recognition sign-in not only fastens the process, but also secures your PIN from prying eyes.
Data locked to
Your account and data are locked to your primary phone and any other authenticated devices you add. The data on the cloud can only be decrypted by your device. Combining your PIN, authenticated device, and fingerprint or facial recognition encryption keys, it is next to impossible to steal your data.
We use the highest protocols and frameworks for cloud services authentication. These standards offer higher levels of protection when your data is being transferred from one cloud service to another, such as from Docyt to QuickBooks Online. We actively check for updates to these protocols.
Docyt performs comprehensive tests spanning many aspects of how different systems interact. These tests are the gold standard of online information exchange security. These same rigorous standards are used by PayPal, Visa, and online banking services.
Every Docyt user gets a secure key (RSA-2048 bit private key) which is generated for you when your account is created. This secure key is encrypted further using a special type of key which is generated by combining:
- User’s PIN: This is known only to the user.
- A split knowledge, dual-control key: This is known to our servers and no one else. This special key is split into two components, each of which is stored in a different secured location and managed by a different Docyt employee. Anytime our servers restart, both parts of this key must be manually entered by both employees – much like a nuclear launch panel. These two components are securely combined in memory when Docyt servers start and are not saved to disk. If the server loses power, this key is wiped out from memory.
Having such a setup for saving secure keys ensures that not even Docyt employees can look into your private data. This is also why it is extremely important to protect your account PIN, and never share it with anyone.
User access is tightly controlled through roles and permissions in different modules of Docyt and activity in those modules is also logged.
When you sign-in to Docyt from your authenticated device, your PIN and the dual-control key is used by Docyt servers to decrypt and retrieve your unique secure key. We then use this secure key as a password for the AES-256 bit encryption that encrypts every document or data that you upload. Even the sensitive fields for documents (SSN, account numbers) are encrypted using the same mechanism as the document files. Hence all data that sits in our disks is encrypted and can only be decrypted by your device. In the extreme case of physical theft of our disks, all such encrypted data on them will be useless.
The RSA-2048 bit and AES-256 bit encryption algorithms are widely accepted as the highest level of encryption algorithms for bank and military grade security. Anytime your secure keys or PIN are in transit, between our servers or between your web browser or phone and our servers, the communication is encrypted using HTTPS+TLC.
No. Docyt does not see or store your login ID and password when retrieving data from financial institutions. Docyt works directly with banking technology partners like Plaid to connect with the bank and credit card institutions and in the process never sees the user’s credentials.
When you share a document with another Docyt user, Docyt gives this other user’s secure key access to this document. When you revoke their access, we revoke their secure key’s access to your document.
It is important to note that these protections do not extend if you email a document or export the document out of Docyt to other applications.
We save your secure key in your iPhone’s iCloud Keychain. This is a rock solid secure framework built by Apple to secure your passwords and other sensitive information. When you provide your PIN to sign-in to Docyt, you are essentially opening the lock on iCloud Keychain. If you forget your account PIN, and click on the “Forget PIN” link, we ask for your phone number and send a secret code via text message to the primary phone number connected with your account. Upon providing this secret code, we let you set your new PIN, which unlocks iCloud Keychain and retrieves your secure key. We then encrypt this secure key with your new PIN.
Read about how Apple iCloud Keychain works.
If your phone is stolen, to access your data someone needs to first be able to get past your iPhone PIN as well as your Docyt PIN. We recommend enabling and setting up your fingerprint or facial recognition on your phone for an extra level of security. With fingerprint or facial recognition enabled, Docyt will ask for your fingerprint or facial recognition before displaying any information about your extra sensitive documents (SSN, account numbers, tax documents, etc.).
We highly recommend that all Docyt users keep their phones locked with a strong PIN and enable the manufacturer-provided fingerprint or facial recognition authentication.
Your Docyt account is strongly tied to your primary phone number, which you used to create your account. We use your primary phone number to send a secret 2-factor authentication code by text message anytime we detect a major change in your account or if you are requesting a reset of your Docyt PIN. If you lose access to this primary phone, the only way to continue with Docyt will be to talk to your telecom service provider and regain control of your primary phone number. After you regain control of your phone number, you can use a new phone device, install Docyt on it, and provide your Docyt PIN during sign-in. At this point, if you have forgotten your PIN, your data cannot be loaded on your new phone and is lost forever. If you correctly provide your PIN, and enter the secret code sent on your primary phone number, Docyt app will re-download all your data back.
We do allow you to add your account on multiple devices, but the primary phone number is where we always send the 2-factor authentication code. We highly recommend not to use Docyt with phone numbers you may lose access to.
You should always enable Touch ID and Face ID on your iPhone for additional security.
You are still protected with Docyt, as long as your PIN is not compromised. In order for someone to access your account data using the hacked phone number, they still need a phone device containing a copy of your secure key. This secure key is downloaded from our servers to a new phone device only when a correct PIN decrypts the encryption on our server. Without the PIN, the hacker can’t see your data.
If you lose access to your phone number, we recommend that you try to recover it by working with your cell phone carrier. Once recovered, update your PIN immediately.
If you cannot regain access to your original phone number, you need to login to a device that is authorized with Docyt and update it with your new phone number.