Security
You are trusting us with sensitive business documents — proposals, contracts, financial models, and confidential deal materials. This page explains exactly how we protect them.
All data transmitted between your browser and our servers is encrypted using TLS — the same standard used by banks and financial institutions. This ensures your documents and analytics data cannot be intercepted during transmission.
All documents and user data stored on our servers are encrypted at rest using AES-256 encryption. Your files are encrypted before being written to storage and remain encrypted until retrieved for authorised access.
Document metadata and analytics data are encrypted throughout their entire lifecycle — from upload to storage to retrieval.
Your documents are private. We do not read them.
DocMetrics does not access, read, or use the content of your documents for any purpose other than providing the Service. Your documents are processed automatically to generate page counts, thumbnails, and PDF rendering — this is technical processing only. No human on our team reads your documents.
The only exceptions are when you explicitly grant us access for support purposes, or when we are legally required to produce information by a valid court order or law enforcement request. In the latter case we will notify you before complying unless legally prohibited from doing so.
All internal access to user data is logged with the reason for access and the identity of the person who accessed it. This log is auditable.
DocMetrics is built on the principle that access to sensitive documents should always be the minimum necessary and always revocable. Every sharing feature in the product reflects this.
Password Protection
Require recipients to enter a password before they can view any document or Space.
Email Verification
Require recipients to verify their email address before accessing a shared link so you always know who is viewing.
Domain Restriction
Restrict access to specific email addresses or company domains so only the right people can open your documents.
Link Expiry
Set an expiry date on any share link so access is automatically revoked after a specified period.
Download Blocking
Prevent recipients from downloading documents while still allowing full viewing access.
Dynamic Watermarking
Embed the viewer's email address visibly on every page to deter unauthorised sharing and provide traceability.
NDA Gating
Require recipients to sign a confidentiality agreement before they can access any documents inside a Space.
Instant Revocation
Revoke access to any document or share link instantly from your dashboard at any time.
User passwords are hashed using industry-standard algorithms with per-user salts. We never store passwords in plain text. Our authentication system is protected against brute-force attacks with rate limiting and account lockout mechanisms.
We support two-factor authentication using time-based one-time passwords. We strongly recommend enabling 2FA on your account. Sessions are managed with cryptographically secure tokens and expire automatically after periods of inactivity. You can revoke active sessions at any time from your account settings.
Our application is designed and regularly reviewed to protect against common security vulnerabilities including SQL injection, cross-site scripting, and cross-site request forgery.
Every Space in DocMetrics has its own security layer independent of the documents inside it. You control who enters, what they see, and what they can do once inside.
DocMetrics does not store credit card numbers, CVV codes, or any sensitive payment information on our servers. All payment processing is handled by our payment processor which is PCI DSS compliant. We receive only a tokenised reference to your payment method — never the raw card details.
DocMetrics is designed with GDPR compliance as a core requirement rather than an afterthought. We collect the minimum data necessary to provide the Service, retain it only as long as needed, and support data subject rights including access, deletion, and portability.
For international data transfers we implement appropriate safeguards including Standard Contractual Clauses approved by the European Commission where required. All third-party processors who handle user data on our behalf are required to sign data processing agreements.
In the event of a data breach that affects your personal information, we will notify you within 72 hours as required by GDPR and provide details about what happened, what data was affected, and the steps we are taking to address it.
Your documents and analytics data are retained for as long as your account is active. You can delete individual documents and their associated analytics from your dashboard at any time. Deletion is permanent and cannot be undone.
If you close your account, we will delete your documents and personal data within 90 days unless we are required to retain information for legal or compliance purposes. You can export your documents and analytics data at any time before closing your account.
When data is deleted it is permanently removed from our production systems using secure deletion methods that prevent recovery.
DocMetrics uses trusted third-party service providers to operate parts of the Service including cloud storage, payment processing, and email delivery. All providers are carefully vetted and are required to sign data processing agreements committing them to appropriate security standards.
We maintain a list of our active subprocessors and notify customers of any material changes. You can request the current subprocessor list by contacting us at support@docmetrics.io.
Security is a shared responsibility. While DocMetrics implements robust protection at the platform level, these practices on your end significantly reduce risk.
We welcome reports of potential security vulnerabilities from the security research community. If you believe you have discovered a security issue in DocMetrics, please report it responsibly by emailing support@docmetrics.io with a detailed description of the vulnerability and steps to reproduce it.
Please do not publicly disclose the vulnerability until we have had an opportunity to investigate and address it. We will acknowledge your report within 48 hours and provide an initial assessment within 5 business days.
We recognise security researchers who report valid vulnerabilities and will acknowledge your contribution on our security page with your permission.
For security-related enquiries, vulnerability reports, or questions about how we protect your data, contact us at support@docmetrics.io. We aim to respond to all security enquiries within 3 business days.
For general privacy questions or data requests please see our Privacy Policy. For general support please visit our contact page.
We are transparent about how we protect your data and happy to answer any questions before you sign up.
No credit card required
Last updated: March 21, 2026