Compliance
Last updated 7th June 2026
Two scopes, one rule
Documize compliance has two scopes, and almost every procurement question you might ask sits cleanly inside one of them.
- Your Documize instance — the software you install on your infrastructure. Documents, spaces, attachments, comments, user accounts. Documize Inc. never receives any of this data. You are the controller (and, where applicable, the processor); we are not in the data path.
- documize.com — the website you used to buy a license. Limited personal data: name, email, billing address, IP, the license record. Documize Inc. is the controller of this data, and we comply with the regulations that apply to it. See our Privacy Policy for the controller-side detail.
The rule is: any vendor question that names Your Data — "where do you store it?", "how do you encrypt it?", "who at your company can see it?" — has the same answer. We don't have it. We never had it. We will never have it. The certifications and controls you need apply to your environment.
How self-hosting changes the picture
Self-hosted software is a categorically different vendor relationship from SaaS. The regulatory consequences:
- We are not a data processor for Your Data. No DPA, no Article 28 obligations, no sub-processor list to maintain.
- We are not a Business Associate. No BAA, no §164.314 obligations.
- We are not in your cardholder-data environment. Card data does not flow to us.
- We hold no data-residency liability for Your Data. It stays where you put it.
- Government data requests against us cannot reach Your Data. We have nothing to produce.
- Our certifications are not load-bearing for your audit. Yours are.
GDPR / UK GDPR
For Your Data, Documize Inc. is not a processor. Article 28 obligations do not apply to us; no data-processing agreement is required for Your Data. Operational data stays in the jurisdiction you install in — transfer mechanisms (SCCs, UK IDTA, adequacy decisions) are not required because no transfer to Documize Inc. occurs. Subject-rights workflows (access, rectification, erasure, portability) execute inside your instance — you set the response timeline; we are not in the chain.
For documize.com account and billing PII, Documize Inc. is the controller. Lawful basis, retention, and data-subject rights are described in our Privacy Policy. A standard DPA is available on request for that limited PII.
HIPAA
Electronic protected health information (ePHI) entered into your Documize instance never reaches Documize Inc. We are not a Business Associate, and no Business Associate Agreement with Documize Inc. is required. Run Documize inside your existing HIPAA-compliant environment; the §164.308, §164.310, and §164.312 controls you have already implemented apply unchanged. Documize's space- and document-level permissions and audit logs support the access-control and audit-control requirements of §164.312(a) and (b).
PCI DSS
Documize deploys inside your network, including inside your cardholder-data environment if that is where the relevant content lives. No card data flows to Documize Inc. as part of operating your instance.
For license purchases on documize.com, payment card data is handled exclusively by Stripe (PCI DSS Level 1). We never see or store full card numbers.
SOC 2 / ISO 27001
The standard reason an enterprise SaaS vendor needs a SOC 2 Type II report or an ISO 27001 certificate is to assure the buyer that the vendor's hosting of buyer data meets a recognised control standard. That reason does not apply to Documize, because we do not host your data.
Your Documize instance runs inside the boundary your auditors already cover. The controls you have already designed, implemented, and tested for that boundary apply to Documize unchanged. Documize Inc. does not currently hold a SOC 2 Type II attestation or an ISO 27001 certificate; the architecture is the assurance.
DORA (EU financial)
The Digital Operational Resilience Act requires financial entities to demonstrate ICT control, including over critical third-party ICT providers. Because Documize Inc. is not in the operational data path, the third-party register obligation under Article 28 is dramatically reduced for Documize versus a SaaS equivalent. You retain end-to-end ICT control over the Documize instance. Source escrow and continuity arrangements are available on Enterprise plans, on request — and the open source Community edition is a continuity answer by construction.
FISMA, FedRAMP context, ITAR, defense, classified networks
Documize supports air-gapped operation. There is no phone-home; license validation works offline. The software runs in fully disconnected networks, on hardware you control, with no requirement for outbound internet access. Documize Inc. does not hold a FedRAMP authorisation; deployments inside accredited environments inherit the host environment's authorisation boundary.
CLOUD Act, Schrems II, Quebec Law 25
Documize Inc. is a Canadian corporation, outside US jurisdiction for CLOUD Act purposes. Even so, US-government compulsion against Documize Inc. for Your Data cannot succeed, because we never receive Your Data — there is nothing to compel us to produce. Transfer Impact Assessments (TIAs) for Your Data collapse to a single conclusion: no transfer to Documize Inc. occurs, and Documize Inc. is not a US-parented vendor.
For documize.com account and billing PII, Documize Inc. is a recipient and the standard TIA / disclosure analysis applies. That data is limited to name, email, billing address, IP, and license records.
Data residency laws
China PIPL, India DPDP, Saudi Arabia PDPL, UAE Federal DPL, Russia Federal Law 242-FZ, Brazil LGPD, and similar localisation regimes mandate that certain categories of data remain within national borders. Self-hosting Documize satisfies these by construction: whichever country, region, building, or rack you install in, that is where Your Data stays. Permanently. Documize Inc. does not need to be on an approved cross-border transfer list, because we are not a recipient.
NIST CSF, ISMS, sectoral frameworks
Self-hosting preserves your control mappings. Identify, Protect, Detect, Respond, and Recover all execute inside your environment. Documize provides the audit logs, granular permissions, and directory-service authentication for which several CSF subcategories require evidence; the rest is your own infrastructure.
What is still your responsibility
- Encryption-at-rest configuration on your database.
- Network exposure model (public, VPN-only, private network, fully air-gapped).
- Backups and disaster recovery for the database.
- User provisioning, LDAP / Active Directory / Keycloak / CAS configuration, role assignment, deprovisioning.
- Audit log retention and SIEM integration.
- Incident response runbook for the Documize instance.
- Data Protection Impact Assessment (DPIA) and Transfer Impact Assessment (TIA), where applicable.
What Documize provides to make your audit easier
- Authentication via LDAP, Active Directory, Keycloak, and CAS.
- Granular space- and document-level permissions across content and administrative functions.
- Activity streams and audit logs for sensitive operations.
- An open source Community edition — inspect the code your data runs on; vendor viability is answered by construction.
- Source escrow and continuity arrangements on Enterprise plans, on request.
- Vendor questionnaire response describing the architectural premise above — available for any procurement team.
documize.com website (the limited scope where we are a vendor)
The website itself runs on Cloudflare Workers with a managed PostgreSQL database. Stripe handles payment processing. The website holds only the personal information described in our Privacy Policy — never any of Your Data. Standard practices apply: TLS, a content security policy, automated dependency updates, routine review. A standard DPA is available for the limited PII we process here.
Procurement Q&A
Are you SOC 2 Type II certified? Not currently. Because Documize is self-hosted, the controls a SOC 2 report would attest to apply to your environment, not ours. We are happy to supply a vendor questionnaire response that explains this in the form your procurement team uses.
Are you GDPR-compliant? Documize Inc. is not a processor for Your Data, so the question is malformed for the software. For the limited PII we process for documize.com accounts and billing, we comply with GDPR as a controller — see our Privacy Policy.
Do we need a DPA with Documize? For Your Data, no — we are not a processor. For documize.com account and billing PII, our standard DPA is available on request.
Do we need a BAA with Documize? No. Documize Inc. does not receive ePHI and is not a Business Associate.
How do you respond to government data requests? For Your Data, we have nothing to produce in response to a subpoena, warrant, or national-security letter, because we never receive it. For documize.com account and billing PII, we follow a standard process: notify the customer where legally permitted, produce only the minimum legally required, and challenge overbroad requests.
Can we get an architecture diagram for our risk team? Yes. Email security@documize.com.
Can we get source escrow? Yes, on Enterprise plans, on request — and the Community edition source is already public.
Can we have a pen-test report on the software? We welcome customer-commissioned penetration tests against your own instance — please coordinate timing with us at security@documize.com.
Procurement and vendor questionnaire contact
For vendor security assessments, DPA requests, architecture diagrams, source escrow, and similar procurement matters: security@documize.com. We acknowledge within 2 business days.
A note on overclaim
The architectural premise on this page is durable, true, and easily verifiable. We have deliberately resisted listing certifications we do not hold, or claiming a posture against regulations that do not in fact apply to us in the way they apply to a SaaS vendor. If something on this page reads as overclaim — or if your procurement team needs clarification we have not anticipated — tell us at security@documize.com. We will fix the page.