1. Security approach

Doqubox is built for organizations that need a safer way to request, receive, and send client documents than ordinary email attachments. The service combines secure links, recipient verification, encryption, passkey-based account access, retention controls, and EU-oriented service providers.

This page describes the technical and organizational measures we use today. Doqubox is not currently presented as ISO 27001, SOC 2, NEN 7510, or NTA 7516 certified.

2. Architecture

• Document exchange happens through dedicated upload, download, and request pages instead of email attachments.
• Account users access Doqubox with passkeys, reducing password-related risk.
• External recipients can be verified with one-time codes before accessing sensitive flows.
• Temporary document exchange data is designed to expire, with default retention intended to limit unnecessary storage.

3. Encryption and access

Traffic to and from Doqubox is encrypted in transit. Stored files and service data are protected with encryption and access controls. In supported workflows, file content is client-side encrypted so Doqubox does not need ordinary server-side access to the readable document content.

Some data must still be processed by Doqubox to run the service, including account details, request metadata, recipient details, billing data, logs, and email or SMS delivery metadata.

4. Account security

• Passkeys are used for account authentication.
• Company access is scoped to approved users and administrators.
• Activity records help users understand whether files were uploaded, opened, downloaded, or removed.
• Custom domains and branded pages are available for business use cases where client trust matters.

5. Retention and minimization

Doqubox is designed to avoid keeping sensitive document exchange data longer than needed. Temporary messages and files are removed according to retention settings and expiry behavior, while billing, security, and statutory data may be retained for longer.

See the retention page for the current retention matrix.

6. Infrastructure and subprocessors

Doqubox aims to use EU-based infrastructure and subprocessors where practical. Hosting, object storage, and outbound SMTP currently use Hetzner in the EU. SMS verification and payments are handled by specialized providers.

See the subprocessors page for the current list.

7. Operational safeguards

• Access to production systems is limited to people with an operational need.
• Security-relevant events and operational logs support troubleshooting, abuse prevention, and incident response.
• Backups and recovery practices are used to support service continuity.
• Dependencies and infrastructure are reviewed as part of regular maintenance.

8. Important limitations

Client-side encryption is a strong privacy measure, but it also means Doqubox may not be able to inspect encrypted file content server-side for malware, indexing, previews, or content classification. Customers should keep suitable endpoint protection and internal review procedures in place.

Doqubox's security controls are designed to help customers meet GDPR requirements around security, data minimization, and retention for document exchange. Your organization stays in control of what it requests, who receives it, and how those documents fit your own customer processes.

9. Responsible disclosure

If you believe you have found a vulnerability in Doqubox, please report it to security@doqubox.com. We welcome good-faith reports that help protect customers and the people whose documents they handle.

Please include clear reproduction steps, the affected URL or feature, the potential impact, and screenshots or logs where safe to share. Avoid including personal data unless it is strictly necessary to demonstrate the issue.

• Do not destroy, modify, download, or disclose data that is not yours.
• Do not use social engineering, phishing, spam, denial-of-service testing, or physical attacks.
• Stop testing and report promptly if you encounter customer data or can access another account.
• Allow us reasonable time to investigate and resolve the issue before public disclosure.

We aim to acknowledge vulnerability reports within 3 business days. Doqubox does not currently operate a paid bug bounty program, but we appreciate responsible security research conducted within this policy.

10. Related resources

• Data Processing Addendum
• Privacy policy
• Subprocessors