How we protect your documents
What we do today, who validates it, and how to verify each claim independently.
EU-sovereign hosting
All SealDoc infrastructure runs in European Tier-3 datacenters with ISO 27001 certification at the datacenter level. SealDoc is not directly ISO 27001 certified yet; we surface the underlying datacenter certification rather than overstate our own status.
- ✓ Data never leaves the European Economic Area
- ✓ No US hyperscaler dependency — no CLOUD Act exposure
Data protection
Documents are encrypted in transit (TLS 1.3) and at rest (LUKS volumes + per-tenant blobs in MinIO). Sensitive platform settings use AES-256-GCM at the field level. Your data is never used for training, profiling, or sold.
- ✓ TLS 1.3 in transit; LUKS + AES-256-GCM at rest
- ✓ Per-tenant query filters enforced at the EF Core level
- ✓ Per-plan retention windows (7 days to custom Enterprise)
- ✓ GDPR Art. 17 erasure: delete request removes all blobs and DB rows within 30 days
PDF/A-3B conformance
Every document is validated against ISO 19005-3 by VeraPDF after conversion. The validation result (compliant / non-compliant / unknown) is recorded against your tenant and surfaced via the SLI API.
- ✓ Validated by VeraPDF (open-source, industry-standard)
- ✓ ISO 19005-3 conformance, profile-3B
- ✓ VeraPDF "unknown" verdicts page the on-call engineer when they exceed 1% within 1 hour
RFC 3161 trusted timestamps
Every Evidence Pack carries a cryptographically signed timestamp from a Time Stamping Authority. The certificate chain is verified end-to-end on every issuance; chain failures fail closed.
- ✓ Compliant with RFC 3161 (IETF Time-Stamp Protocol)
- ✓ Default: FreeTSA. Enterprise: configurable EU-qualified TSA
- ✓ Chain validated on every attach; mismatch blocks issuance
Authentication & authorization
User auth runs on Keycloak (self-hosted, in our EU stack). API auth uses 256-bit keys with SHA-256 fingerprinting. Admin policies are database-backed, never claim-only.
- ✓ Self-hosted Keycloak SSO; no third-party identity provider
- ✓ 256-bit keys, SHA-256 fingerprint stored, raw value shown once
- ✓ Zero-trust admin: every privileged action validates against the database
- ✓ Rate limits: 60/min per unauthenticated IP, 200/min per token, 30/5min on /api/admin/*
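One way to implement the "SHA-256 fingerprint stored, raw value shown once" pattern for API keys described above, as an added example that is not SealDoc's own code. The `ApiKeyStore` class, its method names, the hex key encoding and the tenant id are assumptions.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 32  # 256-bit key, the size stated on the page
HEX = set("0123456789abcdef")


class ApiKeyStore:
    """Hypothetical store (assumption): persists SHA-256 fingerprints only."""

    def __init__(self):
        self._rows = {}  # fingerprint hex -> tenant id; stands in for a DB table

    @staticmethod
    def fingerprint(raw_key: str) -> str:
        # Unsalted SHA-256 is adequate only because the input is 256 bits of
        # CSPRNG output; it would not be for human-chosen secrets.
        return hashlib.sha256(raw_key.encode("ascii")).hexdigest()

    def issue(self, tenant_id: str) -> str:
        raw_key = secrets.token_hex(KEY_BYTES)  # 64 hex chars (assumed encoding)
        self._rows[self.fingerprint(raw_key)] = tenant_id
        return raw_key  # returned once; the store keeps no copy

    def authenticate(self, presented: str):
        # Reject malformed input before hashing it.
        if len(presented) != 2 * KEY_BYTES or not set(presented) <= HEX:
            return None
        candidate = self.fingerprint(presented)
        for stored, tenant_id in self._rows.items():
            if hmac.compare_digest(stored, candidate):  # constant-time compare
                return tenant_id
        return None

    def revoke(self, fingerprint_hex: str) -> bool:
        # Operators can revoke by fingerprint without ever seeing the raw key.
        return self._rows.pop(fingerprint_hex, None) is not None

    def stored_values(self):
        return list(self._rows)  # what a database leak would expose


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue("tenant-a")  # constructed tenant id
    print("show once:", key)
    print("authenticated as:", store.authenticate(key))
    print("raw key in store:", key in store.stored_values())
```

Because only the fingerprint is persisted, a lost key cannot be recovered from the store; it has to be revoked and reissued.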
Operational transparency
We measure what we promise. Nine business SLIs run continuously over a 30-day window and are exposed to every tenant via the compliance API.
- ✓ Per-tenant SLI dashboard accessible via /api/compliance/sli
- ✓ Every state change written to a tamper-evident audit_entries table
- ✓ Compliance reports available as Factur-X-conformant PDF/A-3 (auditor-ready)
Vulnerability disclosure
Found a security issue? Email security@sealdoc.eu with reproduction steps. We acknowledge within 48 hours and aim to remediate critical issues within 14 days. Researchers acting in good faith will not be pursued legally.
Last updated: May 2026