Security
Built for evidence.
RightsDocket's security posture is designed around one question: if a claim is disputed five years from now, will the evidence stand? The practices below exist to answer yes.
Freshness Check
Last reviewed against:
- SOC 2 Type II controls framework (AICPA Trust Services Criteria)
- NIST SP 800-63B Digital Identity Guidelines
- RFC 3161 Time-Stamp Protocol
- C2PA Content Credentials 2.3
Reviewed: Apr 10, 2026 · Next review: Jul 10, 2026
Cryptographic guarantees
These three primitives — a content hash, a trusted timestamp, and a tamper-evident signature — are the spine of every RightsDocket record. They are standards-based and independently verifiable without RightsDocket's cooperation.
Content integrity
Every uploaded file and locked content block is hashed. Any change to a byte alters the hash — you can prove the evidence is the same bits that were originally locked.
Trusted timestamps
Content locks are countersigned by FreeTSA under RFC 3161 — a non-repudiable third-party timestamp. This proves when the evidence existed, not just that you claim it did.
Tamper-evident exports
Every provenance pack is signed with RightsDocket's Ed25519 private key. Anyone with the public key can independently verify a pack was not modified after export.
See the verify tool for a working demonstration against a real signed pack.
Data storage & encryption
In transit. All traffic is served over HTTPS with TLS 1.2 or higher. HSTS is enabled with a two-year max-age and subdomain inclusion, so compliant browsers refuse to connect over plaintext.
At rest. The application database and object storage are encrypted at rest by the underlying infrastructure providers (see Sub-processors). User files are stored either in Vercel Blob or Cloudflare R2, both of which encrypt stored objects with provider-managed keys.
Uploaded audio & documents. Files are hashed on ingest. The hash — not the file — is what backs the claim. Files remain accessible to the uploading account only; they are never used to train models.
Retention. Account, project, export, billing, and audit records are retained for as long as the account is active and as required for legal, financial, or fraud-prevention reasons. Account deletion requests are honored per the Privacy Policy.
Authentication & access
User-scoped ownership. Every project record is tied to the authenticated user that created it. Server-side authorization checks run on every API request — a user cannot read or modify another user's projects, files, or claims.
Sign-in. Authentication runs through NextAuth with Google OAuth, GitHub OAuth, or email magic-link. Session tokens are HTTP-only and secure; CSRF protection is enforced on all state-changing API requests.
Share links. Public share tokens expose only the specific materials the user includes in the shared view. Tokens can be revoked at any time.
API keys. Claim API clients authenticate with scoped API keys tied to a single account. Keys are hashed at rest; only the prefix is displayed in the dashboard.
Infrastructure
Application. Hosted on Vercel's serverless edge network with HTTPS-only origins and automatic TLS certificate rotation.
Database. PostgreSQL with network isolation, encrypted backups, and point-in-time recovery.
Security headers. A strict Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy are applied to every response. Script sources, style sources, connection targets, and embed contexts are all whitelisted.
Dependencies. Package updates are automated with lockfile pinning and supply-chain overrides. All production builds run through the same typechecked, tested pipeline.
Sub-processors
RightsDocket uses the following providers to deliver the service. Each receives only the data necessary for its function.
| Provider | Purpose | Data |
|---|---|---|
| Vercel | Application hosting & edge network; blob storage | Application traffic, uploaded files (when Blob is selected) |
| Cloudflare R2 | Object storage (alternate backend) | Uploaded files (when R2 is selected) |
| Google | OAuth sign-in; Gemini API for ASLE audio analysis | OAuth profile; audio file submitted to ASLE (user-initiated) |
| GitHub | OAuth sign-in | OAuth profile |
| Stripe | Payments & subscription billing | Billing identifiers, payment metadata |
| Resend | Transactional email (magic-link sign-in, notifications) | Email address, email content |
| PostHog | Product analytics | Anonymized usage events, page paths |
| FreeTSA | RFC 3161 trusted timestamping | Hash of locked content (no original content transmitted) |
Responsible disclosure
If you believe you have found a security vulnerability, please report it to security@rightsdocket.com with a description of the issue and steps to reproduce. We ask that you give us a reasonable window to investigate and remediate before publicly disclosing.
We do not currently run a paid bug bounty, but we acknowledge reporters in release notes when invited.
Compliance posture
RightsDocket follows industry-standard security practices but is not currently SOC 2 or ISO 27001 certified. Formal certification is on our roadmap. If your procurement process requires specific attestations, please contact us and we will work through the relevant questionnaires and controls.
GDPR and CCPA requests are fulfilled per the Privacy Policy. Data-processing agreements are available on request for paid accounts.
Security questions or procurement review?
Email security@rightsdocket.com. For general support, use support@rightsdocket.com.
Last updated: April 19, 2026