Security
Security practices for Documenso Cloud and self-hosted deployments, along with our vulnerability disclosure process.
Security Practices
Infrastructure Security
Documenso Cloud
The hosted cloud service uses the following security measures:
| Layer | Implementation |
|---|---|
| Hosting | Infrastructure hosted in EU data centers |
| Network | TLS 1.2+ for all connections |
| Database | Managed PostgreSQL with automated backups |
| Storage | Encrypted object storage for documents |
| Monitoring | 24/7 infrastructure monitoring and alerting |
| Updates | Regular security patches applied to all infrastructure |
Self-Hosted
Operators of self-hosted deployments are responsible for their own infrastructure security. See Self-Hosted Security Considerations below.
Data Encryption
Authentication Security
Supported Authentication Methods
| Method | Description |
|---|---|
| Email and password | Traditional authentication with hashed passwords |
| OAuth providers | Google and Microsoft authentication |
| Generic OIDC | Any OpenID Connect provider |
| Team SSO | SAML-based single sign-on for enterprise teams |
| Two-factor authentication | TOTP-based 2FA with recovery codes |
| Passkeys | WebAuthn-based passwordless authentication |
Password Requirements
- A minimum password length is enforced
- Passwords are hashed using bcrypt before storage
- Password reset tokens are time-limited and single-use
Session Security
- Sessions can be viewed and revoked from account settings
- Session tokens are rotated on authentication events
- Idle sessions expire after a configurable period
Vulnerability Disclosure
Documenso operates a responsible disclosure process for security vulnerabilities.
Do not publicly disclose vulnerabilities until they have been addressed. Public disclosure of unpatched vulnerabilities puts users at risk.
Security Updates
Notification
Security updates are announced through:
Update Policy
- Critical vulnerabilities are patched as quickly as possible
- Security patches are backported to supported versions when feasible
- Release notes include security-related changes
Staying Updated
For self-hosted deployments:
- Watch the GitHub repository for releases
- Subscribe to security advisories
- Apply updates promptly, especially security patches
See Upgrades for update procedures.
Self-Hosted Security Considerations
When self-hosting Documenso, you are responsible for the security of your deployment. The following recommendations apply:
See Environment Variables for security-related configuration options.
Self-hosted deployments have full control over security but also full responsibility. Consider your organisation's security requirements and compliance obligations when configuring your deployment.
Contact
For security-related inquiries:
- Security vulnerabilities: security@documenso.com
- General questions: support@documenso.com
- GitHub: github.com/documenso/documenso
Related
- Security Settings - Account security configuration
- Privacy Policy - Data handling practices
- GDPR - Data protection compliance
- Self-Hosting - Deploy on your own infrastructure
- Environment Variables - Configuration reference