// Trust & Security Report
Docalysis
AI-powered document chat platform for PDFs, CSVs, and text files. Products: Chat (interactive Q&A), Batch (bulk processing), Embed (integrable chatbot), API (developer access).
Certifications held
0
Maturity
Startup
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 6 unconfirmed / not-held certifications
source: docalysis.com"Currently engaged in attaining SOC 2 compliance" and can furnish engagement letters from compliance provider.
source: docalysis.comNo public evidence of ISO 27001 certification on vendor domain.
source: docalysis.comPrivacy policy mentions third-party vendors (Google, Facebook, Amazon, Mixpanel) but does not explicitly address GDPR compliance or DPA availability.
source: docalysis.comPayment processing handled by Stripe (certified PCI Level 1), not by Docalysis directly. Docalysis does not store credit card data.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
US (AWS S3 default regions unstated)
Docalysis uses OpenAI's ChatGPT API. OpenAI's API does not train on inputs/outputs by default after 30 days per OpenAI's enterprise privacy policy. However, Docalysis' own privacy policy does not explicitly confirm this practice or address whether documents are retained, processed, or used beyond API calls.
// Security controls
Storage Encryption
Amazon S3 with encryption (specific method not detailed in public docs)
docalysis.comPayment Processing
Stripe (PCI DSS Level 1 certified); credit card data not stored by Docalysis
docalysis.comData Retention
Documents persist indefinitely by default; users can delete anytime; custom retention policies available upon request
docalysis.comVulnerability Disclosure
No security.txt or bug bounty program found on vendor domain
// Products & data scope
data: Uploaded PDFs, CSVs, TXT files; processed via OpenAI API
Interactive questions and answers on documents; data retained indefinitely unless user deletes
data: Multiple files for bulk queries
Batch query processing of documents
data: Embedded chatbot for websites
Chatbot widget for embedding in external sites
data: Programmatic access to document upload, chat, and batch features
RESTful API for integration into custom applications
// What to watch
- SOC 2 certification in progress—not yet completed. Vendor states they can provide engagement letters but has no issued certificate.
- No GDPR-specific compliance statement on privacy policy; third-party vendor disclosures (Google, Facebook, Mixpanel) but no Data Processing Agreement (DPA) mentioned.
- AI training policy ambiguous: relies on OpenAI API's default 30-day data retention, but Docalysis does not explicitly confirm this in their own privacy policy.
- Payment processor (Stripe) is PCI Level 1, but this is not the same as Docalysis holding the certification.
- No security.txt file or vulnerability disclosure program found.
- No bug bounty program identified.
- Founder background (ex-Palo Alto Networks, ex-Google) is a strong positive signal, but company is only 3 years old (founded 2023).
// At a glance
Pricing model
Freemium (free tier + paid plans); specific pricing not detailed in security review
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Docalysis's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
docalysis.com