// Trust & Security Report

    Docalysis logo

    Docalysis

    AI-powered document chat platform for PDFs, CSVs, and text files. Products: Chat (interactive Q&A), Batch (bulk processing), Embed (integrable chatbot), API (developer access).

    Certifications held

    0

    Maturity

    Startup

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 6 unconfirmed / not-held certifications
    SOC 2 Type 1
    NOT CONFIRMED

    "Currently engaged in attaining SOC 2 compliance" and can furnish engagement letters from compliance provider.

    source: docalysis.com
    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence of completed Type 2 audit.

    source: docalysis.com
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification on vendor domain.

    source: docalysis.com
    GDPR
    NOT CONFIRMED

    Privacy policy mentions third-party vendors (Google, Facebook, Amazon, Mixpanel) but does not explicitly address GDPR compliance or DPA availability.

    source: docalysis.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance on vendor domain.

    source: docalysis.com
    PCI DSS
    NOT CONFIRMED

    Payment processing handled by Stripe (certified PCI Level 1), not by Docalysis directly. Docalysis does not store credit card data.

    source: docalysis.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    US (AWS S3 default regions unstated)

    Docalysis uses OpenAI's ChatGPT API. OpenAI's API does not train on inputs/outputs by default after 30 days per OpenAI's enterprise privacy policy. However, Docalysis' own privacy policy does not explicitly confirm this practice or address whether documents are retained, processed, or used beyond API calls.

    // Security controls

    Storage Encryption

    Amazon S3 with encryption (specific method not detailed in public docs)

    docalysis.com

    Payment Processing

    Stripe (PCI DSS Level 1 certified); credit card data not stored by Docalysis

    docalysis.com

    Data Retention

    Documents persist indefinitely by default; users can delete anytime; custom retention policies available upon request

    docalysis.com

    Data Access

    Documents private by default; users can choose to make them public

    docalysis.com

    Vulnerability Disclosure

    No security.txt or bug bounty program found on vendor domain

    // Products & data scope

    ChatInteractive document Q&A

    data: Uploaded PDFs, CSVs, TXT files; processed via OpenAI API

    Interactive questions and answers on documents; data retained indefinitely unless user deletes

    BatchBulk document processing

    data: Multiple files for bulk queries

    Batch query processing of documents

    EmbedIntegrable chatbot

    data: Embedded chatbot for websites

    Chatbot widget for embedding in external sites

    APIDeveloper API

    data: Programmatic access to document upload, chat, and batch features

    RESTful API for integration into custom applications

    // What to watch

    • SOC 2 certification in progress—not yet completed. Vendor states they can provide engagement letters but has no issued certificate.
    • No GDPR-specific compliance statement on privacy policy; third-party vendor disclosures (Google, Facebook, Mixpanel) but no Data Processing Agreement (DPA) mentioned.
    • AI training policy ambiguous: relies on OpenAI API's default 30-day data retention, but Docalysis does not explicitly confirm this in their own privacy policy.
    • Payment processor (Stripe) is PCI Level 1, but this is not the same as Docalysis holding the certification.
    • No security.txt file or vulnerability disclosure program found.
    • No bug bounty program identified.
    • Founder background (ex-Palo Alto Networks, ex-Google) is a strong positive signal, but company is only 3 years old (founded 2023).

    // At a glance

    Pricing model

    Freemium (free tier + paid plans); specific pricing not detailed in security review

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Docalysis's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    docalysis.com

    > Browse all vendor trust reports