Security

Summary

Doksi employs defense-in-depth security across our entire infrastructure. We operate within Amazon Web Services (AWS) using VPC isolation, end-to-end encryption, and comprehensive access controls. Every test runs in a secure, ephemeral environment that's destroyed after completion.

What We Collect

Data Type | How It's Stored | Retention | Usage
APK / App files | Encrypted in S3 (AES-256) | Until you delete it | Asynchronous and synchronous test runs
Test credentials | Encrypted in MongoDB Atlas | Never stored in plaintext | Asynchronous test runs
Screenshots & video | Encrypted in S3 with customer-scoped prefixes | Until you delete the test run | Displaying insights and issues to you
Network logs | Encrypted, isolated per session | Until you delete the test run | Displaying insights and issues to you
Session data | Ephemeral compute instances | Destroyed immediately after test | None

What We Don't Do

  • We don't access your production systems — We only interact with what you provide (test accounts, staging environments)
  • We don't train AI on your data — Your app data is never used for model training
  • We don't share data with third parties — Your data stays in your account
  • We don't store credentials in plaintext — All credentials encrypted at rest
  • We don't transfer data internationally — All data stays in AWS US-East-2 (Ohio)

Infrastructure Security

Cloud Infrastructure

  • AWS US-East-2 (Ohio) — All operations in SOC 2 Type II certified data centers
  • Virtual Private Cloud (VPC) — Complete network isolation with private subnets
  • Internal traffic routing — All Doksi components communicate via private network, never traversing public internet
  • Zone colocation — AI models and processing in same availability zone for security and performance

Compute Security

  • Ephemeral sessions — Each test uses isolated, stateless instances
  • Session isolation — Complete separation between customer sessions with automatic cleanup
  • Infrastructure as Code — Immutable deployments using AWS best practices

Data Protection

Encryption

  • At rest: AES-256 encryption using Doksi-managed keys
  • In transit: TLS 1.3 for all external communications
  • Key management: Secure rotation and management protocols

Storage

  • Primary data: MongoDB Atlas in AWS US-East-2 with AES-256 encryption
  • Assets: Amazon S3 with server-side encryption (SSE-S3)
  • Geographic residency: All data remains in US-East-2. No cross-region replication.

Data Lifecycle

  • Active content: Retained until you delete it or close your account
  • Session data: Destroyed immediately after test completion
  • Deleted content: Soft-deleted for 30 days (recoverable), then permanently purged
  • Account termination: All data permanently deleted within 30 days

Access Controls

Database Security

  • Access Control Lists (ACLs) — Granular permissions at database level
  • Principle of least privilege — Role-based access with minimal required permissions
  • Query auditing — Comprehensive logging of all database interactions
  • Customer data isolation — Logical separation via customer-scoped prefixes

Monitoring & Logging

  • Comprehensive access logs — All infrastructure interactions logged
  • Real-time alerting — Automated detection of anomalous access patterns
  • Audit trail — Complete trail for compliance and security investigations
  • Log encryption — All logs encrypted in tamper-evident storage
  • 90-day retention — Audit logs retained for compliance

Application Security

  • Private APIs — Internal APIs not exposed to public internet
  • Backend for Frontend (BFF) — Secure abstraction layer
  • No exposed keys — No API endpoints or auth keys in frontend
  • Token-based auth — Secure token management with automatic expiration
  • Input validation — Comprehensive sanitization of all inputs
  • CORS policies — Strict Cross-Origin Resource Sharing controls

Compliance & Standards

  • AWS Well-Architected Framework — Infrastructure follows AWS security pillars
  • OWASP Guidelines — Application security aligned with OWASP best practices
  • SOC 2 Type II hosting — Infrastructure in certified facilities

Security Governance

  • Regular security reviews — Periodic infrastructure and application assessments
  • Vulnerability management — Automated scanning and patching
  • Incident response — Documented procedures for security incidents
  • Continuous improvement — Regular updates based on emerging threats

Your Controls

You can:

  • Delete any test run — Screenshots, video, logs removed immediately
  • Delete your APK — Removed from storage on request
  • Export your data — Available on request
  • Close your account — All data permanently deleted within 30 days

Questions?

For security inquiries or to request our full Security Overview document, contact us at security@doksi.ai

Last updated: December 2025
