Tenant, object & role scoping
Reads and writes are tenant-scoped and object-scoped, with object-level authorization tests. Roles gate what a user can even see — a reviewer literally cannot reach a finalize or admin-confirm action.
Lending files carry non-public personal information. Docutise is designed around that from the first line: local-first processing, no cloud path to leak to, and an audit trail behind every action.
There are no cloud model calls and no alternate cloud inference path. Analysis runs on your hardware — egress isn't disabled, it's absent by design.
GPU and model workers are intended to run without normal internet egress while a document is being processed.
Raw document content should not appear in application logs by default. Access logs carry metadata, not the document.
The security goal is practical and strict: prevent cross-tenant access, keep borrower content out of logs, avoid document egress, preserve an audit trail, and make every final decision explainable after the fact.
Reads and writes are tenant-scoped and object-scoped, with object-level authorization tests. Roles gate what a user can even see — a reviewer literally cannot reach a finalize or admin-confirm action.
OCR text, barcode values, finding-evidence text and export payloads are redacted by scope, with separate scopes for raw document and artifact bytes. Sensitive fields aren't handed out casually.
Document originals, page artifacts and export artifacts are reached through HMAC-signed links with expiry enforcement — and every resolution is audit-logged.
Final document acceptance, rejection, override and profile publishing require an admin — and each is recorded as an immutable, metadata-only audit event.
Raw downloads, page views, artifact downloads, signed-link resolutions and export reads are captured as metadata-only events — the record you need when someone asks "who saw this, and when?"
Request IDs propagate through X-Request-ID; API rate limits return 429 with Retry-After and X-RateLimit-* headers, with distributed enforcement for multi-process deployments.
Uploads are validated before they're stored — the first line against malformed, oversized or hostile files.
Local detector and semantic lanes are intentionally gated. Their evidence does not support a pass decision until the required local runtime, labeled fixtures, threshold certification, no-egress checks and evaluation gates are complete.
Conservative by default. Until those gates are met, the correct behavior is strict: findings stay visible, unresolved blockers prevent an automatic pass, and an admin makes the final call. Model and runtime records carry version, source, license metadata, checksum or digest, and evaluation status.
Talk to us about a local pilot and a security review with your team.