Security & Trust

Designed to survive security review.

PolDex handles insurance documents. Precision and safety are not optional.

Trust Principles

Eight explicit commitments.

01. No customer dashboard

PolDex provides no customer workspace or account portal. The API key controls API, processor, intake, and credit access; the Processor is a narrow review cockpit, not a workflow system.

02. No training use by default

Customer content is not used to train or fine-tune any model. Inference provider usage is governed by their data handling terms.

03. No raw content in standard logs

Extracted document content does not appear in application logs. Only job metadata, status transitions, and delivery events are logged.

04. Evidence-backed output

Extracted facts carry evidence pointers when evidence exists. Unknown and unsupported facts do not inherit copied citations.

05. Automatic retention controls

Raw document content is treated as temporary processing material, processor source text is cleared after successful extraction, and explicit deletion is also available.

06. API-first control surface

Key rotation, credit visibility, and job status are self-serve; dead-letter queue (DLQ) operations run through the internal admin control plane.

07. Signed webhook delivery

All webhook payloads are signed with HMAC-SHA256. You can verify delivery authenticity without trusting transport alone.

08. Tenant isolation

Jobs, keys, and credit ledgers are scoped to the issuing API key. Cross-tenant data access is not possible by design.

Data Handling

What happens to your documents.

01. Submission

Documents are submitted through the production API as an HTTPS document URL, a direct upload, pasted text, or processor batch input. PolDex does not require a customer account dashboard.

02. Retrieval

Workers stream the document from the provided source. Content is written to temporary worker disk only. Network access uses TLS.

03. Extraction

Segmented content is passed to the extraction layer. Content is not logged. The customer-facing result is scoped to the requested schema before it is packaged for JSON, CSV, XLSX, webhook delivery, and processor review.

04. Retention

Job metadata and structured output are retained for 90 days by default. Raw document content, worker disk, and processor temporary source_text are cleared after successful extraction.

05. Deletion

Deletion requests via POST /v1/jobs/{id}/delete initiate removal of structured output from the PolDex datastore. Metadata may persist for audit purposes.

Access Model

API keys, not accounts.

API key authentication.

PolDex uses API keys as the authentication primitive. There is no account portal, no username/password combination, and no OAuth flow.

Shown once, stored hashed.

Keys are shown exactly once at issuance. PolDex stores only a hashed version. Recovery is not possible - rotation creates a new key.

Self-serve rotation.

Key rotation is self-serve via POST /v1/keys/rotate. Compromised keys should be rotated immediately without contacting support.

Webhook Trust

Verify every delivery.

Every webhook delivery includes an X-PolDex-Signature header in the format t=<timestamp>,v1=<hex>. Verify by recomputing HMAC-SHA256 over <timestamp>.<raw body> with your webhook secret and comparing the result to v1 in constant time.

import crypto from 'crypto'

// Header format: t=<timestamp>,v1=<hex>
const sig = req.headers['x-poldex-signature'] || ''
// The signature covers the unparsed request body: verify against the raw
// bytes, never against a re-serialised JSON object.
const body = req.rawBody

const parts = Object.fromEntries(sig.split(',').map(p => p.split('=')))
const timestamp = parts['t']
const v1 = parts['v1']

if (typeof timestamp !== 'string' || typeof v1 !== 'string') {
  return res.status(401).end() // missing or malformed header
}

const expected = crypto
  .createHmac('sha256', process.env.WEBHOOK_SECRET)
  .update(timestamp + '.')
  .update(body)
  .digest('hex')

// timingSafeEqual throws on a length mismatch, so check the length first;
// the comparison itself stays constant-time.
if (
  v1.length !== expected.length ||
  !crypto.timingSafeEqual(Buffer.from(v1), Buffer.from(expected))
) {
  return res.status(401).end()
}

Infrastructure Governance

Single-cloud. Single security model.

Single production runtime

Production processing, storage, queueing, and Pages hosting run on Cloudflare. Legacy AWS/FastAPI artifacts are non-production.

Encryption everywhere

Data encrypted in transit (TLS 1.2+) and at rest (AES-256). Encryption key management follows least-privilege access principles.

Storage isolation

Production state lives in managed Cloudflare storage with platform encryption and no public database access. Future AWS/S3 adapters stay inactive until configured and reviewed.

Compute isolation

Extraction runs in isolated, short-lived compute environments. No persistent state between jobs. No cross-tenant access.

Queue durability

Job queues are encrypted in transit and at rest. Dead-letter queue captures unprocessed jobs for recovery.

No training by default

Customer content is not used to train or fine-tune models. Inference provider usage is governed by that provider's data handling terms.

Enterprise Readiness

Procurement-grade documentation.

01. Data Processing Agreement (DPA) available on request

02. SOC 2 preparation package in progress; audit-complete claims are not made yet

03. Subprocessor list available

04. Security questionnaire responses available for enterprise buyers

05. Custom data retention terms negotiable

06. Right-to-audit clause available in enterprise agreements

Security questions?

We respond to security review requests. DPA, retention, access-control, and SOC 2 preparation materials are available for enterprise buyers.