Security & Trust

Designed to survive security review.

PolDex handles commercial insurance documents. Precision and safety are not optional.

Trust Principles

Eight explicit commitments.

No customer dashboard

PolDex provides no login portal. The API is the control surface. Reduced attack surface by design.

No training use by default

Customer content is not used to train or fine-tune any model. Inference provider usage is governed by their data handling terms.

No raw content in standard logs

Extracted document content does not appear in application logs. Only job metadata, status transitions, and delivery events are logged.

Evidence-backed output

Every extracted fact carries an evidence pointer. Outputs are not generated without grounding in the source content.

Automatic retention controls

Uploaded content is retained for a defined maximum period and then deleted automatically. Explicit deletion is also available.

API-first control surface

Key rotation, credit visibility, job status, and DLQ access are all available without contacting the team.

Signed webhook delivery

All webhook payloads are signed with HMAC-SHA256. You can verify delivery authenticity without trusting transport alone.

Tenant isolation

Jobs, keys, and credit ledgers are scoped to the issuing API key. Cross-tenant data access is not possible by design.

Data Handling

What happens to your documents.

Submission

A document URL or S3 reference is submitted via the API. PolDex does not receive the raw file at submission time unless it is uploaded directly.

Retrieval

Workers stream the document from the provided source. Content is written to temporary worker disk only. Network access uses TLS.

Extraction

Segmented content is passed to the extraction layer. Content is not logged. Only structured output is retained in the PolDex datastore.

Retention

Job metadata and structured output are retained for 90 days by default. Raw document content and worker disk are deleted after extraction.

Deletion

Deletion requests via POST /v1/jobs/{id}/delete initiate removal of structured output from the PolDex datastore. Metadata may persist for audit purposes.

Access Model

API keys, not accounts.

PolDex uses API keys as the authentication primitive. There is no account portal, no username/password combination, and no OAuth flow.

Keys are shown exactly once at issuance. PolDex stores only a hashed version. Recovery is not possible — rotation creates a new key.

Key rotation is self-serve via POST /v1/keys/rotate. Compromised keys should be rotated immediately without contacting support.

Webhook Trust

Verify every delivery.

Every webhook delivery includes an X-PolDex-Signature header in the format t=<timestamp>,v1=<hex>. Verify by recomputing HMAC-SHA256 over <timestamp>.<raw body> with your webhook secret and comparing the result to v1 using a constant-time comparison.

Signature verification (Node.js)
import crypto from 'crypto'

// Shaped as Express-style middleware. req.rawBody must be the unparsed request
// bytes (a Buffer); recomputing over a re-serialised JSON body will not match.
function verifyPoldexSignature(req, res, next) {
  const sig = req.headers['x-poldex-signature'] // t=...,v1=...
  const body = req.rawBody // unparsed bytes

  if (typeof sig !== 'string' || !Buffer.isBuffer(body)) {
    return res.status(401).end()
  }

  // Parse header: "t=<timestamp>,v1=<hex>"
  const parts = Object.fromEntries(sig.split(',').map(p => p.split('=')))
  const timestamp = parts['t']
  const v1 = parts['v1']
  if (!timestamp || !v1) {
    return res.status(401).end()
  }

  // Recompute: HMAC-SHA256 over "<timestamp>.<raw body>"
  const expected = crypto
    .createHmac('sha256', process.env.WEBHOOK_SECRET)
    .update(timestamp + '.')
    .update(body)
    .digest('hex')

  // timingSafeEqual throws on length mismatch, so check lengths first
  // (a length mismatch is a rejection, not a crash)
  const given = Buffer.from(v1)
  const want = Buffer.from(expected)
  if (given.length !== want.length || !crypto.timingSafeEqual(given, want)) {
    return res.status(401).end()
  }
  next()
}

Infrastructure Governance

Single-cloud. Single security model.

Single cloud provider

All processing, storage, and compute runs on one cloud provider. One security model, one compliance story, one operational surface.

Encryption everywhere

Data encrypted in transit (TLS 1.2+) and at rest (AES-256). Encryption key management follows least-privilege access principles.

Storage isolation

Document storage uses server-side encryption. No public access. Access controlled by least-privilege IAM policies.

Compute isolation

Extraction runs in isolated, short-lived compute environments. No persistent state between jobs. No cross-tenant access.

Queue durability

Job queues are encrypted in transit and at rest. Dead-letter queue captures unprocessed jobs for recovery.

No training by default

Customer content is not used to train or fine-tune models. Inference provider usage is governed by that provider's data handling terms.

Enterprise Readiness

Procurement-grade documentation.

Data Processing Agreement (DPA) available on request
SOC 2 Type II documentation available under NDA
Subprocessor list available
Security questionnaire responses available for enterprise buyers
Custom data retention terms negotiable
Right-to-audit clause available in enterprise agreements

Security questions?

We respond to security review requests. DPA and audit documentation available for enterprise buyers.