Data Privacy

Security & Data Protections

Docsieve is built from the ground up for strict data isolation and safety. We enforce zero local token storage, encrypt external API credentials at rest, and block malicious crawl routes.

1. Zero Local Token Storage (BFF Architecture)

We avoid storing authentication keys or JWTs inside browser localStorage or sessionStorage, completely eliminating token theft via XSS injection.

  • HttpOnly Session Cookies: Session state is stored in an encrypted cookie with the HttpOnly attribute, preventing JavaScript access.
  • Double-Submit CSRF Protection: Mutating requests must carry a CSRF token (readable by page JavaScript, i.e. not HttpOnly) in a custom request header; the API server validates it on every such request.

2. BYOK Key Encryption & Masking

When you configure a custom LLM API key (Bring Your Own Key) to bypass platform limits, the credential is protected as follows.

  • Fernet Symmetric Cryptography: Keys are encrypted immediately upon submission and stored encrypted at rest using high-entropy Fernet keys.
  • UI Masking: The dashboard only shows the last 4 characters of your saved key (e.g. ...last4), so the full key is never rendered on screen and cannot be read by shoulder-surfing.

3. SSRF Protection & Robots.txt Compliance

Our crawler executes inside a secure network sandbox that monitors and validates crawl routes.

  • Private IP Blocklist: Before a crawl URL is fetched, its hostname is resolved and the resulting IP addresses are checked; any address in a loopback range (127.0.0.1), a private subnet (RFC 1918), or a cloud metadata endpoint range (AWS/GCP/Azure) is blocked automatically.
  • Robots.txt Adherence: Crawls respect the paths listed under Disallow directives in the target server's robots.txt.
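The following is an added illustration of the private IP blocklist check described above. It is example code written for this page, not Docsieve's crawler; the block list, the injectable resolver hook and the function names are assumptions, and the check is run on the resolved addresses rather than the hostname string so that hex/octal IP spellings and DNS tricks are caught.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed blocklist (assumption): loopback, RFC 1918, link-local (which
# contains the 169.254.169.254 metadata address used by AWS, GCP and Azure),
# carrier-grade NAT, plus IPv6 loopback, unique-local and link-local ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "100.64.0.0/10",
    "::1/128", "::/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_ip(ip_text: str) -> bool:
    """True when an IP literal falls in a blocked range. IPv4-mapped IPv6
    addresses (::ffff:10.0.0.1) are unwrapped so the IPv4 rules apply."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def resolve_crawl_target(url: str, resolver=socket.getaddrinfo) -> list:
    """Validate a crawl URL and return the vetted IPs to connect to.

    Raises ValueError when the URL is rejected. The caller should connect to
    one of the returned IPs (keeping the original Host header) instead of
    resolving the hostname again, which would reopen a DNS-rebinding window.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    host = parts.hostname
    try:
        ips = [str(ipaddress.ip_address(host))]   # bare IP literal, no DNS
    except ValueError:
        infos = resolver(host, parts.port or 80, proto=socket.IPPROTO_TCP)
        ips = sorted({info[4][0] for info in infos})  # every A/AAAA answer
    if not ips:
        raise ValueError(f"no addresses for {host!r}")
    blocked = [ip for ip in ips if is_blocked_ip(ip)]
    if blocked:  # one bad answer is enough to reject the whole target
        raise ValueError(f"{host!r} resolves to blocked address(es) {blocked}")
    return ips


def is_allowed_crawl_url(url: str, resolver=socket.getaddrinfo) -> bool:
    """Boolean wrapper around resolve_crawl_target for policy checks."""
    try:
        resolve_crawl_target(url, resolver)
        return True
    except (ValueError, socket.gaierror):
        return False
```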

4. Workspace Boundaries & RBAC Scopes

All database tables and space resources are scoped to workspaces.

  • Access Controls: Member and workspace invitation tables ensure users can only view briefs in spaces they are explicitly authorized to access.
  • Device Revocation: The profile settings panel lists all active sessions and allows users to revoke individual tokens or terminate all other devices instantly.