Security
Built secure from the start
Inkstract has undergone three rounds of structured security auditing against industry-standard frameworks. All Critical, High, and Medium findings have been identified and remediated.
All 15 categories assessed.
All Critical, High, and Medium findings remediated.
Audit date: 14 March 2026
Rounds: 3 structured assessments
Outcome: 0 Critical · 0 High · 0 Medium remaining
Frameworks assessed
OWASP Top 10 (2021)
OWASP ASVS Level 2
OWASP API Top 10 (2023)
Supply Chain Analysis
Assessment results
| Category | Status |
|---|---|
| Broken Access Control | Pass |
| Cryptographic Failures | Pass |
| Injection | Pass |
| Insecure Design | Pass |
| Security Misconfiguration | Pass |
| Vulnerable Components | Pass |
| Authentication Failures | Pass |
| Data Integrity Failures | Pass |
| Logging & Monitoring | Pass |
| SSRF | Pass |
| ASVS Level 2 | Pass |
| API Security Top 10 | Pass |
| Supply Chain | Pass |
| Data Protection | Pass |
| Infrastructure | Pass |
Security controls
Per-User Encryption
Content encrypted at rest with unique AES-256 keys per user via HKDF derivation.
Source File Deletion
Original documents deleted immediately after processing by default.
AI Processing Privacy
Only page images and abbreviations sent to the AI — no account info, names, or email addresses.
Transport Security
HTTPS enforced with HSTS (one-year preload). Cookies: Secure, HttpOnly, SameSite=Strict.
Full Security Headers
CSP, Permissions-Policy, COOP, Referrer-Policy, X-Frame-Options, X-Content-Type-Options.
Two-Factor Authentication
TOTP-based 2FA available for all accounts via authenticator apps.
Immutable Audit Logging
All user-facing actions recorded in an append-only audit trail. No human reviews your documents.
Fail-Closed Defaults
Security controls fail safe — misconfiguration blocks access rather than granting it.
EU Data Residency
All data processed and stored exclusively in the EU.
If you discover a security vulnerability, please contact security@inkstract.com.
Full audit reports available for enterprise customers, subject to NDA. Last updated March 2026.