handwritingOCR
Try free
Open menu
Pricing API About Contact Privacy Log in
Help

Security

Encryption, HIPAA, regional data residency, and how Handwriting OCR keeps sensitive documents safe.

Last updated

Are you SOC 2 or ISO 27001 certified?

We don't currently hold SOC 2 or ISO 27001 certification. We've prioritised investing in the underlying security controls — encryption, access management, no-training guarantees, configurable retention — over the certification process itself.

What we do offer

  • Encryption in transit and at rest — bank-grade TLS for all uploads and downloads; encryption at rest in our datacenters.
  • No model training on customer data — your files are never used to improve our models.
  • Configurable retention — auto-delete defaults to 7 days, configurable from 15 minutes to 14 days, or delete manually at any time.
  • Access controls — staff cannot view your files without your explicit prior authorisation.
  • EU data residency — European customers can opt for EU-only processing.
  • GDPR Data Processing Agreement (DPA) — available on the Business plan.
  • Webhook signing (HMAC-SHA256) — verify webhook calls are authentic.

For procurement reviews

Business customers can request our security documentation — a written summary of our controls, sub-processors, retention defaults, and incident-response approach. This is typically enough to satisfy procurement and security teams that need a record on file. Contact us to request it.

Can you handle sensitive, confidential, or classified documents?

Handwriting OCR is used by customers in healthcare, legal, government, and other regulated industries for confidential and sensitive documents. Standard security measures apply to every account:

  • Encryption in transit and at rest — bank-grade encryption protects files end-to-end.
  • No model training on your data — your documents are never used to improve our AI models.
  • Configurable retention — auto-delete defaults to 7 days, configurable down to 15 minutes, or delete manually at any time via dashboard or API.
  • No third-party sharing — files are processed only to deliver the service.

For projects with elevated requirements we can also offer:

  • EU-only data residency for European customers
  • GDPR Data Processing Agreement (DPA) on the Business plan
  • Mutual NDAs for projects that need them

If your project involves classified or exceptionally sensitive material, contact us so we can discuss the right setup.

Can you provide security documentation for our procurement review?

Yes. For Business customers, we can share a security documentation packet suitable for procurement and security reviews.

What's included

  • Controls summary — encryption (in transit and at rest), access management, no-training guarantee, configurable retention.
  • Data flow — where uploads go, how processing works, where results are stored, when deletion happens.
  • Sub-processors — the cloud infrastructure providers we use, and their relevant compliance posture.
  • Data residency — default and EU-only options.
  • Incident response — how we monitor, detect, and respond to security incidents.
  • GDPR posture — our role as data processor, plus a Data Processing Agreement (DPA) we can sign as part of your contract.

Standard security questionnaires

We can complete the most common procurement security questionnaires (CAIQ, SIG-Lite, custom enterprise questionnaires) for Business customers. Turnaround depends on the complexity of the form — most take a few business days.

Certifications

We don't currently hold SOC 2 or ISO 27001 certifications — see Are you SOC 2 or ISO 27001 certified? for the full picture.

Get in touch and tell us what your procurement team needs — we'll send the right documentation.

Can you sign an NDA?

Yes. We routinely sign NDAs for enterprise, research, and high-sensitivity projects. If your organization requires one, simply contact us and we’ll provide an NDA or review yours.

Do you comply with regional data-protection regulations besides GDPR?

Our security and privacy framework — encryption in transit and at rest, configurable auto-deletion, EU-only data residency, no model training on customer data, and access controls — aligns with the technical and organisational measures required by most major international data-protection standards.

For Business customers with specific obligations (e.g. UK Data Protection, regional sovereignty rules, sector-specific requirements), contact us and we can review your needs against what we currently offer.

Do you log or analyze the contents of my documents?

No. We do not inspect, analyze, or use your document contents for analytics, training, or product improvement. Logs contain only operational metadata such as timestamps and job statuses, never the text or images from your documents.

Do you store my documents after processing?

Documents are stored only for the duration of your selected retention window. The default is 7 days, but you can shorten it or delete documents manually at any time. Once a document is deleted—either automatically or manually—it is permanently removed from our systems.

How is my data secured during upload and processing?

Every step of the pipeline is designed to keep your documents secure.

In transit

  • All uploads and downloads happen over HTTPS/TLS — files are encrypted between your device or app and our servers, including for API calls.
  • Webhook deliveries are signed with HMAC-SHA256 so your system can verify the call really came from Handwriting OCR.

At rest

  • Stored files are encrypted at rest with industry-standard encryption.
  • Documents auto-delete after your configured retention window (default 7 days, configurable from 15 minutes to 14 days).

Access control

  • Only you (and team members on a Business account) can access documents in your account.
  • Our staff can view your files only with explicit prior authorisation — typically when you've asked us to investigate a specific issue. We don't browse customer data.

Compliance

Business customers can sign a GDPR Data Processing Agreement (DPA). We do not currently hold SOC 2 or ISO 27001 certification.

Where is my data stored?

Your documents are stored in secure datacenters with encryption at rest. We use established cloud infrastructure providers — every region we use meets industry standards for physical, network, and access security.

Default region

By default, data is stored in our primary region (US datacenters). This delivers the lowest latency for the largest share of customers and supports the full feature set.

EU-only storage

European customers can opt for EU-only data residency — every upload, processing step, and stored result stays inside EU datacenters. This is particularly relevant for GDPR-sensitive workloads. Enable EU-only data residency by contacting support.

Region-specific infrastructure (Business)

Business customers with regulatory or contractual data-residency requirements can request specific regions or dedicated infrastructure as part of their plan. Contact us to discuss.

Retention

Whatever the region, your data is automatically deleted after your configured retention window (default 7 days, configurable down to 15 minutes), or immediately when you delete it manually.