Skip to main content
Trust

Security & trust

How StartOCR protects documents, keys, and infrastructure.

  1. Data handling

    Uploads are stored in private R2 buckets and served only through authenticated proxies. Input files are deleted on a short retention window (~24h); results typically expire within ~7 days unless pinned.

  2. Authentication

    Session cookies use Better Auth with email verification. API keys are hashed at rest, scoped (submit/read/export), and rate limited.

  3. Webhook signing

    Outbound webhooks use HMAC-SHA256 with per-endpoint secrets, timestamps, and nonces to prevent replay.

  4. Infrastructure

    The app runs on Cloudflare Workers with D1, R2, and Queues. TLS is terminated at the edge. Secrets are stored via Wrangler secrets.

  5. Report a vulnerability

    Email security@startocr.com. We acknowledge reports within 2 business days.