Trust
Security & trust
How StartOCR protects documents, keys, and infrastructure.
Data handling
Uploads are stored in private R2 buckets and served only through authenticated proxies. Input files are deleted on a short retention window (~24h); results typically expire within ~7 days unless pinned.
Authentication
Session cookies use Better Auth with email verification. API keys are hashed at rest, scoped (submit/read/export), and rate limited.
Webhook signing
Outbound webhooks use HMAC-SHA256 with per-endpoint secrets, timestamps, and nonces to prevent replay.
Infrastructure
The app runs on Cloudflare Workers with D1, R2, and Queues. TLS is terminated at the edge. Secrets are stored via Wrangler secrets.
Report a vulnerability
Email security@startocr.com. We acknowledge reports within 2 business days.