Security

BorrowerDocs handles sensitive financial documents. Here is how we protect your data and your borrowers' data.

Encryption in transit

All data between your browser and BorrowerDocs is encrypted using TLS 1.2+. Magic links and portal sessions use HTTPS exclusively.

Encryption at rest

Documents are stored in Cloudflare R2 with server-side encryption. Files are never stored unencrypted on disk.

Access controls

Brokers can only access their own organization's data. Borrowers access only their specific loan file via a time-limited magic link, with no account or password required.

Expiring magic links

Borrower portal links expire after 7 days. Brokers can revoke access and re-send a new link at any time from the loan file dashboard.

Email security

Transactional emails are sent via Postmark, a dedicated provider with SPF, DKIM, and DMARC configured to prevent spoofing.

Responsible disclosure

If you discover a security vulnerability, please report it to [email protected]. We will respond within 72 hours.

Data residency

Document files are stored in Cloudflare R2, distributed across Cloudflare's global infrastructure. Database servers are hosted in the United States.

Data retention

Uploaded documents and messages are permanently deleted in one of two ways. Deleting a file removes its documents within minutes. Closing a file removes its documents after a plan-based delay: 30 days (Free), 90 days (Starter), or 180 days (Pro). In both cases, the loan file record and audit log are preserved indefinitely. To request deletion of your account and all associated data, contact [email protected]. See our Privacy Policy for full details.

Subprocessors

We use a small number of trusted third-party providers to deliver the service: Cloudflare R2 (storage), Postmark (email), Stripe (billing), and our hosting infrastructure provider. All handle data under their own security programs and data processing agreements.

Report a vulnerability

Security researchers who discover potential issues are encouraged to contact us at [email protected] before public disclosure. We take all reports seriously and will respond within 72 hours.