Information Security Policy
1. Purpose and Scope
This policy describes the information security practices Docwright Software LLC ("DocWright") follows in developing, distributing, and supporting the DocWright software application. It applies to the DocWright application, its supporting backend services, and the handling of license and configuration data associated with institutional deployments.
2. Security Principle: Minimize What There Is to Protect
DocWright's primary security control is architectural. The application is installed locally and processes documents entirely on the end user's own machine. DocWright does not operate a central server that stores institutional documents, student data, or other sensitive information. Because this data is never transmitted to or held by DocWright, the practical scope of what could be exposed in a security incident affecting DocWright's own systems is limited to license administration data — not institutional or student records.
3. Data Handling and Transmission
- All network communication initiated by the application — license validation and the optional AI image-description feature — is transmitted over HTTPS.
- No document content, file metadata, or student data is transmitted to DocWright's backend at any point.
- The optional AI feature transmits only individual extracted images, directly to Anthropic's API, using an API key supplied and controlled by the institution.
4. Application Security Practices
- No credentials, API keys, or secrets are hard-coded into the application. The license key and any institution-supplied API key are stored locally in a configuration file on the installed machine, encrypted at rest using the operating system's built-in data protection (Windows DPAPI, scoped to the logged-in user account), and are never transmitted except in the limited, encrypted calls described above.
- The application does not store user passwords; there is no end-user account or login system. Access is governed at the institutional level through a license key.
- The application's interface has been evaluated for color contrast and meets WCAG AA contrast requirements. Keyboard-only operability and screen reader compatibility (ARIA labeling, focus order, semantic structure) have since been implemented and developer-tested; this work has not yet been verified by a third-party accessibility audit or assistive-technology user testing.
5. Change and Update Management
DocWright uses a staged update model designed to minimize disruption and risk:
- Compiled launcher (rarely changes): Core process management and the update mechanism itself are compiled into the installed application and only change for major version releases, which are communicated to institutional IT contacts in advance.
- Disk-based components (routine updates): The accessibility-fixing logic and interface are updated automatically. On each launch, the application checks a version endpoint; if a newer version is available, updated files are downloaded and the previous version is automatically backed up before being replaced.
- Fail-safe behavior: If a device is offline or an update download fails, the application proceeds normally using the existing working version. Updates never block usage.
6. Incident and Breach Notification
In the event DocWright identifies a security incident affecting an institution's license, account, or configuration data, DocWright will notify the institution's designated contact directly, using the contact information on file, as soon as reasonably possible after the incident is discovered and assessed. DocWright will work with the institution to provide relevant information needed to evaluate impact and any applicable notification obligations under law.
7. Current Limitations
Docwright Software LLC is, at the time of this policy, a single-founder company. The following formal programs are not yet in place and are identified here for transparency rather than overstated:
- No third-party security audit (e.g., SOC 2) has been conducted to date.
- No dedicated information security staff or office exists; security-related practices and decisions are managed directly by the founder.
- Formal penetration testing and vulnerability scanning have not yet been performed.
DocWright intends to expand these practices as the company and customer base grow.
8. Policy Review
This policy will be reviewed and updated as DocWright's product, infrastructure, or company structure evolves.
9. Contact
Gregory Buthusiem, Founder & Managing Member
Docwright Software LLC
(856) 817-5100