We’re serious about data security and privacy.

We know you’ll be trusting us with your user research data, including potentially sensitive information about your own customers, users, or research participants.

Our application is built on world-class, modern cloud infrastructure designed to ensure the safety of your data. We have carefully chosen proven third party cloud providers that have a great security track record, and we employ best practices including regular backups, data encryption, sanitized logging, and common attack prevention.

We’re not in the business of selling your data (anonymized or otherwise). You own all of the data you add to Dovetail and we will never sell it to third parties. We also won’t look at your data unless you give us permission for a support case.

Learn more in our legal help center.

Go to legal

Your data is always encrypted.

All data is encrypted while moving between us and your browser with Transport Level Security (TLS). Data is also encrypted at rest in our database and in backups.

We protect your billing information.

Our payments provider Stripe has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider.

We’re GDPR ready.

Dovetail is fully compliant with the EU’s General Data Protection Regulation (GDPR) with a privacy-by-design architecture, clear privacy policies for visitors and users, and features to help people manage and download their personal information.

We use database-level security.

Customers are segregated at the database-level. Workspace access logic is written directly in the database using robust policy-based access controls that minimize risk and make security auditing easier.

We prevent against common attacks.

We employ many strategies to prevent common browser-based attacks like brute force password guessing, cross-site request forgery (CSRF), iframe hacks, and more.

Frequently asked questions

Does your software lifecycle include security?

Yes. Security is integrated into day-to-day development. We maintain high awareness of potential security issues through code reviews, automated and manual testing, library reviews, and ‘dogfooding’ with a staging environment.

How do you segregate customers?

Individual workspace membership is enforced through models and controllers. Access to project data is enforced through PostgreSQL Row Level Security (RLS) using transaction-scoped config variables, referenced in RLS policies.

Is data encrypted?

Data is encrypted while moving between us and the browser with Transport Level Security (TLS). SSL certificates are issued and managed through Amazon Web Services (AWS), and we enable HTTP Strict Transport Security (HSTS). Data is encrypted at rest via AWS RDS AES-256 Encryption.

Can employees access customer data?

No. We cannot see your data during day-to-day operations. All customer data is obfuscated in the database using database roles. During a support case, if it is absolutely necessary to view customer data during, we will seek written permission from the customer first via email.

How do you secure user accounts?

We employ password strength requirements, Cross-Site Request Forgery (CSRF) protection, secure password reset practices, and log in attempt rate limiting with automated account lockout rules. We also employ a large email domain blacklist in an effort to prevent malicious actors and spam.

How are passwords stored in your system?

Our user authentication system uses BCrypt to hash and salt user passwords. Each password has a uniquely generated salt, and the ‘pepper’ is stored independently from the database.

Can we delete all of our data at any time?

Yes. Users can delete projects and project data within Dovetail if they have the correct access rights. Data can be restored for up to 30 days before it is permanently deleted, and it can take up to 60 days for all data to be deleted from our backups.

How do you ensure high availability?

We employ multiple techniques to ensure high availability including automated and manual testing, statically typed languages, regular performance benchmarking, production logging and alerts, 24/7 on-call rotations, fast continuous deployments, and industry-standard cloud infrastructure.

What data subprocessors do you use?

We use a number of industry-standard cloud vendors to run Dovetail, including Amazon Web Services (AWS), Heroku, and Stripe. Please visit our legal center for a complete list.

Do you track issues in open source software?

Yes. We employ an automated service called Greenkeeper to stay up-to-date with open source dependencies, and GitHub Security Alerts for vulnerability alerts in dependencies.

What security features are on your roadmap?

New security features are a high priority for us. These include Two-Factor Authentication (2FA), Single Sign-On (SSO), multiple administrators, user password policies, an audit log, and more.

Is Dovetail GDPR compliant?

Yes. Dovetail is GDPR ready with a privacy-by-design architecture, clear privacy policies, and features to help users manage their personal information.

Do you have a bug bounty program?

We do not currently have a bug bounty program. We want to grow our team further before committing to operating a bug bounty program, as we believe a poorly operated program can be more damaging. Before setting up a program, we want to do due diligence from regulatory, financial, ethical, and engineering perspectives.

Do you have a point of contact for security?

Yes. Email security@dovetailapp.com.

Made in Australia by 🐨Auzzies and 🥝Kiwis

© Dovetail Research Pty. Ltd.

ABN: 84 615 270 025