Data security and privacy.

Our application is built on a modern cloud infrastructure designed to ensure the safety of your data, and we’ve chosen proven third party cloud providers like AWS, who have a consistently excellent track record.

Ensuring the safety and privacy of your data is baked into our everyday processes throughout our organization. We take regular data backups and test recovery, run penetration testing, encrypt all data at rest and in transit, conduct static code analysis and third-party vulnerability scanning, sanitize our logs, secure individual customers at the database level, and apply many other cloud security techniques.

We’re not in the business of selling your data (anonymized or otherwise). You own your data and we will never sell it to third parties. We also won’t look at your data unless you give us permission for a support case.

Scroll down for information about specific security practices, and read our privacy policy, customer terms of service, list of third party data subprocessors, and GDPR commitment in our legal center.


Dovetail is compliant with the EU’s General Data Protection Regulation (GDPR) with a privacy-by-design architecture, clear privacy policies for visitors and users, and features to help people manage and download their personal information.


Security features

Product security

Global access roles allow admins to set permission levels for everyone in the workspace, and project-level access controls allow permission levels to be set for specific projects.
Secure passwords
Dovetail enforces a password complexity standard and credentials are stored using BCrypt with unique salts.
SSO via Google
Admins can instruct users to authenticate to Dovetail in one click using their Google account. They’ll never need to set a password with us to log in to their account or to sign up, even if they’re creating a new account.
Permanent deletion
Users can delete projects and project data within Dovetail if they have the correct access rights. Data can be restored for up to 30 days before it is permanently deleted, and it can take up to 60 days for all data to be deleted from our backups.
High availability
We ensure high availability with automated and manual testing, statically typed languages, regular performance benchmarking, production logging and alerts, 24/7 on-call rotations, fast continuous deployments, and industry-standard cloud infrastructure.

Network and application security

Hosting and storage
Dovetail services and data are hosted in Amazon Web Services (AWS) facilities (us-east-1) in the United States. All data is encrypted at rest via AWS RDS AES-256 Encryption.
RLS policies
Customer segregation and access to all data are enforced through PostgreSQL Row Level Security (RLS) using transaction-scoped config variables, referenced in RLS policies.
Data is encrypted while moving between us and the browser with Transport Layer Security (TLS). All SSL certificates are issued and managed through AWS, and we enable HTTP Strict Transport Security (HSTS). We score an ‘A+’ rating on Qualys SSL Labs’ tests.
Obfuscated data
Customer data is obfuscated in the database using roles. During a support case, if it is absolutely necessary to view customer data, we will seek written permission from the customer first via email.
Vulnerability scanning
Dovetail uses third party security tools to scan for vulnerabilities. Our engineers respond to issues raised. We have no vulnerabilities on the OWASP Top 10 and a maximum CVSS score of 0.0.
Penetration testing
We perform independent third-party manual penetration testing on an annual basis.
Brute force prevention
We employ password strength requirements, Cross-Site Request Forgery (CSRF) protection, secure password reset practices, and login attempt rate limiting with automated account lockout. We also use a large email domain deny list to prevent malicious actors and spam.
Backups & monitoring
We use AWS RDS’ backup solution for datastores that contain customer data. Data is automatically backed up every 10 minutes, and we keep daily backups for 14 days. On an application level, we store logs for all activity through AWS CloudWatch, and all actions taken on production consoles or in the application are logged. Logs are stored for 30 days.
Incident response
Our engineering team has a 24 / 7 on-call rotation and escalation policy, with production alerts captured and automatically escalated.
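
The tenant segregation described under "RLS policies" above can be sketched as follows. This is an added example, not Dovetail's schema or code; the table `notes`, the role `app_user` and the setting name `app.workspace_id` are assumptions chosen for illustration.

```sql
-- Added illustration; table, role and setting names are assumptions.
CREATE ROLE app_user NOLOGIN;   -- must be neither superuser nor BYPASSRLS
CREATE TABLE notes (
    id           bigserial PRIMARY KEY,
    workspace_id uuid NOT NULL,
    body         text NOT NULL
);
GRANT SELECT, INSERT ON notes TO app_user;
GRANT USAGE ON SEQUENCE notes_id_seq TO app_user;

ALTER TABLE notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE notes FORCE ROW LEVEL SECURITY;   -- policy also binds the table owner

-- current_setting(name, true) is NULL if the variable was never set and ''
-- once a transaction that used SET LOCAL has ended. NULLIF folds both to
-- NULL, so the comparison is never true and no row matches (fail closed).
CREATE POLICY workspace_isolation ON notes
    USING      (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid)
    WITH CHECK (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid);

SET ROLE app_user;

-- One transaction per request; the tenant id is scoped to it by SET LOCAL.
-- Application code with bind parameters would call
-- set_config('app.workspace_id', $1, true) instead.
BEGIN;
SET LOCAL app.workspace_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO notes (workspace_id, body)
VALUES ('11111111-1111-1111-1111-111111111111', 'tenant A interview');  -- constructed row
COMMIT;

BEGIN;
SET LOCAL app.workspace_id = '22222222-2222-2222-2222-222222222222';
INSERT INTO notes (workspace_id, body)
VALUES ('22222222-2222-2222-2222-222222222222', 'tenant B interview');  -- constructed row
SELECT body FROM notes;   -- USING filters out tenant A's row
-- An INSERT here carrying tenant A's workspace_id would fail WITH CHECK
-- and abort the transaction.
COMMIT;

-- Outside a transaction the variable is no longer set, so a pooled
-- connection that skips the SET LOCAL step matches no rows at all.
SELECT count(*) FROM notes;
RESET ROLE;
```

The guarantee holds only while the application connects as a role without the superuser or `BYPASSRLS` attribute, since both skip policy evaluation entirely.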


All payments made to us go through our payments provider, Stripe. Details about their security setup and PCI compliance can be found on Stripe’s security page.
We have completed the Cloud Security Alliance (CSA) CAIQ self-assessment questionnaire, which is available through the CSA’s STAR registry.
McAfee Enterprise-Ready™
We have been awarded the McAfee Enterprise-Ready™ seal, having earned the highest CloudTrust™ rating possible based on attributes across the data, user and device, security, business, and legal evaluation categories.
We have completed the Vendor Security Alliance (VSA) Core self-assessment questionnaire; contact us for a copy.
Google VSAQ
We have completed responses for Google’s open source vendor security assessment questionnaire (VSAQ) tool; contact us for a copy.
The most recent penetration test reported no vulnerabilities on the OWASP 2013 Top 10 and OWASP 2017 Top 10.

Other security features

Employee training
All employees complete annual Security and Awareness training.
All employee and contractor agreements include a confidentiality clause.
Background checks
We perform background and reference checks on new employees to the full extent permitted by local privacy legislation.
Our internal security policies cover a range of topics, and are updated frequently and shared with all employees and contractors.

Security roadmap

A view into the data security and privacy features we have planned.

SOC2 Type II
We’re currently in the audit period for SOC compliance.
Audit log
See an audit trail of all user actions in your workspace.
Data anonymization
Anonymize data as it’s uploaded to your workspace.


© Dovetail Research Pty. Ltd.

Made in Australia