Ensuring the safety and privacy of your data is baked into our everyday processes throughout our organization. We take regular data backups and test recovery, run penetration testing, encrypt all data at rest and in transit, conduct static code analysis and third party vulnerability scanning, sanitize our logs, secure individual customers at the database level, and many other cloud security techniques.
We’re not in the business of selling your data (anonymized or otherwise). You own your data and we will never sell it to third parties. We also won’t look at your data unless you give us permission for a support case.
Global access roles allow admins to set permission levels for everyone in the workspace, and project-level access controls allows permission levels to be set for specific projects.
Dovetail enforces a password complexity standard and credentials are stored using BCrypt with unique salts.
Admins can instruct users to authenticate to Dovetail in one click using their Google account. They’ll never need to set a password with us to log in to their account or to sign up, even if they’re creating a new account.
Users can delete projects and project data within Dovetail if they have the correct access rights. Data can be restored for up to 30 days before it is permanently deleted, and it can take up to 60 days for all data to be deleted from our backups.
We ensure high availability with automated and manual testing, statically typed languages, regular performance benchmarking, production logging and alerts, 24/7 on-call rotations, fast continuous deployments, and industry-standard cloud infrastructure.
Network and application security
Dovetail services and data are hosted in Amazon Web Services (AWS) facilities (us-east-1) in the United States. All data is encrypted at rest via AWS RDS AES-256 Encryption.
Customer segregation and access to all data is enforced through PostgreSQL Row Level Security (RLS) using transaction-scoped config variables, referenced in RLS policies.
Data is encrypted while moving between us and the browser with Transport Level Security (TLS). All SSL certificates are issued and managed through AWS, and we enable HTTP Strict Transport Security (HSTS). We score an ‘A+’ rating on Qualys SSL Labs‘ tests.
Customer data is obfuscated in the database using roles. During a support case, if it is absolutely necessary to view customer data, we will seek written permission from the customer first via email.
Dovetail uses third party security tools to scan for vulnerabilities. Our engineers respond to issues raised. We have no vulnerabilities on the OWASP Top 10 and a maximum CVSS score of 0.0.
We perform independent third-party manual penetration testing on an annual basis.
We employ password strength requirements, Cross-Site Request Forgery (CSRF) protection, secure password reset practices, and log in attempt rate limiting with automated account lockout. We also use a large email domain blacklist to prevent malicious actors and spam.
We use AWS RDS’ backup solution for datastores that contain customer data. Data is automatically backed up every 10 minutes, and we keep daily backups for 14 days. On an application level, we store logs for all activity through AWS CloudWatch, and all actions taken on production consoles or in the application are logged. Logs are stored for 30 days.
Our engineering team has a 24 / 7 on-call rotation and escalation policy, with production alerts captured and automatically escalated.
All payments made to us go through our payments provider, Stripe. Details about their security setup and PCI compliance can be found on Stripe’s security page.
We have completed the Cloud Security Alliance (CSA) CAIQ self-assessment questionnaire, which is available through the CSA’s STAR registry.
We have completed the Vendor Security Alliance (VSA) Core self-assessment questionnaire, contact us for a copy.
We have completed the Shared Assessments Standard Information Gathering (SIG) self-assessment questionnaire, contact us for a copy.
We have completed responses for Google’s open source vendor security assessment questionnaire (VSAQ) tool, contact us for a copy.
The most recent penetration test reported no vulnerabilities on the OWASP 2013 Top 10 and OWASP 2017 Top 10.
Other security features
All employees complete annual Security and Awareness training.
All employee and contractor agreements include a confidentiality clause.
We perform background and reference checks on new employees to the full extent permitted by local privacy legislation.
Our internal security policies cover a range of topics, and are updated frequently and shared with all employees and contractors.