We’re serious about data security and privacy.

Our application is built on a world-class, modern cloud infrastructure designed to ensure the safety of your data. We have chosen proven third party cloud providers like Amazon Web Services, who have a consistently excellent security track record.

Ensuring the safety and privacy of your data is baked into our everyday processes throughout our organization. We take regular data backups and test recovery, run penetration testing, encrypt all data at rest and in transit, conduct static code analysis and third party vulnerability scanning, sanitize our logs, secure individual customers at the database level, and many other cloud security techniques.

We’re not in the business of selling your data (anonymized or otherwise). You own your data and we will never sell it to third parties. We also won’t look at your data unless you give us permission for a support case.

Scroll down for information about specific security practices, and read our privacy policy, customer terms of service, list of third party data subprocessors, and GDPR commitment in our legal center.

Go to legal

Dovetail is compliant with the EU’s General Data Protection Regulation (GDPR) with a privacy-by-design architecture, clear privacy policies for visitors and users, and features to help people manage and download their personal information.

Read more about our GDPR commitment

Product security

Permissions
Global access roles allow admins to set permission levels for everyone in the workspace, and project-level access controls allows permission levels to be set for specific projects.
Secure passwords
Dovetail enforces a password complexity standard and credentials are stored using BCrypt with unique salts.
SSO via Google
Admins can instruct users to authenticate to Dovetail in one click using their Google account. They’ll never need to set a password with us to log in to their account or to sign up, even if they’re creating a new account.
Permanent deletion
Users can delete projects and project data within Dovetail if they have the correct access rights. Data can be restored for up to 30 days before it is permanently deleted, and it can take up to 60 days for all data to be deleted from our backups.
High availability
We ensure high availability with automated and manual testing, statically typed languages, regular performance benchmarking, production logging and alerts, 24/7 on-call rotations, fast continuous deployments, and industry-standard cloud infrastructure.

Network and application security

Hosting and storage
Dovetail services and data are hosted in Amazon Web Services (AWS) facilities (us-east-1) in the United States. All data is encrypted at rest via AWS RDS AES-256 Encryption.
RLS policies
Customer segregation and access to all data is enforced through PostgreSQL Row Level Security (RLS) using transaction-scoped config variables, referenced in RLS policies.
Encryption
Data is encrypted while moving between us and the browser with Transport Level Security (TLS). All SSL certificates are issued and managed through AWS, and we enable HTTP Strict Transport Security (HSTS). We score an ‘A+’ rating on Qualys SSL Labs‘ tests.
Obfuscated data
Customer data is obfuscated in the database using roles. During a support case, if it is absolutely necessary to view customer data, we will seek written permission from the customer first via email.
Vulnerability scanning
Dovetail uses third party security tools to scan for vulnerabilities. Our engineers respond to issues raised. We have no vulnerabilities on the OWASP Top 10 and a maximum CVSS score of 0.0.
Brute force prevention
We employ password strength requirements, Cross-Site Request Forgery (CSRF) protection, secure password reset practices, and log in attempt rate limiting with automated account lockout. We also use a large email domain blacklist to prevent malicious actors and spam.
Backups & monitoring
We use AWS RDS’ backup solution for datastores that contain customer data. Data is automatically backed up every 10 minutes, and we keep daily backups for 14 days. On an application level, we store logs for all activity through AWS CloudWatch, and all actions taken on production consoles or in the application are logged. Logs are stored for 30 days.
Incident response
Our engineering team has a 24 / 7 on-call rotation and escalation policy, with production alerts captured and automatically escalated.

Compliance

PCI DSS
All payments made to us go through our payments provider, Stripe. Details about their security setup and PCI compliance can be found on Stripe’s security page.
CAIQ
We have completed the Cloud Security Alliance (CSA) CAIQ security questionnaire, which is available through the CSA’s STAR registry.
OWASP
The most recent penetration test reported no vulnerabilities on the OWASP 2013 Top 10 and OWASP 2017 Top 10.

Other security features

Employee training
All employees complete annual Security and Awareness training.
Confidentiality
All employee and contractor agreements include a confidentiality clause.
Policies
Our internal security policies cover a range of topics, and are updated frequently and shared with all employees and contractors.

Made in Australia by 🐨Aussies and 🥝Kiwis

© Dovetail Research Pty. Ltd.

ABN: 84 615 270 025