Corporate security

Dovetail has taken steps to ensure the security of the physical office environment and continuity of business operations in the event of a disaster. Dovetail web application infrastructure, and customer data, is not located or stored within any physical Dovetail office environment.

Environment

Access to Dovetail's office is restricted using physical locks which only Dovetail employees can access. Dovetail's office remains locked throughout the entire day.

Dovetail's office environment also has security safeguards including:

• Security alarms – the office building has motion alarms that alert building management who respond to alarms 24 hours a day, 7 days a week, 365 days a year.

• Security video surveillance – the internal office entry / exit points and network room have continuous video surveillance. The office building has external video surveillance and an agreement is in place with building management to access surveillance footage in the event that it is needed.

• Fire alarms and sprinkler system – fire alarms are installed throughout the office. Sprinkler fire suppression systems and extinguishers are in place.

Visitor access

All visitors must sign-in via Envoy and be escorted and supervised by Dovetail employee at all times.

Dovetail has an asset management policy in place to protect data that is stored and accessible via endpoints, such as company workstations and laptops.

Fleet management

All corporate endpoints are protected against internal threats and local vulnerabilities via Kandji and Vanta. All devices are continuously monitored for the following checks:

• Full-disk encryption

• Screen lock enabled

• Latest security updates

• Malware detection and anti-virus

• Personal firewall enabled

• Encrypted SSH keys

• Password management software

All corporate devices are also enrolled in mobile device management (MDM) enabling Dovetail to remotely manage assets to ensure compliance with configuration standards and enabling remote lock and erase in the event of a lost or stolen device.

Network security

All corporate wireless networks, including both corporate and guest networks, encrypt data in transit using WPA2-AES encryption. Guest network traffic and access is separated from corporate network traffic and access.

Corporate networks are protected with Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS) to block malicious traffic and actors attempting to access Dovetail's corporate network.

Removable media and offline backups

Dovetail prohibits use of removable media and offline backups to mitigate both the risk of data loss as well as the risk of malware being introduced.

All new employees receive onboarding and systems training. This training is completed annually by employees and training compliance is monitored.

The main topics covered in security training are:

• Social engineering – primarily phishing and how to detect and report attacks.

• Passwords – background in how passwords are cracked, why strong passwords are important, and storage recommendations for passwords.

• Physical Security – guidelines for maintaining the physical security of offices and equipment.

• Data Handling – understanding data classification and how to properly handle such data.

• Compliance – its importance and how it affects operations.

Dovetail has a comprehensive set of risk management principles, policies and procedures in place to identify new business and technical risks, and put plans in place to mitigate those risks.

Risk principles

Dovetail believes that effective risk management involves:

• A commitment to the security, availability, and confidentiality of Dovetail infrastructure and services from senior management.

• The involvement, cooperation and insight of all Dovetail staff.

• A commitment to initiating risk assessments, starting with discovery and identification of risks.

• A commitment to the thorough analysis of identified risks.

• A commitment to a strategy for treatment of identified risks.

• A commitment to communicate all identified risks to the company.

• A commitment to encourage the reporting of risks and threat vectors from all Dovetail staff.

Dovetail maintains a comprehensive set of organizational security policies that must be agreed to by all employees annually.

All policies are reviewed and approved by management annually. Employees who violate any policies may face disciplinary consequences in proportion to their violation.

You can view and request a copy of our policies in our trust center.

Dovetail relies on vendors to perform a variety of services, some of which are critical for operations. Dovetail aims to manage its relationship with vendors and manage the risk associated with engaging third parties to perform services.

Risk assessments

Dovetail conducts due diligence on an individual vendor's security, business practices, and legal commitments. This assessment includes a review of supply chains for modern slavery. Dovetail's vendor management policy provides a framework for managing the lifecycle of vendor relationships.

Data subprocessors

Dovetail utilizes some vendors as data subprocessors to provide the Dovetail services. Dovetail takes a risk-based approach to selecting data subprocessors based on the security and business practices of these vendors. To minimize our risk and the risk to our customers, we aim to utilize as few data subprocessors as possible to provide the Dovetail services.

Dovetail's data subprocessors are listed at data subprocessors.

All employee and contractor agreements include a confidentiality agreement. All employees agree during and after employment that they will:

• refrain from disclosing confidential information

• not use confidential information for purposes other than their employment

• keep confidential information secure and not disclose or publish information except when authorized or as required by law

On termination of employment, all employees must return all confidential information and must permanently erase all confidential stored on any device.

Dovetail conducts background checks for all new hires via Checked. Checked performs a Nationally Coordinated Criminal History Check that verifies the following information:

• Identity certification

• Disclosable court outcomes

• Pending charges

In addition to background checks, Dovetail also verifies the prior employment history before an offer of employment is made to new hires.