Go to app
Log inGet Dovetail free


OverviewChannelsMagicIntegrationsEnterpriseInsightsAnalysisPricingLog in


About us

© Dovetail Research Pty. Ltd.

TermsPrivacy Policy
Help centerSecurityArticle

Data security and privacy

Last updated15 May 2024
Read time6 min


Data encryption

Dovetail utilizes industry-standard practices concerning the encryption of data when stored and while in transmission. Dovetail also have a documented cryptography policy that outlines the requirements for encrypting data and transmissions.

Encryption at rest

All data, including backups, is encrypted at-rest using AES-256 encryption.

Encryption in transit

Data is encrypted while moving between us and the browser with Transport Level Security (TLS) 1.2.

Secure Sockets Layer

Secure Sockets Layer (SSL) certificates are issued and managed through Amazon Web Services, and HTTP Strict Transport Security (HSTS) is enabled. We score an A+ rating on Qualys SSL Labs tests.

Key management

Amazon Web Services (AWS) stores and manages data cryptography keys in its redundant and globally distributed Key Management Service (KMS). AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys.

Data retention

Deleting data

Users can delete projects and project data within Dovetail if they have the correct access rights. Deleted project data is kept in a "trash" facility within the application and can be restored for up to 30 days before it is permanently deleted. It can take up to 60 days for all data to be removed from backups.

Deleting workspaces

Users can delete their entire Dovetail workspace if they have the correct access rights. This will delete all data that you have provided to Dovetail. It can take up to 60 days for all data to be removed from backups.

Subscription cancelation

Following the cancellation of a Dovetail subscription, you will have at least 30 days to download your customer data from Dovetail. After this period, we have no obligation to maintain or provide any customer data to you. We may delete all customer data provided to us after this period.

Free subscriptions

For Free Plans, Customer Data will be retained on the Services until Customer cancels their Service Plan (in accordance with Section 8.3 of our Master Subscription Agreement.) Dovetail reserves the right to, upon prior written notice to Customer, delete accounts for Free Plans (and all Customer Data contained therein) that have been inactive for more than 60 days.


To support delivery of our Services, Dovetail may engage and use data processors with access to certain Customer Data or Personal Information (each, a “Subprocessor”). This page provides information about each Subprocessor.

Visit our trust center

Please visit our trust center to see our current list of subprocessors, and sign up to receive updates about any future changes.

Trust center

Data breach disclosure

Data breaches are an unfortunate reality that affect several organizations every year.

As a result, Dovetail is committed to taking all commercially reasonable measures to secure your customer data. This is why we are overwhelmingly transparent and about our security practices to give you the confidence in our infrastructure, processes, tooling, and policies to safeguard your data.

Dovetail has not had an identified data breach since commencing operations. In the unlikely event of a data breach, Dovetail is prepared to take steps to limit the effects of any data breach and to assist any customers potentially affected by a data breach with meeting their obligations under law.

Data breach definition

Dovetail defines a data breach as any accidental or unlawful destruction, loss, alteration or unauthorized disclosure of access to customer data.


Dovetail will notify customers without undue delay after becoming aware of a data breach. Customers will be contacted by email and phone (when provided), and followed by multiple periodic updates throughout each day addressing progress and impact.

Australian Privacy Act

As an Australian-based business, Dovetail is obligated to comply with the Australian Privacy Act. Under the Notifiable Data Breaches scheme Dovetail must notify individuals about an eligible data breach when:

  • there is unauthorized access to or unauthorized disclosure of personal information, or a loss of personal information, that Dovetail holds

  • this is likely to result in serious harm to one or more individuals, and

  • Dovetail hasn't been able to prevent the likely risk of serious harm with remedial action

Logical separation

Dovetail utilizes a multi-tenant architecture where all customers share the same computing resources. Logical separation of data between customers and correct access is enforced through PostgreSQL Row Level Security (RLS). Transaction-scoped configuration variables are leveraged in RLS policies to ensure the correct access permissions.

Software development life cycle

Dovetail maintains documented Software Development Life Cycle (SDLC) policies and procedures to guide developers in implementing and documenting application and infrastructure changes.

Development environments

All code is deploy and tested in a staging (development) environment that is functionality equivalent to production environments. Dovetail performs testing and quality assurance procedures in this staging environment before releasing to the production environment that is used by customers. No customer data is ever used or accessible from staging or local development environments.

Version control

Dovetail employs Git version control to maintain source code versions and manage the migration of source code through the development process through to release. Using a decentralized version control allows multiple developers to work simultaneously on features, bug fixes, and new releases; it also allows each developer to work on their own local code branches in a local environment. Git maintains a history of code changes, supports rollback capabilities and tracks changes to individually identifiable developers.

All code is written, tested, and saved in a local repository before being synced to the origin repository. Writing code locally decouples the developer from the production version of the Dovetail code base and insulates Dovetail from accidental code changes that could affect users. Any changes involving the persistence layer (database) are performed locally when developing new code, where errors or bugs can be spotted before the change is deployed to users.

Code review

Code changes are managed and reviewed through Git pull requests. Every pull request is manually reviewed and approved by two developers before it can be merged. Automatic and integrated testing is also performed with each pull request, and all tests must pass before a code change can be merged.

Developers are trained in evaluating code for security defects as part of code review, and automatic testing is employed to test against common security defects.

Security bugs

Security bugs represent key issues and should be resolved quickly to maintain the security, confidentiality, privacy, processing integrity, and availability of the Dovetail service. Dovetail has SLAs in place to enforce compliance with resolving security bugs within reasonable timelines.

Give us feedback

Was this article useful?


OverviewChannelsMagicIntegrationsEnterpriseInsightsAnalysisPricingLog in


About us
© Dovetail Research Pty. Ltd.
TermsPrivacy Policy

Log in or sign up

Get started for free


By clicking “Continue with Google / Email” you agree to our User Terms of Service and Privacy Policy