Join thousands of product people at Insight Out Conf on April 11. Register free.

Learn
Help docs
Get in touch

Go to app
Log inTry for free

Product

InsightsAnalysisAutomationIntegrationsEnterprisePricingLog in

Company

About us
Careers9
Legal

© Dovetail Research Pty. Ltd.

TermsPrivacy Policy
Help centerSecurityArticle

Infrastructure and application security

Last updated29 September 2023
Read time8 min

Table of contents


Application infrastructure

Dovetail utilizes industry-standard cloud infrastructure vendors to provide the Dovetail service. Dovetail's infrastructure is primarily managed through Amazon Web Services, and is complemented by additional secondary infrastructure vendors to provide specific features within the Dovetail web application, like natural language processing and transcription.

Primary infrastructure

Principally, the Dovetail web application leverages Amazon Web Services for infrastructure hosting.

The Dovetail web application is hosted in the Amazon Web Services us-east-1 region located in North Virginia, United States.

Amazon Web Services has been granted formal certification, attestation, and audit reports for ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, and more – the full list of compliance resources is available on the Amazon Web Services Security page.

Feature-specific infrastructure

Dovetail also makes use of secondary cloud infrastructure providers to process data for specific features of the web application. The use of these features is optional within the web application.

Data is sent to these providers temporarily and stored for a brief period of time in order to perform the functionality of the feature, and is subsequently permanently deleted after the functionality has been performed. No data is permanently stored or hosted within these infrastructure providers.

Automated audio transcription

Dovetail utilizes Rev.ai for automated audio transcription. Upon use of the Dovetail web application’s automated transcription feature, the audio file to be transcribed is sent to Rev.ai. All communication with Rev.ai is encrypted in transit using HTTPS and Transport Layer Security 1.2. Audio files temporarily stored with Rev.ai are encrypted at rest.

Audio files sent to Rev.ai for transcription are deleted immediately through explicit request after the finalized transcript is received by the Dovetail web application. In addition this, an automated deletion policy has been configured to automatically delete all completed transcription jobs sent to Rev.ai every 24 hours.

All Rev.ai data is hosted and processed using Amazon Web Services facilities in the United States – this is the same environment that described above as the primary infrastructure provider.


Access controls

All Dovetail employees have limited access to Dovetail infrastructure and systems and access is always provisioned on a minimum-necessary, least-privilege, basis.

Access is only granted on a need-to-use basis, based on the responsibilities and duties of the employee.

Obfuscated data

Dovetail employs database roles to obscure all customer data to prevent access during day to day operations. During a support case, if it is absolutely necessary to view customer data to troubleshoot the issue, we will seek written permission from the customer first via email. Access to unobfuscated data must be approved by a manager and is only granted temporarily on a need-to-use-basis.

Authentication

Every Dovetail employee has unique authentication details that identify them when accessing infrastructure systems, assets, and applications. Multi-factor authentication is enforced and passwords must be rotated every 90 days.

Physical controls

Dovetail utilizes Amazon Web Services as the principal web application infrastructure. Amazon Web Services data centers feature a layered security model, including extension safeguards such as:

  • custom-designed electronic access cards

  • motion alarms and sensors

  • video surveillance

  • perimeter fencing

  • metal detectors

  • biometrics

Dovetail employees do not have physical access to Amazon Web Services data centers, servers, network equipment, or storage.


Vulnerability management

Dovetail has vulnerability management policies and procedures in place to describe how we monitor for new vulnerabilities, enforce timelines and processes for remediation.

Scanning and detection

Dovetail utilizes a number of services to perform internal vulnerability scanning and package monitoring on a continuous basis.

Detectify

Dovetail employs automated and integrated security scans of the web application through Detectify. Automated scans occur at least daily and any detected vulnerabilities immediately notify the engineering team.

Security advisories

Dovetail subscribes to GitHub's security alerts program. If GitHub detects a vulnerability from the GitHub Advisory Database or WhiteSource in one of the web application's dependencies, the engineering team is notified.

Kandji

Dovetail utilizes Kandji for fleet management and endpoint security. Kandji automatically configures employee hardware in accordance with our asset management policy.

Image scanning

Dovetail utilizes Amazon ECR image scanning to identify vulnerabilities in container images. Amazon ECR image scanning uses the Common Vulnerabilities and Exposures (CVEs) from the open-source Clair project to scan and alert on known container vulnerabilities.

Vanta

Dovetail utilizes Vanta to scan and monitor for package vulnerabilities. Vanta enforces compliance with vulnerability SLAs based on severity.


Severity and timing

Dovetail defines the severity of an issue via industry-recognized Common Vulnerability Scoring System (CVSS) scores, which all modern scanning and continuous monitoring systems utilize. The CVSS provides a way to capture the characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

Low Severity - 0.1 - 3.9

Low severity vulnerabilities are likely to have very little impact on the business, perhaps because they require local system access.

Medium Severity - 4.0 - 6.9

Medium severity vulnerabilities usually require the same local network or user privileges to be exploited.

High Severity - 7.0 - 8.9

High severity vulnerabilities are typically difficult to exploit but could result in escalated privileges, significant data loss, and/or downtime.

Critical Severity - 9.0 - 10.0

Critical severity vulnerabilities likely lead to root level compromise of servers, applications, and other infrastructure components. If a critical vulnerability cannot be addressed within timelines as defined, an incident response ticket will be opened, documenting what interim remediation has been made.


Remediation process

When a vulnerability is detected and verified, the engineering team will remediate vulnerabilities within the SLA depending on the severity. Compliance of vulnerability SLAs is enforced via Vanta and tracked using Clubhouse.


Vulnerability disclosure

This policy governs how security researchers should raise security concerns with us, and how we will respond.

Data security is a top priority for Dovetail, and we believe that working with skilled security researchers can identify weaknesses in any technology.

If you believe you’ve found a security vulnerability in our service, please notify us; we will work with you to resolve the issue promptly.

Disclosing a weakness

  • If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at security@dovetail.com. We will acknowledge your email within ten business days.

  • Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within one week of disclosure.

  • Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Dovetail service. Please only interact with accounts you own or for which you have explicit permission from the account holder.

Exclusions

While researching, we’d like you to refrain from:

  • Distributed Denial of Service (DDoS).

  • Spamming.

  • Automated penetration tests or vulnerability scans.

  • Social engineering or phishing of Dovetail employees or contractors.

  • Any attacks against Dovetail’s physical property or data centers


Logging and monitoring

Dovetail application and infrastructure uses industry-standard tooling and multiple logging layers to monitor the application health and alert the engineering team when something is not working as expected.

Application logging

Dovetail utilizes Sentry, Amazon CloudWatch Logs, and Datadog for application logging and monitoring to help diagnose and fix issues within Dovetail. Application error logs are stored in Sentry for 30 days and are used to help investigate issues raised from automatic alarms raised via Sentry, Cloudwatch, and Datadog.

Infrastructure logging

Dovetail utilizes Amazon CloudWatch and Datadog to log, monitor, and alert on resource allocation and operational performance of the infrastructure of the Dovetail web application. Infrastructure logs are stored for 365 days.

Audit logging

Dovetail utilizes Amazon CloudTrail to enable governance, compliance, and operational risk auditing of operations and actions taken on Amazon infrastructure and services. Audit logs are stored indefinitely.

Dovetail also utilizes Vanta to help monitor security related events and misconfigurations. Examples include new user accounts in our IdP, employee account permission changes, publicly accessible infrastructure, IP-based rate limits, and logging not enabled on relevant resources.


Intrusion detection and prevention

Dovetail employs industry-standard techniques for detecting and preventing possible intrusions. Detected intrusions can result in escalation through incident response procedures.

IDS & IPS

Dovetail utilizes Amazon GuardDuty as an Intrusion Detection System (IDS) and as an Intrusion Prevention System (IPS).

GuardDuty continuously monitors for malicious activity and unauthorized behavior to protect Amazon Web Services accounts, workloads, and data stored in Amazon S3. GuardDuty employs machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.

Firewall

Dovetail is protected by Amazon's web application firewall (WAF) and assists in blocking common web exploits and attack patterns. Dovetail manages a number of firewall rules, including rules that address issues like the OWASP Top 10 security risks.

Brute force prevention

The Dovetail web application employs log in attempt rate limited with automated account lockout and secure password reset practices to prevent against brute force attacks. We also maintain a large email domain blacklist to prevent malicious actors and spam.

Give us feedback

Was this article useful?


Your customer insights hub

Turn data into actionable insights. Bring your customer into every decision.

Try for free

Product

InsightsAnalysisAutomationIntegrationsEnterprisePricingLog in

Company

About us
Careers9
Legal

© Dovetail Research Pty. Ltd.
TermsPrivacy Policy

Log in or sign up

Get started with a free trial


or


By clicking “Continue with Google / Email” you agree to our User Terms of Service and Privacy Policy