Dovetail utilizes industry-standard cloud infrastructure vendors to provide the Dovetail service. Dovetail's infrastructure is primarily managed through Amazon Web Services, and is complemented by additional secondary infrastructure vendors to provide specific features within the Dovetail web application, like natural language processing and transcription.
Principally, the Dovetail web application leverages Amazon Web Services for infrastructure hosting.
The Dovetail web application is hosted in the Amazon Web Services us-east-1 region located in North Virginia, United States.
Amazon Web Services has been granted formal certification, attestation, and audit reports for ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, and more – the full list of compliance resources is available on the Amazon Web Services Security page.
Dovetail also makes use of secondary cloud infrastructure providers to process data for specific features of the web application. The use of these features is optional within the web application.
Data is sent to these providers temporarily and stored for a brief period of time in order to perform the functionality of the feature, and is subsequently permanently deleted after the functionality has been performed. No data is permanently stored or hosted within these infrastructure providers.
Dovetail utilizes Rev.ai for automated audio transcription. Upon use of the Dovetail web application’s automated transcription feature, the audio file to be transcribed is sent to Rev.ai. All communication with Rev.ai is encrypted in transit using HTTPS and Transport Layer Security 1.2. Audio files temporarily stored with Rev.ai are encrypted at rest.
Audio files sent to Rev.ai for transcription are deleted immediately, through an explicit deletion request, after the finalized transcript is received by the Dovetail web application. In addition to this, an automated deletion policy has been configured to automatically delete all completed transcription jobs sent to Rev.ai every 24 hours.
All Rev.ai data is hosted and processed using Amazon Web Services facilities in the United States – this is the same environment as described above for the primary infrastructure provider.
All Dovetail employees have limited access to Dovetail infrastructure and systems, and access is always provisioned on a minimum-necessary, least-privilege basis.
Access is only granted on a need-to-use basis, based on the responsibilities and duties of the employee.
Dovetail employs database roles to obscure all customer data and prevent access to it during day-to-day operations. During a support case, if it is absolutely necessary to view customer data to troubleshoot the issue, we will seek written permission from the customer first via email. Access to unobfuscated data must be approved by a manager and is only granted temporarily on a need-to-use basis.
Every Dovetail employee has unique authentication details that identify them when accessing infrastructure systems, assets, and applications. Multi-factor authentication is enforced and passwords must be rotated every 90 days.
Dovetail utilizes Amazon Web Services as the principal web application infrastructure. Amazon Web Services data centers feature a layered security model, including extensive safeguards such as:
custom-designed electronic access cards
motion alarms and sensors
Dovetail employees do not have physical access to Amazon Web Services data centers, servers, network equipment, or storage.
Dovetail has vulnerability management policies and procedures in place that describe how we monitor for new vulnerabilities and enforce timelines and processes for remediation.
Dovetail utilizes a number of services to perform internal vulnerability scanning and package monitoring on a continuous basis.
Dovetail employs automated and integrated security scans of the web application through Detectify. Automated scans occur at least daily and any detected vulnerabilities immediately notify the engineering team.
Dovetail subscribes to GitHub's security alerts program. If GitHub detects a vulnerability from the GitHub Advisory Database or WhiteSource in one of the web application's dependencies, the engineering team is notified.
Dovetail utilizes Kandji for fleet management and endpoint security. Kandji automatically configures employee hardware in accordance with our asset management policy.
Dovetail utilizes Amazon ECR image scanning to identify vulnerabilities in container images. Amazon ECR image scanning uses the Common Vulnerabilities and Exposures (CVE) database from the open-source Clair project to scan for and alert on known container vulnerabilities.
Dovetail utilizes Vanta to scan and monitor for package vulnerabilities. Vanta enforces compliance with vulnerability SLAs based on severity.
Dovetail defines the severity of an issue via industry-recognized Common Vulnerability Scoring System (CVSS) scores, which all modern scanning and continuous monitoring systems utilize. The CVSS provides a way to capture the characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
Low severity vulnerabilities are likely to have very little impact on the business, perhaps because they require local system access.
Medium severity vulnerabilities usually require the same local network or user privileges to be exploited.
High severity vulnerabilities are typically difficult to exploit but could result in escalated privileges, significant data loss, and/or downtime.
Critical severity vulnerabilities likely lead to root level compromise of servers, applications, and other infrastructure components. If a critical vulnerability cannot be addressed within timelines as defined, an incident response ticket will be opened, documenting what interim remediation has been made.
When a vulnerability is detected and verified, the engineering team will remediate it within the SLA for its severity. Compliance with vulnerability SLAs is enforced via Vanta and tracked using Clubhouse.
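The severity-to-SLA procedure above (score a finding with CVSS, translate the score into a qualitative rating, remediate within the SLA for that rating, and open an incident ticket when a critical finding misses its deadline) is shown below as an added example; it is not Dovetail's own tooling. The score ranges are the qualitative rating scale from the CVSS v3.x specification. The SLA day counts in `SLA_DAYS` are assumed placeholder values, since the page says SLAs exist per severity but does not publish the timelines, and the findings list is constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# CVSS v3.x qualitative severity rating scale: (inclusive low, inclusive high, name).
CVSS_RATINGS = (
    (0.0, 0.0, "none"),
    (0.1, 3.9, "low"),
    (4.0, 6.9, "medium"),
    (7.0, 8.9, "high"),
    (9.0, 10.0, "critical"),
)

# Remediation SLA in days per rating. ASSUMED placeholder values: the page states
# that SLAs are defined per severity but does not publish the actual timelines.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def cvss_rating(score: float) -> str:
    """Map a CVSS base score (0.0-10.0, one decimal) to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    score = round(score, 1)
    for low, high, name in CVSS_RATINGS:
        if low <= score <= high:
            return name
    raise AssertionError("unreachable: scale covers 0.0-10.0")


@dataclass
class Finding:
    id: str
    cvss: float
    detected: datetime
    resolved: Optional[datetime] = None


def deadline(f: Finding) -> Optional[datetime]:
    """Remediation deadline for a finding, or None for informational (score 0.0)."""
    rating = cvss_rating(f.cvss)
    if rating == "none":
        return None
    return f.detected + timedelta(days=SLA_DAYS[rating])


def sla_status(f: Finding, now: datetime) -> str:
    """One of: informational, open, overdue, met, breached."""
    due = deadline(f)
    if due is None:
        return "informational"
    if f.resolved is not None:
        return "met" if f.resolved <= due else "breached"
    return "overdue" if now > due else "open"


def overdue_findings(findings: List[Finding], now: datetime) -> List[str]:
    """IDs of findings that are past their SLA (still open, or closed late)."""
    return [f.id for f in findings if sla_status(f, now) in ("overdue", "breached")]


def needs_incident_ticket(findings: List[Finding], now: datetime) -> List[str]:
    """Critical findings still unresolved past their deadline, per the policy text."""
    return [
        f.id for f in findings
        if cvss_rating(f.cvss) == "critical" and sla_status(f, now) == "overdue"
    ]


# Constructed sample findings; IDs and scores are illustrative only.
SAMPLE_FINDINGS = [
    Finding("F-1", 9.8, datetime(2024, 1, 1)),                            # critical, unresolved
    Finding("F-2", 7.5, datetime(2024, 1, 1)),                            # high, unresolved
    Finding("F-3", 5.3, datetime(2023, 10, 1), datetime(2023, 12, 1)),    # medium, closed on time
    Finding("F-4", 3.1, datetime(2023, 6, 1), datetime(2024, 1, 5)),      # low, closed late
]
SAMPLE_NOW = datetime(2024, 1, 10)

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.id, cvss_rating(f.cvss), sla_status(f, SAMPLE_NOW))
    print("overdue:", overdue_findings(SAMPLE_FINDINGS, SAMPLE_NOW))
    print("incident tickets needed:", needs_incident_ticket(SAMPLE_FINDINGS, SAMPLE_NOW))
```

Closed-late findings are reported separately from still-open ones so that SLA compliance can be measured historically, not just as a current backlog; that is the distinction a compliance tracker such as the one the page mentions needs in order to report breaches.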
This policy governs how security researchers should raise security concerns with us, and how we will respond.
Data security is a top priority for Dovetail, and we believe that working with skilled security researchers can identify weaknesses in any technology.
If you believe you’ve found a security vulnerability in our service, please notify us; we will work with you to resolve the issue promptly.
If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at firstname.lastname@example.org. We will acknowledge your email within ten business days.
Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within one week of disclosure.
Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Dovetail service. Please only interact with accounts you own or for which you have explicit permission from the account holder.
While researching, we’d like you to refrain from:
Distributed Denial of Service (DDoS).
Automated penetration tests or vulnerability scans.
Social engineering or phishing of Dovetail employees or contractors.
Any attacks against Dovetail’s physical property or data centers.
The Dovetail application and infrastructure use industry-standard tooling and multiple logging layers to monitor application health and alert the engineering team when something is not working as expected.
Dovetail utilizes Sentry, Amazon CloudWatch Logs, and Datadog for application logging and monitoring to help diagnose and fix issues within Dovetail. Application error logs are stored in Sentry for 30 days and are used to help investigate issues raised by automatic alarms from Sentry, CloudWatch, and Datadog.
Dovetail utilizes Amazon CloudWatch and Datadog to log, monitor, and alert on resource allocation and operational performance of the infrastructure of the Dovetail web application. Infrastructure logs are stored for 365 days.
Dovetail utilizes Amazon CloudTrail to enable governance, compliance, and operational risk auditing of operations and actions taken on Amazon infrastructure and services. Audit logs are stored indefinitely.
Dovetail also utilizes Vanta to help monitor security-related events and misconfigurations. Examples include new user accounts in our IdP, employee account permission changes, publicly accessible infrastructure, IP-based rate limits, and logging not enabled on relevant resources.
Dovetail employs industry-standard techniques for detecting and preventing possible intrusions. Detected intrusions can result in escalation through incident response procedures.
Dovetail utilizes Amazon GuardDuty as an Intrusion Detection System (IDS) and as an Intrusion Prevention System (IPS).
GuardDuty continuously monitors for malicious activity and unauthorized behavior to protect Amazon Web Services accounts, workloads, and data stored in Amazon S3. GuardDuty employs machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.
Dovetail is protected by Amazon's web application firewall (WAF), which assists in blocking common web exploits and attack patterns. Dovetail manages a number of firewall rules, including rules that address issues like the OWASP Top 10 security risks.
The Dovetail web application employs login-attempt rate limiting with automated account lockout and secure password reset practices to protect against brute-force attacks. We also maintain a large email domain blacklist to prevent malicious actors and spam.
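The login-attempt throttle described above, as an added example that is not Dovetail's own code: failed attempts per account are counted in a sliding window, the account is locked once the threshold is reached, a correct password is still rejected while the lock is active, and the lock is cleared either by expiry or by a completed password reset. The thresholds (`max_attempts`, `window_seconds`, `lockout_seconds`), the `LoginThrottle` class and the `FakeClock` helper are all assumptions made for the example; the caller is assumed to have already verified the password hash and pass the result in as `credentials_valid`.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict


class FakeClock:
    """Controllable clock so the throttle can be exercised deterministically (test helper)."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class LoginThrottle:
    """Sliding-window failed-login counter with automatic per-account lockout.

    Threshold values are illustrative assumptions, not Dovetail's configuration.
    """

    def __init__(
        self,
        max_attempts: int = 5,
        window_seconds: float = 300.0,
        lockout_seconds: float = 900.0,
        clock: Callable[[], float] = time.monotonic,
    ) -> None:
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def remaining_lockout(self, account: str) -> float:
        """Seconds until the account unlocks; 0.0 when it is not locked."""
        return max(0.0, self._locked_until.get(account, 0.0) - self.clock())

    def _prune(self, account: str, now: float) -> Deque[float]:
        q = self._failures[account]
        while q and q[0] < now - self.window:
            q.popleft()
        return q

    def attempt(self, account: str, credentials_valid: bool) -> str:
        """Returns "locked", "ok" or "failed". Locked accounts are refused before
        the credential result is even considered, so guessing cannot continue."""
        now = self.clock()
        if self.remaining_lockout(account) > 0:
            return "locked"
        if credentials_valid:
            self._failures.pop(account, None)
            self._locked_until.pop(account, None)
            return "ok"
        q = self._prune(account, now)
        q.append(now)
        if len(q) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout
            q.clear()
            return "locked"
        return "failed"

    def reset_after_password_reset(self, account: str) -> None:
        """Clear the lock once the account holder completes a verified password reset."""
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(max_attempts=3, window_seconds=60, lockout_seconds=300, clock=clock)
    for _ in range(3):
        print(throttle.attempt("alice", False))   # failed, failed, locked
    print(throttle.attempt("alice", True))         # locked: correct password still refused
    clock.advance(301)
    print(throttle.attempt("alice", True))         # ok: lock expired
```

Keying the counter on the account name is what produces "account lockout"; a production deployment would normally pair it with a per-source-address limit at the WAF or load balancer so that an attacker cannot lock legitimate users out by design, and would log each lockout event to the monitoring stack described earlier.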