Join thousands of product people at Insight Out Conf on April 11. Register free.

Learn
Help docs
Get in touch

Go to app
Log inStart free

Product

InsightsAnalysisAutomationIntegrationsEnterprisePricingLog in

Company

About us
Careers9
Legal

© Dovetail Research Pty. Ltd.

TermsPrivacy Policy
Help centerSecurityArticle

Data security and privacy

Last updated13 March 2024
Read time7 min

Table of contents


Data encryption

Dovetail utilizes industry-standard practices concerning the encryption of data when stored and while in transmission. Dovetail also have a documented cryptography policy that outlines the requirements for encrypting data and transmissions.

Encryption at rest

All data, including backups, is encrypted at-rest using AES-256 encryption.

Encryption in transit

Data is encrypted while moving between us and the browser with Transport Level Security (TLS) 1.2.

Secure Sockets Layer

Secure Sockets Layer (SSL) certificates are issued and managed through Amazon Web Services, and HTTP Strict Transport Security (HSTS) is enabled. We score an A+ rating on Qualys SSL Labs tests.

Key management

Amazon Web Services (AWS) stores and manages data cryptography keys in its redundant and globally distributed Key Management Service (KMS). AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys.


Data retention

Deleting data

Users can delete projects and project data within Dovetail if they have the correct access rights. Deleted project data is kept in a "trash" facility within the application and can be restored for up to 30 days before it is permanently deleted. It can take up to 60 days for all data to be removed from backups.

Deleting workspaces

Users can delete their entire Dovetail workspace if they have the correct access rights. This will delete all data that you have provided to Dovetail. It can take up to 60 days for all data to be removed from backups.

Subscription cancelation

Following the cancellation of a Dovetail subscription, you will have at least 30 days to download your customer data from Dovetail. After this period, we have no obligation to maintain or provide any customer data to you. We may delete all customer data provided to us after this period.

Free subscriptions

For Free Plans, Customer Data will be retained on the Services until Customer cancels their Service Plan (in accordance with Section 8.3 of our Master Subscription Agreement.) Dovetail reserves the right to, upon prior written notice to Customer, delete accounts for Free Plans (and all Customer Data contained therein) that have been inactive for more than 60 days.


Subprocessors

To support delivery of our Services, Dovetail may engage and use data processors with access to certain Customer Data or Personal Information (each, a “Subprocessor”). This page provides information about each Subprocessor. Please email security@dovetail.com if you have any questions.

Amazon Web Services aws.amazon.com

  • Location: Seattle, United States (or Ireland where Customer elects to store certain workspace data in the EU – see further information about our data storage options

    here).

  • Security certifications: Privacy Shield, ISO27001, SOC3.

  • Data processed: Anonymized content, email address, IP address.

  • Use: Data storage, backups, CDN, DNS, SSL, domain management, emails.

  • DPA signed: Yes – incorporated into terms.

Delighted delighted.com

  • Location: Palo Alto, United States.

  • Security certifications: None.

  • Data processed: User name, user email address, survey responses.

  • Use: Recurring customer satisfaction survey.

  • DPA signed: Yes – 12 May 2020.

Rev rev.com

  • Location: San Francisco, United States (or Ireland where Customer elects to store certain workspace data in the EU – see further information about our data storage options here).

  • Security certifications: None.

  • Data processed: User-added content (when using transcription).

  • Use: Audio and video transcription.

  • DPA signed: Yes – 17 April 2020.

Stripe stripe.com

  • Location: San Francisco, United States.

  • Security certifications: PCI.

  • Data processed: Billing contact name, email, address, card details.

  • Use: Payment processing and subscription management.

  • DPA signed: Yes – 18 December 2020.

Twilio twilio.com

  • Location: San Francisco, United States.

  • Security certifications: Privacy Shield, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 2 Type 2.

  • Data processed: User name, email address, IP address, analytics.

  • Use: Product analytics.

  • DPA signed: Yes – 15 April 2020 (assigned from Segment)

Vero getvero.com

  • Location: Sydney, Australia.

  • Security certifications: None.

  • Data processed: User name, email address.

  • Use: Marketing and transactional emails.

  • DPA signed: Yes – 15 April 2020.


Data breach disclosure

Data breaches are an unfortunate reality that affect several organizations every year.

As a result, Dovetail is committed to taking all commercially reasonable measures to secure your customer data. This is why we are overwhelmingly transparent and about our security practices to give you the confidence in our infrastructure, processes, tooling, and policies to safeguard your data.

Dovetail has not had an identified data breach since commencing operations. In the unlikely event of a data breach, Dovetail is prepared to take steps to limit the effects of any data breach and to assist any customers potentially affected by a data breach with meeting their obligations under law.

Data breach definition

Dovetail defines a data breach as any accidental or unlawful destruction, loss, alteration or unauthorized disclosure of access to customer data.

Notification

Dovetail will notify customers without undue delay after becoming aware of a data breach. Customers will be contacted by email and phone (when provided), and followed by multiple periodic updates throughout each day addressing progress and impact.

Australian Privacy Act

As an Australian-based business, Dovetail is obligated to comply with the Australian Privacy Act. Under the Notifiable Data Breaches scheme Dovetail must notify individuals about an eligible data breach when:

  • there is unauthorized access to or unauthorized disclosure of personal information, or a loss of personal information, that Dovetail holds

  • this is likely to result in serious harm to one or more individuals, and

  • Dovetail hasn't been able to prevent the likely risk of serious harm with remedial action


Logical separation

Dovetail utilizes a multi-tenant architecture where all customers share the same computing resources. Logical separation of data between customers and correct access is enforced through PostgreSQL Row Level Security (RLS). Transaction-scoped configuration variables are leveraged in RLS policies to ensure the correct access permissions.


Software development life cycle

Dovetail maintains documented Software Development Life Cycle (SDLC) policies and procedures to guide developers in implementing and documenting application and infrastructure changes.

Development environments

All code is deploy and tested in a staging (development) environment that is functionality equivalent to production environments. Dovetail performs testing and quality assurance procedures in this staging environment before releasing to the production environment that is used by customers. No customer data is ever used or accessible from staging or local development environments.

Version control

Dovetail employs Git version control to maintain source code versions and manage the migration of source code through the development process through to release. Using a decentralized version control allows multiple developers to work simultaneously on features, bug fixes, and new releases; it also allows each developer to work on their own local code branches in a local environment. Git maintains a history of code changes, supports rollback capabilities and tracks changes to individually identifiable developers.

All code is written, tested, and saved in a local repository before being synced to the origin repository. Writing code locally decouples the developer from the production version of the Dovetail code base and insulates Dovetail from accidental code changes that could affect users. Any changes involving the persistence layer (database) are performed locally when developing new code, where errors or bugs can be spotted before the change is deployed to users.

Code review

Code changes are managed and reviewed through Git pull requests. Every pull request is manually reviewed and approved by two developers before it can be merged. Automatic and integrated testing is also performed with each pull request, and all tests must pass before a code change can be merged.

Developers are trained in evaluating code for security defects as part of code review, and automatic testing is employed to test against common security defects.

Security bugs

Security bugs represent key issues and should be resolved quickly to maintain the security, confidentiality, privacy, processing integrity, and availability of the Dovetail service. Dovetail has SLAs in place to enforce compliance with resolving security bugs within reasonable timelines.

Give us feedback

Was this article useful?


Your customer insights hub

Turn data into actionable insights. Bring your customer into every decision.

Start free

Product

InsightsAnalysisAutomationIntegrationsEnterprisePricingLog in

Company

About us
Careers9
Legal

© Dovetail Research Pty. Ltd.
TermsPrivacy Policy

Log in or sign up

Get started for free


or


By clicking “Continue with Google / Email” you agree to our User Terms of Service and Privacy Policy