Go to app
Log inGet Dovetail free


OverviewChannelsMagicIntegrationsEnterpriseInsightsAnalysisPricingLog in


About us

© Dovetail Research Pty. Ltd.

TermsPrivacy Policy
Help centerSecurityArticle

Security information

Last updated26 May 2024
Read time10 min


What is Dovetail?

Dovetail is a cloud-based user research and customer feedback software for analysis, organization, collaboration and storage of user and customer data. With Dovetail, researchers, analysts, designers, and product managers can store user research data in one place, analyze qualitative data to discover patterns and insights, and share research findings with the rest of their organization.

What data does Dovetail store?

When provisioning a user account, users must provide personal information such as their email address, full name, and optionally, a profile photo.

While using the services, authorized users can upload, import via CSV or Zapier, or directly enter any data such as text, images, audio, video, or any other files.

To best understand the data that you expect to store in Dovetail, we recommend talking to the individuals and end-users who will be using Dovetail. Most Dovetail customers will store research data such as interview recordings, transcripts, survey responses, customer feedback, photographs, and other research data. The data that you enter into Dovetail may vary depending on the use cases of your individual end-users.

What are Dovetail's security features?

Authentication options and SSO

Dovetail offers multiple ways to log in to a workspace including SSO.

  • Users can authenticate to Dovetail on all plans via Google, Microsoft, or by setting a unique password.

  • Enterprise workspaces have the ability to allow their users to log in or sign up using specific authentication options by enabling or disabling options to their desired configuration.

  • Enterprise admins can also configure an SSO integration with Auth0, Azure Active Directory, Okta, Google or any other identity provider that supports OpenID Connect.


Dovetail employs industry-standard techniques for password management, encryption, storage, complexity, and reset.

  • Encryption and storage - The Dovetail web application user authentication system uses

    Bcrypt to hash and salt user passwords. Each password has a uniquely generated salt, and the 'pepper' is stored independently from the database.

  • Complexity standard - The Dovetail web application enforces a strong password complexity standard and require user passwords to have at least 12 characters, 1 lower case character, 1 upper case character, 1 number and 1 special character.

  • Failed login attempts - The Dovetail web application prevents brute force attacks (for password based authentication) by locking the targeted user account after 5 failed attempts. A notification email is sent to the user that includes a link that can be used to unlock the account.

  • Secure reset - In the event that a user forgets their password, a user can request their password be reset via a link that is sent to the user's verified email address. This link expires within a limited amount of time if not used.

  • Password managers - Dovetail encourages customers and users to leverage a password manager to maintain, store, and fill strong passwords when using Dovetail.

Sharing and access control

  • We've made it easy to effortlessly share, edit, and collaborate on projects with your team in Dovetail. With the ability to assign various access levels, you have full control over how others can access and interact with your data. Learn how to configure sharing and access controls

Domain allow listing

  • Dovetail workspaces can be configured to add another level of security by restricting user provisioning to verified email addresses at your approved domain names.

  • This prevents your users from inviting external users from outside of your organization and helps to enforce that your data is also accessed by those within your corporate network through your managed domains. Learn how to configure allowed domains for your workspace.

Session management

  • Dovetail provides the ability for individual users to manage the active sessions where they are logged into their account. Users can review their active sessions to proactively manage security of their account and prevent against unauthorized access.

  • For each logged in session we display the date, time, IP address, as well as the type of device used to access your account. Users also have the option to end any active session at any time.

Virus scanning

  • When a user attempts to download a file, Dovetail performs a virus scan. If a virus is detected, the file cannot be downloaded. The virus scanning excludes files processed by Dovetail, such as highlight reels and files larger than 100 MB. If the file cannot be scanned, we caution the user and allow them to download it after acknowledging the warning. We update our virus definitions daily.


  • Our HIPAA add-on is available for customers on the Enterprise plan and comes with access controls and features to help manage PHI, such as advanced restrictions on sharing, access, and data exporting. Key features include:

    • Ability for users to export CSV files disabled by default

    • Ability for users to download video files disabled by default

    • Public access to, and sharing of, insights disabled by default

    • Enforced authentication via SSO with email/password authentication disabled

    • All sub-processors processing ePHI have entered into a BAA with Dovetail

    • Ability to enter into a Business Associate Agreement (’BAA’) with Dovetail

  • While the Dovetail HIPAA workspace provides customers with greater access controls to help manage PHI, it is important to note that it is the responsibility of the workspace admin to control who within their organization has access to the contents of the workspace.

  • Please note that the transcription functionality in our HIPAA workspace is available in English language only.

Compliance and documentation

Security, reliability, privacy, and compliance is at the heart of everything we do at Dovetail. Ensuring the safety and privacy of your data is baked into everyday processes throughout our organization.

Trust center

Explore further security information, keep up-to-date with real-time monitoring and request access to Dovetail's security documentation on our trust center.

Open trust center

SOC 2 Type II

Dovetail has received a SOC 2 Type II report demonstrating that Dovetail has the appropriate controls in place to mitigate the risks related to security, availability and confidentiality.

A SOC 2 report is designed to meet the needs of customers who need assurance about the effectiveness of controls of a software vendor, like Dovetail. The report is the outcome of an audit performed by an independent third-party firm certified by the American Institute of CPAs (AICPA). The engagement was performed by BARR Advisory, P.A.

Dovetail was assessed against the AICPA's Trust Service Criteria of:

  • Security (also known as Common Criteria)

  • Availability

  • Confidentiality

Our recent Type II audit is the most robust type and set out to prove that we had controls in place for a sustained period of time, exhibiting reliable and consistent safeguards in place to protect our customer's data. Our reporting period concluded 31 December 2022.

Dovetail is committed to carrying out an annual SOC 2 audit.

Penetration testing

The testing follows a consistent and structured approach, and represents a point in time assessment of the nature and extent of potential or existing exposures that may lead to a compromise of the environment.

Testing is based on best practice methodologies, such as the Open Web Application Security Project (OWASP) guides (which goes beyond the OWASP Top 10 and includes 109 tests) and CWE/SANS Top 25 Most Dangerous Software Errors, in combination with other in-house developed processes and methodologies.

Dovetail has engaged CyberCX cybersecurity consultants to perform web application penetration testing on an ongoing basis.


All payments made to Dovetail are securely processed via Stripe. Stripe has been audited by an independent PCI Qualified Security Assessor (QSA) and is certified as a PCI Level 1 Service Provider. This is the most stringent level of certification available in the payments industry.

Security alliances

  • Cloud Security Alliance - Dovetail supports Cloud Security Alliance efforts to raise awareness of best practices to ensure secure cloud computing. Dovetail participates in the CSA Security, Trust & Assurance and Risk (STAR) provider certification program. You can review our registration on the STAR registry.

  • Vendor Security Alliance - Dovetail supports the Vendor Security Alliance initiative to standardize the vendor due diligence process. To assist with organizations who have adopted this standard, we have completed the Vendor Security Alliance (VSA) Core self-assessment questionnaire. Please contact us for a copy.

  • McAfee Enterprise-Ready - Dovetail has been awarded the McAfee Enterprise-Ready seal (formerly Skyhigh Networks Enterprise-Ready), having earned the highest CloudTrust rating possible based on attributes across the data, user and device, security, business, and legal evaluation categories.

Where does Dovetail store data?

We store data in Amazon Web Services (AWS) who is our primary infrastructure provider.

When creating a workspace in Dovetail, you can choose to store the data you upload to that workspace in the United States, Australia or Europe.

  • If you choose the United States, your workspace data will be stored in us-east-1 (North Virginia) or us-east-2 (Ohio).

  • If you choose Europe, your workspace data will be stored in eu-west-1 (Ireland).

  • If you choose Australia, your workspace data will be stored in ap-southeast-2 (Sydney).

Notwithstanding the selection you make regarding your workspace data, other categories of data (such as product analytics data, account billing and contact data, workspace URLs, access and operational logs, and support-related data) will continue to be transferred to, and stored in, the United States.

Additionally, where your workspace data is processed by one of our sub-processors, this data may continue to be processed outside the region you select, depending on the location of the relevant sub-processor or the function that the product requires.

How can I choose where my data is stored?

New workspaces created after 14 April 2023 are able to select whether they would like their workspace data stored in the United States, Australia or Europe.

This selection can be made when creating your workspace for the first time and cannot be changed afterwards.

  • Please note: When selecting United States, you will be automatically assigned to either us-east-1 (North Virginia) or us-east-2 (Ohio).

Can I change the region that my workspace’s data is stored in?

We do not support migrating workspaces across regions.

How can I view where my data is stored?

You can view which region your data is stored in by navigating to workspace details in workspace settings.

Will my data be secure if I use Dovetail AI?

We understand research data can contain a lot of personal information or commercially sensitive information, and participants trust you to keep it safe. That’s why we are committed to keeping this data secure and confidential.

We employ a number of technical and organizational measures to protect your data when you use Dovetail, and your use of our AI features is no exception. For example, we limit the number of sub-processors we use, and our AI features are powered by tailored AI infrastructure on top of Amazon Web Services (AWS).

You can read more about our data handling practices in our MSA (see in particular section 4, section 6 and section 11), our privacy policy, our data processing agreement, and our Dovetail trust center.

Do you fill out security assessments?

We understand that many organizations have vendor risk management processes in place, and we want to be transparent in how we operate, secure, and manage our services at Dovetail.

This is why we have published detailed information on topics such as product security features, infrastructure and network security, data security and privacy, business continuity and disaster recovery, corporate security, compliance, and more.

We have provided this information to assist organizations in conducting their own due diligence on the security and operation of the Dovetail service, without delay or the need for your teams to work through our lengthy questionnaire responses.

Standardized questionnaires

To help with your processes, we have pre-completed responses for the standard vendor self-assessment questionnaire formats available to request on our Dovetail trust center. If your process is based on any of the standardized questionnaires, we have pre-completed responses available for the following standards:

Custom questionnaires

If your organization has non-standard, bespoke requirements or custom questionnaires that you want us to complete, please note that we only offer this service for those purchasing an Enterprise workspace.

Give us feedback

Was this article useful?


OverviewChannelsMagicIntegrationsEnterpriseInsightsAnalysisPricingLog in


About us
© Dovetail Research Pty. Ltd.
TermsPrivacy Policy

Log in or sign up

Get started for free


By clicking “Continue with Google / Email” you agree to our User Terms of Service and Privacy Policy