Dovetail is a cloud-based user research and customer feedback software for analysis, organization, collaboration and storage of user and customer data. With Dovetail, researchers, analysts, designers, and product managers can store user research data in one place, analyze qualitative data to discover patterns and insights, and share research findings with the rest of their organization.
When provisioning a user account, users must provide personal information such as their email address, full name, and optionally, a profile photo.
While using the service, authorized users can upload files, import data via CSV or Zapier, or enter data directly, including text, images, audio, video, or any other file type.
To best understand the data that you expect to store in Dovetail, we recommend talking to the individuals and end-users who will be using Dovetail. Most Dovetail customers will store research data such as interview recordings, transcripts, survey responses, customer feedback, photographs, and other research data. The data that you enter into Dovetail may vary depending on the use cases of your individual end-users.
Dovetail offers multiple ways to log in to a workspace including SSO.
Admins of workspaces on the Team plan and above can enable one-click authentication to Dovetail via OAuth 2.0 with a Google or Microsoft account. Users who create their account via OAuth 2.0 never need to set a password with Dovetail to log in.
Business and Enterprise admins can also configure an SSO integration with Auth0, Azure Active Directory, Okta, Google Cloud Identity or any other identity provider that supports OpenID Connect. Enterprise customers also have the ability to enforce SSO for all users in the workspace and disable other log in methods.
Dovetail employs industry-standard techniques for password management, encryption, storage, complexity, and reset.
Encryption and storage - The Dovetail web application's user authentication system uses bcrypt to hash and salt user passwords. Each password has a uniquely generated salt, and a server-side 'pepper' is stored independently of the database.
Complexity standard - The Dovetail web application enforces a strong password complexity standard and requires user passwords to have at least 12 characters, including at least one lower case character, one upper case character, one number and one special character.
Failed login attempts - The Dovetail web application prevents brute force attacks (for password based authentication) by locking the targeted user account after 5 failed attempts. A notification email is sent to the user that includes a link that can be used to unlock the account.
Secure reset - If a user forgets their password, they can request a reset link, which is sent to their verified email address. The link expires after a limited time if it is not used.
Password managers - Dovetail encourages customers and users to leverage a password manager to maintain, store, and fill strong passwords when using Dovetail.
We've made it easy to effortlessly share, edit, and collaborate on projects with your team in Dovetail. With the ability to assign various access levels, you have full control over how others can access and interact with your data. Learn how to configure sharing and access controls
Dovetail workspaces can be configured to add another level of security by restricting user provisioning to verified email addresses at your approved domain names.
This prevents your users from inviting people from outside your organization and helps ensure that your data is accessed only through accounts on your managed domains. Learn how to configure allowed domains for your workspace.
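An allowed-domain check is only as good as its parsing of the invitee's address. The following added example (constructed here, not Dovetail's code) shows the comparison a workspace could make before sending an invitation: it normalizes case and trailing dots, converts Unicode domains to their IDNA form so that lookalike characters do not collide with an ASCII allowlist, rejects addresses with more than one `@`, and matches whole domains rather than suffixes, so `evilexample.com` does not pass for `example.com`. Subdomain matching is an explicit opt-in, since the page says nothing about whether subdomains are allowed.

```python
import re
import unicodedata

# Constructed example of an invite-time allowed-domain check; not Dovetail's code.

# One DNS label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_domain(domain: str) -> str:
    """Canonical ASCII form of a domain, or '' if it is not a valid hostname."""
    d = unicodedata.normalize("NFKC", domain.strip()).rstrip(".").lower()
    try:
        # IDNA turns non-ASCII labels into xn-- form, so 'exаmple.com' with a
        # Cyrillic 'а' can never compare equal to the ASCII 'example.com'.
        d = d.encode("idna").decode("ascii")
    except UnicodeError:
        return ""
    if not d or not all(_LABEL.match(label) for label in d.split(".")):
        return ""
    return d


def email_domain(email: str) -> str:
    """Domain part of an address, or '' if the address is malformed."""
    if email.count("@") != 1 or any(c.isspace() for c in email):
        return ""
    local, _, domain = email.partition("@")
    if not local:
        return ""
    return normalize_domain(domain)


def is_allowed(email: str, allowed_domains, allow_subdomains: bool = False) -> bool:
    """True if the address belongs to an approved domain (exact match by default)."""
    allowed = {normalize_domain(d) for d in allowed_domains} - {""}
    domain = email_domain(email)
    if not domain:
        return False
    if domain in allowed:
        return True
    if allow_subdomains:
        # Require a label boundary: 'sub.example.com' matches, 'evilexample.com' does not.
        return any(domain.endswith("." + a) for a in allowed)
    return False


if __name__ == "__main__":
    policy = ["example.com"]
    for addr in ["alice@example.com", "bob@EXAMPLE.COM.", "eve@evilexample.com",
                 "mal@example.com.attacker.net", "x@example.com@attacker.net"]:
        print(addr, is_allowed(addr, policy))
```

Treat the allowlist as a provisioning control, not an authentication one: it decides who can be invited, while the verified-email and SSO requirements above decide whether the person behind the address actually controls it.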
Dovetail provides the ability for individual users to manage the active sessions where they are logged into their account. Users can review their active sessions to proactively manage security of their account and prevent against unauthorized access.
For each logged-in session we display the date, time, IP address and the type of device used to access your account. Users can also end any active session at any time.
When a user attempts to download a file, Dovetail performs a virus scan. If a virus is detected, the file cannot be downloaded. Virus scanning excludes files processed by Dovetail, such as highlight reels, and files larger than 100 MB. If a file cannot be scanned, the user is warned and may download it after acknowledging the warning. Virus definitions are updated daily.
Our HIPAA add-on is available for customers on the Enterprise plan and comes with access controls and features to help manage PHI, such as advanced restrictions on sharing, access, and data exporting. Key features include:
Ability for users to export CSV files disabled by default
Ability for users to download video files disabled by default
Public access to, and sharing of, insights disabled by default
Enforced authentication via SSO with email/password authentication disabled
All sub-processors processing ePHI have entered into a BAA with Dovetail
Ability to enter into a Business Associate Agreement (’BAA’) with Dovetail
While the Dovetail HIPAA workspace provides customers with greater access controls to help manage PHI, it is important to note that it is the responsibility of the workspace admin to control who within their organization has access to the contents of the workspace.
Please note that the transcription functionality in our HIPAA workspace is available in English language only.
Security, reliability, privacy, and compliance is at the heart of everything we do at Dovetail. Ensuring the safety and privacy of your data is baked into everyday processes throughout our organization.
Explore further security information, keep up to date with real-time monitoring and request access to Dovetail's security documentation on our trust center.
Dovetail has received a SOC 2 Type II report demonstrating that Dovetail has the appropriate controls in place to mitigate the risks related to security, availability and confidentiality.
A SOC 2 report is designed to meet the needs of customers who need assurance about the effectiveness of controls of a software vendor, like Dovetail. The report is the outcome of an audit performed by an independent third-party firm certified by the American Institute of CPAs (AICPA). The engagement was performed by BARR Advisory, P.A.
Dovetail was assessed against the AICPA's Trust Service Criteria of:
Security (also known as Common Criteria)
Our recent Type II audit is the most rigorous type of SOC 2 report: it set out to demonstrate that we had controls in place over a sustained period, with reliable and consistent safeguards protecting our customers' data. The reporting period concluded on 31 December 2022.
Dovetail is committed to carrying out an annual SOC 2 audit.
The testing follows a consistent, structured approach and represents a point-in-time assessment of the nature and extent of potential or existing exposures that may lead to a compromise of the environment.
Testing is based on best-practice methodologies such as the Open Web Application Security Project (OWASP) guides (which go beyond the OWASP Top 10 and include 109 tests) and the CWE/SANS Top 25 Most Dangerous Software Errors, combined with other in-house developed processes and methodologies.
Dovetail has engaged CyberCX cybersecurity consultants to perform web application penetration testing on an ongoing basis.
All payments made to Dovetail are securely processed via Stripe. Stripe has been audited by an independent PCI Qualified Security Assessor (QSA) and is certified as a PCI Level 1 Service Provider. This is the most stringent level of certification available in the payments industry.
Cloud Security Alliance - Dovetail supports Cloud Security Alliance efforts to raise awareness of best practices to ensure secure cloud computing. Dovetail participates in the CSA Security, Trust, Assurance and Risk (STAR) provider certification program. You can review our registration on the STAR registry.
Vendor Security Alliance - Dovetail supports the Vendor Security Alliance initiative to standardize the vendor due diligence process. To assist with organizations who have adopted this standard, we have completed the Vendor Security Alliance (VSA) Core self-assessment questionnaire. Please contact us for a copy.
McAfee Enterprise-Ready - Dovetail has been awarded the McAfee Enterprise-Ready seal (formerly Skyhigh Networks Enterprise-Ready), having earned the highest CloudTrust rating possible based on attributes across the data, user and device, security, business, and legal evaluation categories.
We store data in Amazon Web Services (AWS), which is our primary infrastructure provider.
When creating a workspace in Dovetail, you can choose to store the data you upload to that workspace in the United States or Europe.
If you choose the United States, your workspace data will be stored in us-east-1 (North Virginia) and if you choose Europe, your workspace data will be stored in eu-west-1 (Ireland).
Notwithstanding the selection you make regarding your workspace data, other categories of data (such as product analytics data, account billing and contact data, workspace URLs, access and operational logs, and support-related data) will continue to be transferred to, and stored in, the United States.
Additionally, where your workspace data is processed by one of our sub-processors, this data may continue to be processed outside Europe, depending on the location of the relevant sub-processor.
New workspaces created after 14 April 2023 are able to select whether they would like their workspace data stored in the United States or Europe.
This selection can be made when creating your workspace for the first time and cannot be changed afterwards.
At this point in time, we do not support migrating workspaces across regions.
You can view which region your data is stored in by navigating to workspace details in workspace settings.
We understand research data can contain a lot of personal information or commercially sensitive information, and participants trust you to keep it safe. That’s why we are committed to keeping this data secure and confidential.
We employ a number of technical and organizational measures to protect your data when you use Dovetail, and your use of our AI features is no exception. For example, we limit the number of sub-processors we use, and our AI features are powered by tailored AI infrastructure on top of Amazon Web Services (AWS).
We understand that many organizations have vendor risk management processes in place, and we want to be transparent in how we operate, secure, and manage our services at Dovetail.
This is why we have published detailed information on topics such as product security features, infrastructure and network security, data security and privacy, business continuity and disaster recovery, corporate security, compliance, and more.
We have provided this information to assist organizations in conducting their own due diligence on the security and operation of the Dovetail service, without delay or the need for your teams to work through our lengthy questionnaire responses.
To help with your processes, we have pre-completed responses for the standard vendor self-assessment questionnaire formats available to request on our Dovetail trust center. If your process is based on any of the standardized questionnaires, we have pre-completed responses available for the following standards:
If your organization has non-standard, bespoke requirements or custom questionnaires that you want us to complete, please note that we only offer this service for those purchasing a Business or Enterprise workspace.