Security at Doozy

At Doozy we value your security and privacy, ensuring we follow industry best practices to keep your data safe and secure.

We are currently in the process of obtaining SOC 2 certification, and we are committed to maintaining the highest standards of security and privacy. Contact us for more information.

Here are the ways we protect your data:

Pseudonymization and encryption of personal data

Customer data is encrypted at rest with 256-bit AES.

Secure tokens for Slack, Merge and Google Calendar are further encrypted with AES-128 and rotated monthly.

Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services

Doozy runs on Google Cloud Infrastructure, which offers a Service Level Agreement (SLA) that guarantees a certain level of uptime and availability for services, including Firestore (with a guaranteed uptime of ≥ 99.99%) and Storage (with a guaranteed availability of ≥ 99.9%).

Data is encrypted in transit using HTTPS (≥ TLS 1.2).

We conduct monthly vulnerability scans to ensure systems are configured correctly and are up to date.

Ability to restore the availability of and access to the Customer Personal Data in a timely manner following a physical or technical incident

Daily, weekly and point-in-time backups are encrypted and stored in multiple regions for redundancy.

Our customers have access to support through Slack Connect, with a standard SLA response time of under 12 hours, usually much quicker!

Regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures used to secure Processing

Monthly scans are conducted to check for network vulnerabilities. Automated tests are run for all code deploys.

User identification and authorization process and protection

Strong security measures are enforced, including password complexity and MFA to ensure access to production systems is secure.

Role-based access control is in place through groups and IAM to ensure access to data is on a strictly need-to-know basis.

Access to production data is time-limited and requires exec approval, and it is fully audited.

Protecting Customer Personal Data during transmission (in transit)

All communications are encrypted in transit over HTTPS.

Protecting Customer Personal Data during storage (at rest)

Customer data is encrypted at rest with 256-bit AES.

Physical security where Customer Personal Data is processed

Customer data is stored securely within the Google data centers, and protected 24/7 by their industry-leading security team.

Security measures include perimeter defense systems, comprehensive camera coverage, biometric authentication, and a 24/7 guard staff. Learn more here.

Events logging

Audit logs are enabled and configured for all production environments using GCP Cloud Audit Logging.

Access to production data requires C-Level approval and is time limited.

Detailed application logs are produced to track user activities, errors, exceptions and security events. On-call engineers are automatically notified of customer and security impacting issues.

Systems configuration, including default configuration

Infrastructure is running fully serverless in Google Cloud and Vercel, and security patches and updates are automatically applied.

Firebase infrastructure configuration is managed through code and reviewed via pull requests.

Internal IT and IT security governance and management

Devices are managed through an MDM, and strict policies are in place to ensure that staff uphold the best security standards, such as device locking, secure password policies and MFA.

Access to production systems is heavily monitored, time-limited, audited, and granted on a need-to-know basis.

Certification or assurance of processes and products

Our infrastructure runs on Google Cloud, which maintains a wide range of industry certifications, including ISO 27001, SOC 2, and others, which reflect its commitment to security and compliance. These certifications extend to the infrastructure services used.

All subprocessors handling customer data are SOC2 or ISO 27001 compliant.

The SOC 2 certification process is planned for Q1 2024.

Ensuring data minimization

Doozy follows a strict data collection and processing policy. We collect and retain only the data necessary for specific, well-defined purposes.

We regularly review and minimize the data we hold, ensuring its relevance and accuracy. Access to this data is tightly controlled, and data subjects' rights, including the right to access and erasure, are respected.

Ensuring data quality

Data is kept up to date through periodic and real-time syncs between external systems such as Merge, Slack, and Google Calendar.

Thorough unit and integration testing is in place to ensure these systems are communicating and storing data correctly.

Ensuring limited data retention

Doozy only retains data for as long as needed to fulfill contractual and regulatory requirements. Once that is no longer the case, data is deleted within 30 days.

Regular data audits are performed to ensure data is not being stored for longer than necessary.

Ensuring accountability

We maintain accountability by assigning clear roles and responsibilities for data protection, conducting regular audits, and adhering to data protection regulations.

Allowing data portability and erasure

Customers can request an export of their data, which will be provided in a machine-readable format (JSON) and made available to them securely within 30 days of the request.

Data erasure requests are honored within 10 days, ensuring data is securely deleted in compliance with GDPR.

Secure Infrastructure

Google Cloud

We utilise Google Cloud for our primary backend infrastructure.

Your data is stored in Firestore and automatically encrypted using 256-bit advanced encryption. Learn more

Google Cloud is SOC 2 and ISO 27001 certified. You can learn more about Google Cloud compliance here.

Vercel

Our front-end app is hosted on Vercel and all requests are secured with industry standard encryption.

Vercel is SOC2 and GDPR compliant.

Learn more about security at Vercel here

Daily.co

We use Daily.co to provide the Video + Audio features with Doozy. Daily.co are an industry leader using the latest best practices in security. All calls are encrypted and no audio or video data is stored on our or Daily.co's servers.

Daily.co are SOC2 and GDPR compliant.

You can learn more about Daily.co and their security practices in their Security Centre

Merge

We partner with Merge to provide HRIS integrations.

Merge are SOC2 and GDPR compliant.

You can learn more about Merge and their security practices in their Security Centre

Operational security

We have a number of policies in place to ensure our systems stay secure including:

  • We require 2FA to access production systems and operate on the principle of least privilege. Access to our core systems is audited and reviewed regularly.
  • All code changes must be reviewed and tested before being deployed.
  • All data is encrypted at rest and in transit.
  • Slack, Calendar and HRIS tokens are further encrypted.
  • Dependencies are regularly updated and we use Dependabot and Snyk to alert us of vulnerabilities.
  • We run on serverless infrastructure, with security patches applied automatically by Google and Vercel.

Reach out to our team to request a completed Vendor Security Alliance (VSA) questionnaire.

PCI Obligations

All payments are made through Stripe. Details about their security setup and PCI compliance can be found at Stripe's security page.

If you have any questions, get in touch with the team at security@doozy.live

We can provide a completed Vendor Security Alliance (VSA) questionnaire on request. Please email security@doozy.live for more information.