At Doozy we value your security and privacy, and we follow industry best practices to keep your data safe and secure.
Here are the ways we protect your data:
Customer data is encrypted at rest with 256-bit AES.
Secure tokens for Slack, Merge and Google Calendar are further encrypted with AES-128 and rotated monthly.
Doozy runs on Google Cloud infrastructure, which offers a Service Level Agreement (SLA) committing to a defined level of uptime and availability for the services we use, including Firestore (≥ 99.99% uptime) and Cloud Storage (≥ 99.9% availability).
Data is encrypted in transit using HTTPS (TLS 1.2 or higher).
We conduct monthly vulnerability scans to ensure systems are configured correctly and are up to date.
Daily, weekly and point-in-time backups are encrypted and stored in multiple regions for redundancy.
Our customers have access to support through Slack Connect, with a standard SLA response time of under 12 hours, usually much quicker!
Monthly network vulnerability scans are conducted, and automated tests run on every code deploy.
Strong authentication is enforced for access to production systems, including password complexity requirements and MFA.
Role-based access control is in place through groups and IAM to ensure access to data is on a strictly need-to-know basis.
Access to production data is time-limited, requires executive approval and is fully audited.
All communications are encrypted in transit over HTTPS (TLS 1.2 or higher).
Customer data is stored in Google data centers and protected around the clock by Google's security team.
Physical security measures include perimeter defense systems, comprehensive camera coverage, biometric authentication and 24/7 guard staff.
Audit logs are enabled and configured for all production environments using GCP Cloud Audit Logging.
Detailed application logs are produced to track user activity, errors, exceptions and security events. On-call engineers are automatically notified of customer-impacting and security-impacting issues.
Infrastructure runs fully serverless on Google Cloud and Vercel, and security patches and updates are applied automatically.
Firebase infrastructure configuration is managed through code and reviewed via pull requests.
Staff devices are managed through an MDM, which enforces policies such as automatic device locking, strong password requirements and MFA.
Access to production systems is closely monitored, time-limited, audited and granted only on a need-to-know basis.
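The time-limited, need-to-know access to production data described above (the IAM-based controls and the time-limited, audited grants) is something a reviewer will want to verify rather than take on trust. The check below is an added example, not Doozy's tooling: it reads an IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` prints and flags any human or group member who holds a data-access role without an expiry condition, with an expired condition still lingering, or with a window longer than an assumed maximum. The role list, the 8-hour maximum and the sample policy are all constructed for the example.

```python
"""Audit a GCP IAM policy for standing (non-time-bound) access to production data.

Illustrative check, not Doozy's own tooling. The policy shape matches what
`gcloud projects get-iam-policy PROJECT --format=json` prints; SAMPLE_POLICY
below is constructed for this example.
"""
from __future__ import annotations

import json
import re
from datetime import datetime, timedelta

# Roles that grant read or write access to customer data in Firestore / Cloud Storage.
# Illustrative list (assumption); extend it for the services in your own project.
DATA_ACCESS_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/datastore.owner",
    "roles/datastore.user",
    "roles/datastore.viewer",
    "roles/storage.objectViewer",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
}

# IAM Conditions express an expiry as: request.time < timestamp("RFC 3339")
_EXPIRY_RE = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')

# Assumed policy for this example: a break-glass grant may not exceed 8 hours.
MAX_GRANT = timedelta(hours=8)


def expiry_of(binding: dict) -> datetime | None:
    """Return the expiry encoded in the binding's condition, or None if unconditional."""
    cond = binding.get("condition") or {}
    m = _EXPIRY_RE.search(cond.get("expression", ""))
    if not m:
        return None
    return datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))


def find_violations(policy: dict, now: datetime, max_grant: timedelta = MAX_GRANT) -> list[str]:
    """One finding per member whose data-access grant is not properly time-bound.

    serviceAccount: members are treated as the application's own workload
    identities and skipped; user: and group: members must carry an expiry.
    """
    findings: list[str] = []
    for b in policy.get("bindings", []):
        role = b["role"]
        if role not in DATA_ACCESS_ROLES:
            continue
        expiry = expiry_of(b)
        for member in b.get("members", []):
            if member.startswith("serviceAccount:"):
                continue
            if expiry is None:
                findings.append(f"{member} has standing {role} (no expiry condition)")
            elif expiry <= now:
                findings.append(f"{member} has expired {role} binding still present (expired {expiry.isoformat()})")
            elif expiry - now > max_grant:
                findings.append(f"{member} holds {role} for longer than {max_grant} (until {expiry.isoformat()})")
    return findings


def audit_at(policy: dict, now_iso: str) -> list[str]:
    """Convenience wrapper taking the evaluation time as RFC 3339, e.g. "2024-03-01T12:00:00Z"."""
    return find_violations(policy, datetime.fromisoformat(now_iso.replace("Z", "+00:00")))


# Constructed sample export: one approved 6-hour break-glass grant, one standing
# group grant (the violation), one workload identity and one non-data role.
SAMPLE_POLICY = json.loads(r"""
{
  "bindings": [
    {"role": "roles/datastore.viewer",
     "members": ["user:oncall@example.com"],
     "condition": {"title": "incident-readonly",
                   "expression": "request.time < timestamp(\"2024-03-01T18:00:00Z\")"}},
    {"role": "roles/datastore.owner",
     "members": ["group:engineering@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:api@example.iam.gserviceaccount.com"]},
    {"role": "roles/logging.viewer",
     "members": ["user:analyst@example.com"]}
  ]
}
""")

if __name__ == "__main__":
    for finding in audit_at(SAMPLE_POLICY, "2024-03-01T12:00:00Z"):
        print("FINDING:", finding)
```

Run it against a real export by replacing `SAMPLE_POLICY` with `json.load(open("policy.json"))`; a clean result means every human grant to a data role has an expiry no more than `MAX_GRANT` in the future, which is the observable consequence of the access policy stated above.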
Our infrastructure runs on Google Cloud, which maintains a wide range of industry certifications and attestations, including ISO 27001 and SOC 2, covering the infrastructure services we use.
All subprocessors handling customer data are SOC 2 or ISO 27001 compliant.
Doozy's own SOC 2 audit is planned for Q1 2024.
Doozy follows a strict data collection and processing policy. We collect and retain only the data necessary for specific, well-defined purposes.
We regularly review and minimize the data we hold, ensuring its relevance and accuracy. Access to this data is tightly controlled, and data subjects' rights, including the right to access and erasure, are respected.
Data is kept up to date through periodic and real-time syncs between external systems such as Merge, Slack, and Google Calendar.
Thorough unit and integration testing is in place to ensure these systems are communicating and storing data correctly.
Doozy retains data only for as long as needed to fulfill contractual and regulatory requirements. Once that is no longer the case, data is deleted within 30 days.
Regular data audits are performed to ensure data is not being stored for longer than necessary.
We maintain accountability by assigning clear roles and responsibilities for data protection, conducting regular audits, and adhering to data protection regulations.
Customers can request an export of their data which will be provided in a machine-readable format (JSON) made available to them securely within 30 days of request.
Data erasure requests are honored within 10 days, ensuring data is securely deleted in compliance with GDPR.
We use Google Cloud for our primary backend infrastructure.
Your data is stored in Firestore and automatically encrypted at rest with 256-bit AES.
Google Cloud is SOC 2 and ISO 27001 certified.
Our front-end app is hosted on Vercel, and all requests are served over HTTPS.
Vercel is SOC 2 and GDPR compliant.
We use Daily.co to provide the video and audio features in Doozy. All calls are encrypted, and no audio or video data is stored on our servers or on Daily.co's.
Daily.co is SOC 2 and GDPR compliant.
We partner with Merge to provide HRIS integrations.
Merge is SOC 2 and GDPR compliant.
We have a number of policies in place to ensure our systems stay secure including:
All payments are processed through Stripe; details of Stripe's security controls and PCI DSS compliance are published on Stripe's security page.
If you have any questions, get in touch with the team at security@doozy.live
We can provide a completed Vendor Security Alliance (VSA) questionnaire on request. Please email security@doozy.live for more information.