Dotio is a small, focused team building software that handles meaningful financial data. We treat security as a baseline, not a feature, and we try to be honest about where we stand. This page describes the controls we operate today and their limits. It is a description of our practices, not a contractual warranty; our commitments to business customers are in the Terms and DPA.
Quick summary (not a substitute for this page). Dotio runs on Amazon Web Services (storage) and uses Anthropic for the AI agents. Data is encrypted in transit and at rest, and each company's data is isolated from every other. Privileged access requires multi-factor authentication and is logged. We never sell your data or use it to train AI models; card data is handled only by Stripe. No system can ever be guaranteed 100% secure; the sections below describe the controls we operate today and their limits.
01Our approach
Defense-in-depth, sensible defaults, vetted vendors, and least privilege. We design around three assumptions:
- Networks are hostile. Traffic, internal and external, is encrypted.
- Credentials get compromised. Privileged actions require multi-factor authentication and are logged.
- Bugs happen. We patch quickly, review changes, and keep a documented response plan.
02Architecture, in plain terms
Two facts matter most for understanding how your data is handled:
- Storage is operated by Amazon Web Services (AWS). Your data lives in AWS-managed databases and object storage. We do not run our own physical hardware.
- The AI agents are powered by Anthropic. When you use AI features, relevant data and your prompts are processed by Anthropic's models and returned to you.
We select reputable providers and bind them by data-protection terms, but we do not control, and are not responsible for, how these providers operate their own internal systems. We require our AI provider not to use data submitted through the Services to train its models, and we never use your data to train AI models ourselves.
03Hosting and data location
Production runs on Amazon Web Services. AWS provides the physical security of data centers, network isolation, and hardware lifecycle; AWS facilities are SOC 2 Type II and ISO 27001 certified (AWS security).
Customer data is stored on AWS in the European Union and/or the United States. AI processing is performed by Anthropic. Where data moves between regions or providers across borders, we rely on appropriate transfer safeguards (Standard Contractual Clauses and supplementary measures) as described in our Privacy Policy and DPA.
Each Dotio environment (production, staging, development) runs in an isolated Virtual Private Cloud. Production databases are not internet-accessible; they sit in private subnets reachable only from application servers in the same VPC.
04Tenant isolation
The Services are multi-tenant. Each customer's data is logically isolated so that one customer cannot access another's data. Access controls are enforced on every request.
05Encryption
- In transit: TLS 1.2 or higher for all connections; we do not accept unencrypted HTTP; HSTS is enabled on production domains; internal service-to-service traffic is also encrypted.
- At rest: Customer data in AWS databases and object storage is encrypted at rest using AES-256 with keys managed by AWS Key Management Service (KMS). Snapshots and backups inherit the same encryption.
- Secrets: Application secrets are stored in a managed secrets store, never committed to source control or written to disk in plaintext.
06Authentication and access control
- Customer accounts: Passwords are hashed with bcrypt and a per-user salt; we never store plaintext passwords. Sessions use signed, expiring tokens with secure cookie flags. Multi-factor authentication is available.
- Internal access: Production access requires a unique named account, hardware-backed MFA, and membership in the appropriate role. Most work happens in staging; production access is granted per task and reviewed quarterly. Privileged actions are logged via AWS CloudTrail, retained in a separate account.
- Offboarding: When someone leaves, access is revoked the same business day against a documented checklist.
07Application security
Every change to production code is peer-reviewed by an engineer before merge. Automated dependency scanning and static analysis run on each build; critical/high issues block merge. We use parameterized queries/ORM (no string-concatenated SQL), output encoding to prevent XSS, and CSRF protection on state-changing requests.
08Payments
We do not store, process, or transmit card numbers. Payments are handled by Stripe, a Level 1 PCI Service Provider; card details go directly to Stripe's hosted form and never touch our servers. We store only a Stripe customer ID, card brand, and last four digits for display. Our PCI scope is limited to SAQ A.
09Backups and recovery
AWS-managed backups: continuous point-in-time recovery for the last 14 days, daily snapshots retained 35 days, and weekly snapshots retained 12 months. Backups are encrypted and stored in a separate AWS account to limit blast radius. We test restores against staging periodically. Targets: RPO 1 hour, RTO 4 hours for a full regional failure.
10Vulnerability management
We monitor for vulnerabilities via automated dependency scanning on every commit, AWS security advisories, upstream security mailing lists, and our public reporting channel. Severity is triaged on receipt: critical within 24 hours, high within 7 days, medium within 30 days.
Penetration testing. We plan to engage an independent third-party penetration test before general availability.
11Incident response
We maintain a documented incident-response plan. On a confirmed incident affecting customer data, we will: contain and remediate; investigate scope and root cause; notify affected customers without undue delay in accordance with applicable law; and provide a post-incident report. Notifications go to the primary account email. For incidents meeting the GDPR threshold, we will notify the relevant supervisory authority within 72 hours and assist controllers with their obligations.
12Subprocessors
We use a small number of vetted third parties, each bound by a written Data Processing Agreement providing equivalent or stronger protections. We give customers at least 30 days' notice before adding a new subprocessor that processes personal data; subscribe by emailing legal@getdotio.com.
| Subprocessor | Purpose | Location |
|---|---|---|
| Anthropic | AI models powering the agents | United States |
| Amazon Web Services | Cloud hosting, storage, databases | EU / US |
| Stripe | Payment processing | US / Global |
| Cloudflare | DNS, CDN, DDoS protection | Global |
| Postmark | Transactional email | US |
| Google Workspace | Internal email and collaboration | US |
| Sentry | Application error monitoring | US |
If we add another AI provider to the data path, we will list it here and give notice as described above.
13Compliance posture
We are early-stage and pragmatic. We operate to the substantive controls these frameworks describe and will tell you honestly what we have today:
- GDPR / UK GDPR. We support the data-subject rights in our Privacy Policy and offer a Data Processing Addendum to customers acting as controllers.
- CCPA / US state privacy laws. We honor access, deletion, correction, and opt-out rights. See the Privacy Policy.
- PCI DSS. Card data is outsourced to Stripe; our scope is SAQ A.
- SOC 2. We have not completed a SOC 2 audit. Establishing the program is on our 2027 roadmap.
- HIPAA. Dotio is not a HIPAA Business Associate and is not designed for protected health information. Do not upload PHI.
14Reporting a security issue
If you believe you've found a vulnerability, email legal@getdotio.com with a description, steps to reproduce, and any proof-of-concept. We will acknowledge within 2 business days, give an initial assessment within 5 business days, keep you informed, and credit you (with permission) once fixed. We will not pursue legal action against researchers acting in good faith who give us reasonable time to remediate, avoid privacy violations and service disruption, and access only the minimum data needed to demonstrate the issue.