Trust & Security
Dagron handles sensitive engineering, payroll, and financial data. Here's how we keep it safe.
Encryption
All customer data is encrypted at rest (AES-256-GCM for sensitive credentials, AWS-managed encryption for the database) and in transit (TLS 1.2+ enforced). Integration credentials (GitHub, Jira, HRIS) are encrypted with a separate envelope key, never logged, and rotatable without downtime.
Authentication & access
We support GitHub OAuth and email magic-link sign-in today, with SAML SSO available for Enterprise. Role-based access control isolates finance reviewers, engineering reviewers, and viewers — every customer org is fully data-isolated at the database query layer.
Subprocessors
- Vercel — application hosting (US regions)
- Neon — Postgres database (US regions, encrypted at rest)
- Anthropic — AI classification reasoning
- OpenAI — text embeddings (project-engine clustering)
- Vanta — security automation & compliance monitoring
- Resend — transactional email
Customer data is never used to train AI models.
Compliance roadmap
- SOC 2 Type 1 — Audit in progress, target Q3 2026
- SOC 2 Type 2 — Following Type 1, ~6 month observation period
- GDPR — DPA available on request for EU customers
- HIPAA — On request for healthcare-org customers
Incident response
We notify affected customers within 72 hours of any confirmed security incident. Our incident response policy includes detection, containment, eradication, recovery, and post-mortem steps. Customers can reach our security team at security@example.com.
Vulnerability disclosure
If you believe you've found a security vulnerability, please email security@example.com. We respond within 1 business day and credit responsible disclosures on this page.
Security FAQ
Common questions from customer security reviews. For anything not covered here, email security@example.com.
Where is customer data stored?
All customer data is stored in Postgres (Neon, US regions) with AES-256 encryption at rest. Sensitive integration credentials (OAuth tokens, GitHub installation IDs) are wrapped with a separate AES-256-GCM envelope key derived from a server-side secret.
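As an added example (not Dagron's code), here is one way to implement the envelope scheme the answer above and the Encryption section describe, using Node's built-in crypto module: a key-encryption key (KEK) derived from a versioned server-side secret with HKDF, a fresh per-record data-encryption key (DEK) for each credential, AES-256-GCM for both layers, and the org/integration context bound in as GCM additional authenticated data. The secret values, the token string and the record layout are constructed assumptions for illustration.

```typescript
import * as crypto from "node:crypto";

// Constructed server-side secrets, keyed by version. In production these would
// come from a secrets manager; the values here are placeholders.
const SERVER_SECRETS: Record<number, Buffer> = {
  1: Buffer.from("placeholder-server-secret-v1-do-not-use"),
  2: Buffer.from("placeholder-server-secret-v2-do-not-use"),
};

// Derive a 256-bit KEK from the server-side secret with HKDF, bound to a
// purpose label so the same secret cannot be reused for another purpose.
function deriveKek(version: number): Buffer {
  const secret = SERVER_SECRETS[version];
  if (!secret) throw new Error(`unknown KEK version ${version}`);
  return Buffer.from(crypto.hkdfSync("sha256", secret, Buffer.alloc(0), "credential-kek", 32));
}

interface EnvelopeRecord {
  kekVersion: number; // which server secret currently wraps the DEK
  wrappedDek: string; // base64: iv || tag || DEK encrypted under the KEK
  iv: string;         // base64 nonce for the credential ciphertext
  tag: string;        // base64 GCM authentication tag
  ciphertext: string; // base64 encrypted credential
  aad: string;        // context authenticated into the tag (e.g. org + integration)
}

function gcmEncrypt(key: Buffer, plaintext: Buffer, aad: Buffer) {
  const iv = crypto.randomBytes(12); // 96-bit nonce, never reused with the same key
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, tag: cipher.getAuthTag(), ct };
}

function gcmDecrypt(key: Buffer, iv: Buffer, tag: Buffer, ct: Buffer, aad: Buffer): Buffer {
  const d = crypto.createDecipheriv("aes-256-gcm", key, iv);
  d.setAAD(aad);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws if ciphertext, tag or AAD were altered
}

// Encrypt one credential under a fresh DEK, then wrap that DEK under the current KEK.
function sealCredential(secret: string, context: string, kekVersion: number): EnvelopeRecord {
  const dek = crypto.randomBytes(32);
  const aad = Buffer.from(context);
  const body = gcmEncrypt(dek, Buffer.from(secret, "utf8"), aad);
  const wrap = gcmEncrypt(deriveKek(kekVersion), dek, aad);
  return {
    kekVersion,
    wrappedDek: Buffer.concat([wrap.iv, wrap.tag, wrap.ct]).toString("base64"),
    iv: body.iv.toString("base64"),
    tag: body.tag.toString("base64"),
    ciphertext: body.ct.toString("base64"),
    aad: context,
  };
}

function unwrapDek(rec: EnvelopeRecord): Buffer {
  const blob = Buffer.from(rec.wrappedDek, "base64");
  return gcmDecrypt(deriveKek(rec.kekVersion), blob.subarray(0, 12), blob.subarray(12, 28),
    blob.subarray(28), Buffer.from(rec.aad));
}

function openCredential(rec: EnvelopeRecord): string {
  const dek = unwrapDek(rec);
  return gcmDecrypt(dek, Buffer.from(rec.iv, "base64"), Buffer.from(rec.tag, "base64"),
    Buffer.from(rec.ciphertext, "base64"), Buffer.from(rec.aad)).toString("utf8");
}

// Rotation: re-wrap the DEK under a new KEK version. The credential ciphertext is
// untouched, so rows can be migrated in the background while both versions stay readable.
function rotateKek(rec: EnvelopeRecord, newVersion: number): EnvelopeRecord {
  const dek = unwrapDek(rec);
  const wrap = gcmEncrypt(deriveKek(newVersion), dek, Buffer.from(rec.aad));
  return { ...rec, kekVersion: newVersion,
    wrappedDek: Buffer.concat([wrap.iv, wrap.tag, wrap.ct]).toString("base64") };
}

// The only view of a record that should ever reach a log line: structure, no secret material.
function redactForLog(rec: EnvelopeRecord) {
  return { kekVersion: rec.kekVersion, aad: rec.aad,
    ciphertextBytes: Buffer.from(rec.ciphertext, "base64").length };
}
```

Because rotation only rewrites `wrappedDek`, a background job can walk the table and re-wrap each row under the new version while the old version remains readable, which is what lets the key change happen without downtime; binding the org and integration into the AAD means a record copied into another org's row fails authentication instead of decrypting.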
Who can access customer data internally?
Production database access is limited to the engineering on-call rotation, with all access logged and reviewed monthly. Customer data is never exported to local machines. Support investigations require explicit customer authorization for anything beyond metadata-level diagnostics.
How is data isolated between customer organizations?
Every database query is scoped by organizationId at the application layer, with foreign-key constraints ensuring rows can't reference data from another org. We do not rely on row-level security as the only defense — application-layer scoping is the primary control.
Do you use customer data to train AI models?
Never. When we use Anthropic for classification reasoning or OpenAI for project-engine embeddings, we send only project-level metadata, and our contracts with both providers explicitly prohibit training on submitted data. We do not have any first-party AI models that would be trained on customer data.
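As an added example of the isolation model described in the data-isolation answer above (illustrative code, not Dagron's schema or data layer), this sketches both controls: a scoped query API where the organizationId comes from the session and is applied to every predicate, and a composite foreign key that includes organization_id so a row cannot reference another org's data. The tables are constructed in-memory stand-ins; the SQL in the comment is an assumption about how such a constraint would be written.

```typescript
// Constructed in-memory tables standing in for Postgres. The constraint they model
// (assumed shape, not the product's real DDL) is:
//   CREATE TABLE projects (organization_id text, id text, PRIMARY KEY (organization_id, id));
//   CREATE TABLE reviews  (organization_id text, id text, project_id text,
//     FOREIGN KEY (organization_id, project_id) REFERENCES projects (organization_id, id));
// Because organization_id is part of the foreign key, a review can only point at a project in its own org.

type Project = { organizationId: string; id: string; name: string };
type Review = { organizationId: string; id: string; projectId: string; verdict: string };

const projects: Project[] = [
  { organizationId: "org_a", id: "p1", name: "billing-service" },
  { organizationId: "org_b", id: "p2", name: "payroll-sync" },
];
const reviews: Review[] = [];

// Models the composite FK: the insert fails unless (organizationId, projectId) exists in projects,
// which is exactly the check the database would perform on a cross-org reference.
function insertReview(r: Review): Review {
  const ok = projects.some(p => p.organizationId === r.organizationId && p.id === r.projectId);
  if (!ok) throw new Error(`FK violation: project ${r.projectId} is not in org ${r.organizationId}`);
  reviews.push(r);
  return r;
}

// Scoped data access: the only query API handed to request handlers. The organizationId is
// taken from the authenticated session, never from the request body or URL, and is applied
// to every predicate so a record id from another org simply does not resolve.
function forOrg(organizationId: string) {
  return {
    getProject(id: string): Project | undefined {
      return projects.find(p => p.organizationId === organizationId && p.id === id);
    },
    listReviews(): Review[] {
      return reviews.filter(r => r.organizationId === organizationId);
    },
    getReview(id: string): Review | undefined {
      return reviews.find(r => r.organizationId === organizationId && r.id === id);
    },
  };
}
```

The two controls are independent: the scoped API is the primary defense (every read is filtered), and the composite foreign key is the schema-level backstop that stops a bug in the application layer from ever persisting a cross-org reference.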
How do you handle customer authentication?
We support GitHub OAuth and email magic-link sign-in via Auth.js v5 with database-backed sessions (no JWT-in-cookie pattern). Sessions auto-expire after 30 days of inactivity. SAML SSO via Okta or Azure AD is available on Enterprise plans.
What's your incident response process?
We follow a documented IR playbook: detect → contain → eradicate → recover → post-mortem. Affected customers are notified within 72 hours of any confirmed security incident, with a written post-mortem within 30 days. Our incident response policy is available for review under NDA.
What's your business continuity / disaster recovery plan?
The database has continuous point-in-time recovery (Neon managed). Application code is deployed via Vercel with automatic rollback on failed health checks. RTO target: 4 hours. RPO target: 5 minutes. We test restore procedures quarterly.
Are you SOC 2 compliant?
We're actively pursuing SOC 2 Type 1, with our audit scheduled for Q3 2026. Our security program is monitored continuously via Vanta. Type 2 will follow Type 1 by ~6 months (the standard observation period).
Are you GDPR-compliant?
Yes. We act as a data processor for our customers, who are the data controllers for their employees' personal data. A standard DPA based on the EU SCCs is available on request. EU customers' data is currently stored in US regions; an EU region is on our roadmap.
What happens to my data if I cancel?
You can export your data at any time via the in-app CSV export. On account deletion, we delete all customer data within 30 days, except where retention is required by law. A complete data export including raw integration metadata is available on request before deletion.
Where can I find your security questionnaire response?
We respond to standard CAIQ and SIG-Lite questionnaires within 5 business days. Email security@example.com with your questionnaire and we'll return a completed response under mutual NDA.