Skip to main content
We want Doe to be a trusted tool in your organization, and have prioritized security, data privacy, and compliance to make it possible.

Security

All data transmission is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Production systems are routinely monitored via logging, error handling, and monitoring dashboards of live metrics. Unusual application states trigger alerts which are quickly investigated by our team.Access to our cloud environment is granted on an as-required basis based on business roles, and only a small number of employees are granted direct access to production systems.
Doe processes your data to answer questions but does not store raw data from your connected services.What We Store:
  • Your questions and Doe’s responses
  • Generated Python code and SQL queries
  • Analysis results and visualizations
  • Chat history and conversation context
What We Don’t Store:
  • Raw email content from Gmail/Outlook
  • Complete databases or tables
  • Original uploaded file contents (deleted within 24 hours)
  • Real-time data from integrations (only cached results, expired after 7 days)
Example: When you ask “Show me emails from [email protected] about contracts”, Doe queries Gmail’s API (encrypted), extracts relevant information, stores a summary (“3 emails found, topics: pricing, terms”), and discards the full email content. You see the summary and key points, not raw emails.
All employees and contractors are required to use multi-factor authentication on all work applications. All employees also receive annual training about security best practices, including password management and how to identify social engineering and phishing scams.
Doe obtained SOC 2 Type II certification in 2024. As part of the SOC 2 audit, our auditors reviewed all security policies, procedures, and internal controls related to data security, privacy, processing integrity, confidentiality, and availability.For more details about our security, please contact [email protected].
If you have identified a potential security issue, we encourage you to share your findings with us. Please send vulnerability reports to our security team at [email protected]. PGP key available upon request for sensitive reports.
Enterprise customers can enable stricter data handling:Zero Data Retention: All data deleted immediately after response (requires re-querying source systems for repeat questions)On-Premise Deployment: Deploy Doe in your own VPC or on-premise infrastructure so data never leaves your environmentComplete Audit Trails: Detailed logging of who asked what, when, which systems were accessed, and what results were provided. Logs retained for up to 7 years.Data Residency: Choose US, EU, APAC, or specific regions to comply with data sovereignty requirementsIP Allowlisting: Restrict access to specific IP ranges (office and VPN only)SSO Integration: SAML 2.0, OAuth 2.0, Azure AD, Okta, Google Workspace, and custom identity providers

Privacy & Intellectual Property

Doe processes data based on how you interact with the platform. For the web application, Doe only processes data actively provided by the authorized user asking questions. For integrations, administrators can review and manage all permissions granted to Doe.Doe uses customer data to:
  • Deliver, maintain, and update services to answer your questions
  • Troubleshoot, prevent, and resolve issues such as product bugs or security incidents
Doe does not store raw data from your connected services. When you query Gmail, Slack, or HubSpot, Doe retrieves only the specific information needed to answer your question, processes it, and stores only the analysis results and summary.
Doe retains data processed through the platform for the duration of your relationship with us, unless otherwise specified.Chat History: Retained while your account is active, deleted 30 days after account closureUploaded Files: Processed and deleted within 24 hours, only analysis results retainedIntegration Cache: Cached results expire after 7 days, fresh queries fetch new dataAudit Logs: 90 days (Standard), 1 year (Pro), custom retention up to 7 years (Enterprise)
By default, we do not use any of your data for model training purposes unless you explicitly opt-in in the Data Controls settings page.We collect anonymized usage metrics (which features are used, error rates, aggregate statistics) to improve the product, and you can opt out entirely in Settings → Privacy.If you are an Enterprise customer, we will never train on your data. Please refer to the terms in your agreement for details.
The output — analysis, code, visualizations, reports, or other work product — produced by Doe is considered your intellectual property and can be used for your commercial purposes, with the exception of using the output to train models that would attempt to reverse engineer and/or build a competing product to Doe.You own everything Doe produces for you, including:
  • Analysis results and insights
  • Generated Python code and SQL queries
  • Charts, graphs, and visualizations
  • Reports and summaries
  • Exported files
You can use, modify, share, and commercialize any output from Doe without restriction.
When connecting services like Gmail, Slack, or HubSpot, you can control which data Doe can access through OAuth permission scopes during the authorization process.Gmail Integration: Doe only sees emails you explicitly query, not your entire inbox. You can review and adjust permissions in your Google Account settings.Slack Integration: Doe doesn’t read or store any data in your Slack instance except information provided when Doe is explicitly mentioned or queried.HubSpot/Salesforce Integration: Doe queries only the specific records needed to answer your question. You can review permissions during initial connection.You can review and revoke integration permissions at any time in Settings → Integrations.
Doe maintains complete separation between organizations. Your data is isolated from other customers, and team members can only access data they have permissions for in the underlying systems.Role-Based Access: Admin, Manager, and Member roles control what users can do in DoeRespect Source Permissions: If you can’t access data in Gmail or HubSpot, you can’t query it through DoePrivate by Default: Chats are private unless explicitly shared. Admins cannot access private chats.Sharing Controls: You control who can view, comment on, or continue your conversations

User Best Practices

While Doe’s performance is continuously improving, it can still experience hallucinations, make incorrect assumptions, or provide unexpected results. Like with any analytical tool, we recommend taking appropriate precautions:
  • Review Results: Always validate important numbers and insights before making business decisions
  • Check Methodology: Use the Activity Panel to see how Doe arrived at conclusions
  • Verify Sources: Ensure Doe queried the correct data sources and time periods
  • Cross-Reference: Compare critical findings with source systems when needed
Best practice is to treat Doe as a starting point for analysis, not the final answer.
When working with sensitive data, we recommend:Use Private Chats: Don’t share chats containing confidential information unless necessaryReview Sharing Permissions: Regularly audit who has access to sensitive conversationsLeverage Role-Based Access: Ensure team members only have access to data they needEnable Enhanced Privacy Mode: Enterprise customers can enable zero data retention for sensitive workloadsMonitor Access: Use audit logs to track who accesses what data and when
When connecting integrations that require API keys or credentials:Use OAuth When Available: OAuth is more secure than API keys and can be revoked instantly through the service providerRotate Keys Regularly: Change API keys periodically and immediately after team member departuresMinimum Permissions: Grant Doe only the minimum permissions needed (read-only when possible)Monitor Access: Review audit logs to ensure integrations are only accessed when expectedSecure Storage: All API keys and tokens are encrypted with organization-specific encryption and never exposed in logs, UI, or error messages
We’re continuously improving Doe’s security and capabilities, and customer feedback is crucial for development. We strongly encourage:Product Feedback: Contact your account team or email [email protected] with feedback and feature requestsSecurity Issues: Email [email protected] with any potential vulnerabilities (PGP key available for sensitive reports)Compliance Documentation: Contact [email protected] for security questionnaires, SOC 2 reports, or data processing agreementsEnterprise Inquiries: Email [email protected] for custom security requirements or on-premise deployment

Contact Security Team

For security-related questions or concerns: General Security Questions: [email protected] Report a Vulnerability: [email protected] (PGP key available) Enterprise Security Inquiries: [email protected] Compliance Questions: [email protected]

Next Steps

Settings

Configure security settings and data retention policies

Team Management

Set up role-based access control for your organization