Built like it holds your budget. Because it does.

Every record in Dott is scoped to your organization with row-level security enforced at the database layer. API routes verify org membership before answering — every API route that touches org data verifies membership server-side, on every request.

Integrations use OAuth with encrypted token storage, CSRF state validation, and automatic token refresh. Dott reads only what you point it at — labeled email threads, connected calendars, transcripts you approve. No bots join your calls. Consent-driven, always.

Dott's agents run behind input guardrails (prompt-injection blocking, org-scoped context only) and output guardrails (safety filters, human-in-the-loop review for sensitive actions). Every agent run is logged. Your data is never used to train models.

Read-only by design. Scoped API keys (hashed at rest, revocable instantly), per-request isolation, rate limits, and a full audit log on every call. Scoring internals and sensitive fields are blocked at the tool layer. Read the MCP docs →

Rate limiting and bot protection (Arcjet) · input validation on API surfaces (Zod) · timing-safe comparison on all secret checks · registration honeypots · error tracking and monitoring (Sentry) · audit logging across the platform.

All traffic is encrypted in transit (TLS) and data is encrypted at rest (AES-256, hosted on Supabase/AWS, US region). Daily backups with 7-day point-in-time recovery — restore procedure tested June 2026.

Two internal security audit passes (April–May 2026) found and closed 35 issues before launch. Continuous dependency and static-analysis scanning runs on every change. Responsible disclosure welcome at hello@usedott.com.

GDPR and CCPA/CPRA rights honored (access, export, correction, deletion — see Privacy). Account deletion is self-serve. Dott is not yet SOC 2 certified — certification is on the roadmap as the company grows. Everything on this page is what we do today.