Trust Center
Dobby is The Data Policy Platform for AI — and we treat security the way procurement reviewers ask us to. This page describes our security posture, compliance status, data protection controls, and sub-processors. No claims we haven't earned.
Compliance Status
SOC 2 Type II
In ProgressWe are actively working toward SOC 2 Type II certification. Our platform is architected with SOC 2 controls including access management, change tracking, and immutable audit trails.
GDPR
CompliantRegional data residency (IL/EU/US), lawful basis documentation, DSAR workflows, data retention policies, and sub-processor transparency.
Enterprise DPA
AvailableData Processing Agreements with Standard Contractual Clauses (SCCs) available for enterprise customers upon request.
Security Controls
Encryption
AES-256 encryption for all sensitive data at rest including credentials, API keys, and LLM provider tokens.
TLS encryption for all data in transit. SHA-256 hashing for API keys and gateway keys.
Access Control
Three-level role-based access control (RBAC): Platform, Organization, and Tenant.
Six granular tenant roles from Owner to Viewer. Enterprise SSO via SAML 2.0 and OIDC.
Audit Trail
Immutable, append-only audit log of all agent actions, policy decisions, and administrative changes.
365-day retention for security events. Full gateway request logging with actor context.
Kill-Switch
Emergency kill-switch to halt all gateway traffic for an organization instantly.
Three scopes: all traffic, LLM-only, or new keys only. Propagates within 5 seconds.
Data Loss Prevention
Configurable PII detection with 10 built-in patterns scanning all gateway LLM requests.
Secret redaction for credentials and sensitive data before reaching LLM providers.
API Key Security
Three-tier gateway key system: user, service, and temporary keys with scope enforcement.
IP allowlisting, per-key rate limiting, and automatic expiration for temporary keys.
Data Residency
During onboarding, each workspace selects a data residency region. This selection is permanent and determines where all tenant data (tasks, agent configurations, audit logs, and gateway records) is stored.
Israel (IL)
GCP me-west1
European Union (EU)
GCP europe-west1
United States (US)
GCP us-central1
Sub-Processors
| Provider | Purpose | Data Processed |
|---|---|---|
| Google Cloud Platform | Infrastructure, compute, storage | All platform data (in selected region) |
| LLM Providers (Anthropic, OpenAI, Google, etc.) | AI model inference via Agentic Gateway | Prompts and completions (routed to provider you select) |
| Stripe | Payment processing | Billing information (no card data stored by us) |
| Resend | Transactional email (invites, reminders, notices) | Recipient email address + email content |
| Twilio | SMS verification (ad-hoc) | Phone number + verification code |
| Cloudflare | DNS, TLS, CDN, failover | Network/request routing metadata (IP, host) |
| Google Cloud Memorystore (Valkey) | Caching and job queues (in selected region) | Session tokens, rate limit counters |
| Google OAuth / GitHub OAuth | Authentication | Email, name, profile image |
| Google Tag Manager | Website analytics | Anonymized page visit data |
We do not sell your personal data to any third party. We do not use your Customer Data to train AI models.
Data Retention
Audit trail & security events
Gateway request logs
Anomaly alerts
Post-deletion cleanup
Enterprise customers may negotiate custom retention periods as part of their Data Processing Agreement.
Security Contact
To report a security vulnerability or request compliance documentation, contact our security team.
[email protected]Built-In Platform Safeguards
Questions About Security?
Read our SOC 2 compliance guide or reach out to our security team.