Dobby AI is built for enterprise trust. This page describes our security posture, compliance status, data protection controls, and sub-processors.
We are actively working toward SOC 2 Type II certification. Our platform is architected with SOC 2 controls including access management, change tracking, and immutable audit trails.
Regional data residency (IL/EU/US), lawful basis documentation, DSAR workflows, data retention policies, and sub-processor transparency.
Data Processing Agreements with Standard Contractual Clauses (SCCs) available for enterprise customers upon request.
AES-256 encryption for all sensitive data at rest including credentials, API keys, and LLM provider tokens.
TLS encryption for all data in transit. SHA-256 hashing for API keys and gateway keys.
Three-level role-based access control (RBAC): Platform, Organization, and Tenant.
Six granular tenant roles from Owner to Viewer. Enterprise SSO via SAML 2.0 and OIDC.
Immutable, append-only audit log of all agent actions, policy decisions, and administrative changes.
365-day retention for security events. Full gateway request logging with actor context.
Emergency kill-switch to halt all gateway traffic for an organization instantly.
Three scopes: all traffic, LLM-only, or new keys only. Propagates within 5 seconds.
Configurable PII detection with 9 built-in patterns scanning all gateway LLM requests.
Secret redaction for credentials and sensitive data before reaching LLM providers.
Three-tier gateway key system: user, service, and temporary keys with scope enforcement.
IP allowlisting, per-key rate limiting, and automatic expiration for temporary keys.
During onboarding, each workspace selects a data residency region. This selection is permanent and determines where all tenant data (tasks, agent configurations, audit logs, and gateway records) is stored.
Israel (IL)
GCP me-west1
European Union (EU)
GCP europe-west1
United States (US)
GCP us-central1
| Provider | Purpose | Data Processed |
|---|---|---|
| Google Cloud Platform | Infrastructure, compute, storage | All platform data (in selected region) |
| LLM Providers (Anthropic, OpenAI, Google, etc.) | AI model inference via Agentic Gateway | Prompts and completions (routed to provider you select) |
| Stripe | Payment processing | Billing information (no card data stored by us) |
| Upstash | Redis caching and job queues | Session tokens, rate limit counters |
| Google OAuth / GitHub OAuth | Authentication | Email, name, profile image |
| Google Tag Manager | Website analytics | Anonymized page visit data |
We do not sell your personal data to any third party. We do not use your Customer Data to train AI models.
Audit trail & security events
Gateway request logs
Anomaly alerts
Post-deletion cleanup
Enterprise customers may negotiate custom retention periods as part of their Data Processing Agreement.
To report a security vulnerability or request compliance documentation, contact our security team.
security@dobby-ai.com