Your data is the foundation of everything we do. Here's how we take care of it.
We're an early-stage company, and we want to be upfront about that. We don't have SOC 2 or formal certifications yet — no shiny badges to show off. But we've built security into our foundation from day one, following the same best practices those frameworks require. As we scale, formal certification is on the roadmap. In the meantime, we're happy to walk you through our practices in detail — bring your toughest questions.
DuitLabs runs on enterprise-grade cloud infrastructure hosted in the United States. We've architected for reliability from the start — automated failover, redundant storage, daily encrypted backups with point-in-time recovery, and isolated environments so your data never co-mingles with another customer's.
Everything is encrypted, both moving and sitting still. Your browser talks to our APIs over TLS 1.3. Stored data — databases, files, backups — is encrypted with AES-256. Encryption keys live in a dedicated key management system and rotate automatically. This isn't optional or configurable — it's just how the platform works. Think of it as a seatbelt that's always buckled.
We follow the principle of least privilege: people only have access to what they need to do their job. Every employee uses multi-factor authentication. All administrative actions are logged. On your side, we support role-based permissions so you can control who on your team sees what. For enterprise customers, we offer SSO integration (SAML 2.0, OIDC).
Security is part of our development process, not an afterthought. Every code change goes through peer review. We run automated vulnerability scanning in our CI/CD pipeline, monitor dependencies for known vulnerabilities, and test for common attack vectors. We also plan to run regular third-party penetration tests as we grow.
Our AI models process sensitive retail and supply chain data, so we're strict about boundaries. Your data is yours — it's never used to train models for other customers, and it's never shared across accounts. When we improve our models, we only use aggregated, de-identified data. All model requests are authenticated and rate-limited, with built-in validation checks on every output.
We monitor the platform continuously and have real-time alerts for anything unusual. We keep centralized logs and have a documented incident response plan with clear severity levels and escalation steps. If there's ever a material breach affecting your data, we'll notify you within 72 hours and conduct a thorough post-incident review. We believe transparency builds trust — especially when things don't go perfectly.
We're selective about who we work with. Every third-party vendor that touches customer data goes through a security review. They're bound by confidentiality obligations and we revisit those relationships periodically. We're happy to share our current list of subprocessors on request.
We're a small team, which means everyone takes security personally — there's no "that's someone else's department" energy here. All employees with data access go through background checks and security training. Company devices have endpoint protection. When someone leaves, access is revoked immediately — no loose ends, no "we'll get to it Monday."
If you discover a security vulnerability, we genuinely want to hear about it. Report it to [email protected] and we'll acknowledge it within 48 hours, provide a resolution timeline within 5 business days, and — importantly — we won't take legal action against good-faith researchers. We'd rather fix the problem than shoot the messenger.
Security conversations are better in person (or on a call). If you're evaluating DuitLabs and want to dig deeper into any of this, reach out:
DuitLabs Security
Email: [email protected]