We handle sensitive financial data for hundreds of small businesses. Here's exactly how we protect it.
Status at a glance: SOC 2 Type I (in progress), CCPA compliant (active), FDCPA-aware (by design), GDPR ready (in progress).
Hosting and delivery
DuePilot runs on Cloudflare Workers (edge compute) and Supabase (Postgres with Row Level Security). We do not operate our own servers. Both providers hold SOC 2 Type II attestation reports.
Encryption
All data is encrypted in transit using TLS 1.3. Data at rest is encrypted using AES-256. OAuth tokens (QuickBooks, Gmail, Outlook) are stored encrypted in Supabase Vault and are never written to storage or logs in plaintext.
Network
All traffic is routed through Cloudflare's global network with DDoS protection, WAF rules, and bot detection enabled. Database access is restricted to application infrastructure with no public-facing connection strings.
SOC 2 Type I (in progress)
We are actively pursuing a SOC 2 Type I attestation. Our controls have been designed from the start against the SOC 2 Trust Services Criteria. Expected completion: Q3 2026.
CCPA
We are fully compliant with the California Consumer Privacy Act. Users can request data access, export, or deletion at any time via the account settings or by emailing privacy@duepilot.ai.
FDCPA-aware design
DuePilot's collection sequences are designed with FDCPA constraints in mind. Sequences auto-pause on dispute signals, respect time-of-day sending windows, and never use language that constitutes harassment under federal law.
GDPR
We are GDPR-ready for EU customers. A Data Processing Agreement (DPA) is available at /dpa. We do not transfer EU personal data outside the EU without appropriate safeguards.
What we store
We store the minimum data required to operate the service: invoice records, customer contact information, payment history, and email event logs. We do not store payment card numbers — we only generate Stripe payment links.
QuickBooks data
We pull open invoices, customer records, and payment history from QuickBooks via OAuth. The integration is read-only: we never write to your QuickBooks account. QBO data is synced every 15 minutes and stored in your isolated workspace.
AI processing
Invoice and customer data is sent to Anthropic Claude and/or OpenAI for email drafting and reply classification. We use the APIs' zero-retention options where available and have Data Processing Agreements in place with both providers.
Data retention
Active accounts: data retained for the duration of the subscription. Canceled accounts: data retained for 90 days after cancellation, then permanently deleted. You can request immediate deletion at any time.
Row Level Security
Every database table uses Postgres Row Level Security (RLS) policies enforced by the database itself. Your data is logically isolated from all other customers: a query that omits the tenant filter returns nothing rather than another customer's rows, so an application-layer bug in query construction cannot expose cross-customer data. Postgres applies RLS only to roles that are subject to it (table owners without FORCE ROW LEVEL SECURITY, superusers, and roles with BYPASSRLS skip the policies), so this guarantee rests on application queries running under a restricted role.
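The following is an added illustration of the tenant-isolation pattern described above, written for this page and not taken from DuePilot's schema. The table, column, role and function names are assumptions, and the caller's workspace is passed in a session setting (`app.workspace_id`); Supabase deployments usually key policies on `auth.uid()` instead. The walkthrough at the end runs queries as a restricted role and shows both a missing tenant filter and an attempted cross-tenant write being stopped by the database.

```sql
-- Added example (not DuePilot's code): per-workspace isolation with Postgres RLS.
-- Names below (invoices, workspace_id, app_user, current_workspace) are assumptions.

CREATE TABLE invoices (
  id            bigserial PRIMARY KEY,
  workspace_id  uuid NOT NULL,
  customer_name text NOT NULL,
  amount_cents  integer NOT NULL CHECK (amount_cents >= 0)
);

-- Constructed sample rows for two workspaces, inserted by the owner before RLS is on.
INSERT INTO invoices (workspace_id, customer_name, amount_cents) VALUES
  ('11111111-1111-1111-1111-111111111111', 'Acme LLC', 125000),
  ('22222222-2222-2222-2222-222222222222', 'Globex',     4200);

-- Workspace of the current request. The second argument makes current_setting
-- return NULL instead of raising when the setting is absent.
CREATE FUNCTION current_workspace() RETURNS uuid
  LANGUAGE sql STABLE AS $$
  SELECT nullif(current_setting('app.workspace_id', true), '')::uuid
$$;

-- Enable RLS, and FORCE it so the table owner is subject to the policies too.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- USING filters the rows a statement may see or touch; WITH CHECK rejects
-- writes whose resulting row would belong to another workspace.
CREATE POLICY invoices_select ON invoices FOR SELECT
  USING (workspace_id = current_workspace());
CREATE POLICY invoices_insert ON invoices FOR INSERT
  WITH CHECK (workspace_id = current_workspace());
CREATE POLICY invoices_update ON invoices FOR UPDATE
  USING (workspace_id = current_workspace())
  WITH CHECK (workspace_id = current_workspace());
CREATE POLICY invoices_delete ON invoices FOR DELETE
  USING (workspace_id = current_workspace());

-- The application role must not own the table, must not be a superuser and
-- must not have BYPASSRLS; any of those would skip the policies entirely.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;
GRANT USAGE, SELECT ON SEQUENCE invoices_id_seq TO app_user;

-- Walkthrough as the restricted role, scoped to workspace 1111... for one transaction.
BEGIN;
SET ROLE app_user;
SELECT set_config('app.workspace_id', '11111111-1111-1111-1111-111111111111', true);

-- Normal query: only Acme LLC is visible.
SELECT customer_name FROM invoices;

-- Simulated application bug: tenant filter omitted. Still one row, not two.
SELECT count(*) FROM invoices;

-- Explicitly asking for the other tenant's rows finds nothing.
SELECT count(*) FROM invoices
 WHERE workspace_id = '22222222-2222-2222-2222-222222222222';

-- Attempted cross-tenant write: rejected with
-- "new row violates row-level security policy for table invoices".
INSERT INTO invoices (workspace_id, customer_name, amount_cents)
  VALUES ('22222222-2222-2222-2222-222222222222', 'Smuggled', 1);
ROLLBACK;
```

Two details matter in practice. `FORCE ROW LEVEL SECURITY` is what makes the owner role honour the policies; without it, any migration or admin script that connects as the owner sees every tenant. And credentials that map to a BYPASSRLS role (in Supabase, the `service_role` key) see every row regardless of policy, so they belong only in trusted backend paths and never in a client or edge handler that serves end-user requests.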
Employee access
No DuePilot employee accesses customer data without an explicit support request. All production access is logged and reviewed. We use short-lived credentials that expire automatically.
API security
API keys are hashed before storage. Rate limiting is enforced on all endpoints. Authentication endpoints have stricter limits (10 requests/minute). Failed auth attempts trigger account lockout after 10 failures.
Found a vulnerability?
We take security reports seriously. Email us at security@duepilot.ai with details of the vulnerability. We'll respond within 24 hours and work with you on responsible disclosure. We do not currently operate a bug bounty program, but we recognize all valid reports.