Security

1. Security Commitment

At DOER, security is a top priority. We implement industry-standard security measures to protect your data, ensure service availability, and maintain the integrity of our platform. This document outlines our security practices, infrastructure, and how we protect your information.

If you discover a security vulnerability, please report it to us immediately at help@usedoer.com. We take security issues seriously and will respond promptly.

2. Data Encryption

2.1 Encryption in Transit

All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS) 1.2 or higher. This ensures that:

• All communications are protected from interception
• Data integrity is maintained during transmission
• Your connection to our Service is authenticated

We use strong cipher suites and regularly update our TLS configuration to maintain the highest security standards.

2.2 Encryption at Rest

All data stored in our database is encrypted at rest using industry-standard encryption algorithms. This includes:

• User account information and credentials
• Plans, tasks, and goal data
• Integration tokens and API keys (encrypted before storage)
• Analytics and usage data

Database encryption keys are managed securely and rotated regularly according to best practices.

2.3 Password Security

Passwords are never stored in plain text. We use secure hashing algorithms (bcrypt) with salt to protect your password. This means:

• Your password is hashed using a one-way cryptographic function
• Each password is salted with a unique random value
• Even if our database is compromised, your password cannot be recovered
• We never have access to your actual password

3. Infrastructure Security

3.1 Hosting and Cloud Infrastructure

DOER is hosted on Vercel and uses Supabase for database and authentication services. Both platforms maintain:

• SOC 2 Type II compliance
• ISO 27001 certification
• Regular security audits and penetration testing
• Redundant infrastructure for high availability
• Automated backups and disaster recovery procedures

3.2 Network Security

Our infrastructure is protected by:

• Firewalls and network segmentation
• DDoS protection and rate limiting
• Intrusion detection and prevention systems
• Regular security monitoring and logging
• Automated threat detection and response

3.3 Database Security

Our database (PostgreSQL via Supabase) is secured through:

• Encrypted connections for all database access
• Row-level security (RLS) policies to restrict data access
• Regular automated backups with point-in-time recovery
• Access controls and audit logging
• Database activity monitoring

4. Access Controls

4.1 User Authentication

We implement strong authentication mechanisms:

• Secure password requirements (minimum length, complexity)
• Session management with secure tokens
• Automatic session expiration and timeout
• Protection against brute-force attacks
• Email verification for account creation

4.2 Administrative Access

Access to our internal systems and databases is restricted to authorized personnel only and follows the principle of least privilege:

• Multi-factor authentication (MFA) required for all admin accounts
• Role-based access controls
• All access is logged and audited
• Regular access reviews and credential rotation
• Secure VPN and encrypted connections for remote access

4.3 API Security

Our API endpoints are protected by:

• Authentication tokens for all API requests
• Rate limiting to prevent abuse
• Input validation and sanitization
• Protection against common vulnerabilities (SQL injection, XSS, CSRF)
• API key management for third-party integrations

5. Compliance and Certifications

While DOER is a growing platform, we are committed to maintaining security standards aligned with industry best practices:

• GDPR Compliance: We comply with the General Data Protection Regulation (GDPR) for users in the European Economic Area
• CCPA Compliance: We comply with the California Consumer Privacy Act (CCPA) for California residents
• Data Processing Agreements: We maintain data processing agreements with all third-party service providers
• Security Standards: Our infrastructure providers (Vercel, Supabase) maintain SOC 2, ISO 27001, and other certifications

We regularly review and update our security practices to align with evolving regulations and industry standards.

6. Incident Response

We have established procedures for responding to security incidents:

6.1 Detection and Response

• 24/7 monitoring of our systems for security threats
• Automated alerts for suspicious activities
• Incident response team ready to address security issues
• Rapid containment and mitigation procedures

6.2 Notification

In the event of a security breach that affects your personal data, we will:

• Notify affected users within 72 hours, as required by law
• Provide clear information about what happened and what data was affected
• Explain the steps we are taking to address the issue
• Provide guidance on steps you can take to protect yourself
• Report to relevant data protection authorities when required

7. Security Best Practices for Users

While we implement strong security measures, you also play an important role in protecting your account:

• Use a Strong Password: Choose a unique, complex password that you don't use elsewhere
• Enable Email Verification: Keep your email address verified and up to date
• Log Out on Shared Devices: Always log out when using the Service on shared or public computers
• Be Cautious with Links: Only access DOER through our official domain (usedoer.com)
• Report Suspicious Activity: If you notice any suspicious activity on your account, contact us immediately
• Keep Your Email Secure: Your email account is used for password resets and security notifications
• Review Integration Permissions: Regularly review and revoke access for integrations you no longer use

8. Third-Party Service Security

We use trusted third-party services that maintain high security standards:

8.1 Infrastructure Providers

• Vercel: Hosting and CDN with SOC 2 Type II compliance
• Supabase: Database and authentication with ISO 27001, SOC 2, and HIPAA compliance

8.2 Service Providers

• Stripe: Payment processing with PCI-DSS Level 1 compliance
• OpenAI: AI services with enterprise-grade security and data processing agreements
• Google Calendar API: Calendar integration with OAuth 2.0 security

All third-party integrations use secure authentication methods (OAuth 2.0, API keys) and encrypted connections.

9. Security Updates and Maintenance

We regularly update our systems to address security vulnerabilities:

• Regular security patches and updates
• Dependency updates to address known vulnerabilities
• Security code reviews for new features
• Penetration testing and vulnerability assessments
• Security training for our development team

We monitor security advisories and apply patches promptly to protect against known threats.

10. Reporting Security Issues

If you discover a security vulnerability in our Service, please report it to us responsibly:

• Email us at help@usedoer.com with details of the vulnerability
• Provide enough information for us to reproduce and verify the issue
• Allow us reasonable time to address the vulnerability before public disclosure
• Do not access or modify data that does not belong to you
• Do not perform any actions that could harm our Service or other users

We appreciate responsible disclosure and will work with security researchers to address vulnerabilities promptly. We will acknowledge receipt of your report and keep you informed of our progress.

11. Contact Us

If you have questions about our security practices or need to report a security issue, please contact us: