Security

Dodil is built so your data plane runs in the region you choose. Your storage, indexes, and compute stay in-region, while the control plane remains small and stateless.

We do not access Customer Data except as necessary to provide, secure, or maintain the Services, on your instructions, or as required by law — as set out in the DPA.

Data is encrypted in transit using TLS 1.2+ across all public endpoints, and at rest using industry-standard algorithms (AES-256). Secrets and keys are managed through a dedicated secrets management system with restricted access.

Tenant isolation runs end-to-end across storage, search, processing, and credentials. Every request is scoped to an organization resolved from an IAM-issued identity, so two organizations on the same control plane never see each other’s data. Per-tenant credentials are provisioned and rotated through Dodil IAM.

The platform runs on Dodil’s own hardware in access-controlled colocation facilities (currently Iron Mountain, London), with network segmentation, private service-to-service communication, and least-privilege defaults. The colocation provider supplies physical space and security only and has no logical access to your data.

• Internal admin APIs require mutual TLS and are not exposed publicly.
• Continuous monitoring and centralized logging across services.
• Automated deployment pipelines with reviewed, auditable changes.

Access to production systems is restricted to authorized personnel on a least-privilege, need-to-know basis, protected by strong authentication (SSO + MFA). Administrative access is logged and reviewed. Your own access is governed by Dodil IAM with org-scoped roles and S3-style policy semantics on buckets.

Customer Data is stored on redundant storage designed for durability, with documented recovery procedures; automated backups are being rolled out. Note that during Early Access the Services are provided without a formal service-level agreement (see Terms of Service).

We align our program with recognized standards and regulations:

• SOC 2 — in progress.
• ISO/IEC 27001 — in progress.
• EU GDPR & UK GDPR — data-residency and processor obligations honored; see the DPA.
• Singapore PDPA — handled in line with the PDPA.

International transfers out of the UK/EEA rely on adequacy decisions or Standard Contractual Clauses with the UK Addendum.

We use a limited set of vetted subprocessors to operate the Services (for hosting, payments, and communications). Our current list is maintained on our subprocessors page, and the DPA governs how they are engaged.

We welcome reports from security researchers. If you believe you’ve found a vulnerability, please email legal@dodil.io with details and steps to reproduce. Please give us a reasonable time to investigate and remediate before public disclosure, and do not access or modify data that is not yours.

We will acknowledge valid reports and keep you informed of remediation progress.

We maintain incident-response procedures to detect, investigate, and contain security events. Where a personal-data breach affects you, we will notify you in accordance with the DPA and applicable law.

For security questions, contact legal@dodil.io. For privacy matters, see our Privacy Policy. Postal: Circle Technologies Pte. Ltd., 68 Circular Road, #02-01, Singapore 049422.