Security
How Dott Protects Your Documents
A clear explanation of how your documents are handled, stored, and protected across every tier of service.
Data Encryption
- All documents are encrypted in transit using TLS 1.2+ for every connection between your browser and Dott's servers.
- Documents submitted through the free analysis tier are processed in memory and are not stored after analysis is complete.
- Pro workspace documents are stored in a Supabase-hosted PostgreSQL database with AES-256 encryption at rest.
- All API communications use HTTPS. Plaintext connections are rejected.
Data Retention
Free Tier
- Documents are not stored by Dott. Text and PDF content is held in memory only for the duration of the request (it is transmitted to the AI provider for analysis, as described under Infrastructure below) and discarded once the analysis response is returned.
- Analysis results (risk score, issues) are retained only if the user has an authenticated account and the result is saved to their dashboard.
Pro Tier
- Workspace data (documents, chat history, risk scores) is retained for the duration of the subscription.
- Users can delete individual workspaces and all associated data at any time from the dashboard. Deletion is immediate and permanent.
Attorney-Validated Review
- Documents submitted for attorney review are retained for the duration of the review engagement and in accordance with professional responsibility requirements applicable to the reviewing attorney's jurisdiction.
Access Controls
- All data belonging to an authenticated account is protected by per-user access controls, enforced at the data layer rather than only in the application. Users can only access their own documents, workspaces, and analysis results.
- API access requires authenticated API keys issued per user or organization. Keys can be revoked at any time from the dashboard.
- Attorney reviewers only access documents that have been explicitly assigned to them for review. They do not have access to other users' data.
- Internal access to user data is restricted to a need-to-know basis and is logged for audit purposes.
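The owner-only rule described above, shown as an added illustration rather than Dott's own schema or policies: a Supabase/PostgreSQL row-level security (RLS) configuration. The table names, columns and the test UUIDs are assumed for the example. With RLS left off (the weak setting), any client presenting a valid session can read every row through the API; with the policies enabled, the database itself enforces ownership even if an application bug omits a WHERE clause.

```sql
-- Assumed schema for illustration (not Dott's actual schema).
-- on delete cascade: deleting a workspace removes its documents with it.
create table workspaces (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null references auth.users (id) on delete cascade,
  name       text not null,
  created_at timestamptz not null default now()
);

create table documents (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null references workspaces (id) on delete cascade,
  content      text not null
);

-- Weak setting: without RLS, every authenticated session sees every row.
-- Corrected setting: enable RLS, then grant access only through policies.
alter table workspaces enable row level security;
alter table documents  enable row level security;

-- auth.uid() is Supabase's helper that returns the "sub" claim of the
-- caller's JWT, i.e. the signed-in user's id.
create policy "workspaces: owner only" on workspaces
  for all to authenticated
  using      (owner_id = auth.uid())   -- rows the caller may read/modify/delete
  with check (owner_id = auth.uid());  -- rows the caller may insert/update into

-- Documents are reachable only through a workspace the caller owns.
create policy "documents: via owned workspace" on documents
  for all to authenticated
  using (
    exists (select 1 from workspaces w
            where w.id = documents.workspace_id and w.owner_id = auth.uid())
  )
  with check (
    exists (select 1 from workspaces w
            where w.id = documents.workspace_id and w.owner_id = auth.uid())
  );

-- Check: impersonate a user in a throwaway transaction and confirm that
-- another user's rows are invisible. The UUIDs below are assumed values.
begin;
set local role authenticated;
set local request.jwt.claims to
  '{"sub": "00000000-0000-0000-0000-00000000000b", "role": "authenticated"}';

-- Expect only rows owned by user ...000b; any other owner_id here is a bug.
select id, owner_id from workspaces;

-- Expect 0 rows even though user ...000a may own workspaces.
select count(*) from workspaces
 where owner_id = '00000000-0000-0000-0000-00000000000a';
rollback;
```

Two practical checks follow from this: run the impersonation block for at least two users and for the unauthenticated role, and remember that the service-role key bypasses RLS entirely, so it must stay in server-side code and never reach the browser.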
Infrastructure
- Compute: Hosted on Vercel (SOC 2 Type II compliant). All serverless functions run in isolated execution environments.
- Database: Supabase (SOC 2 Type II compliant), backed by PostgreSQL with encryption at rest and in transit.
- AI processing: Anthropic's Claude API (SOC 2 Type II compliant). Document content is sent to Anthropic for analysis under Anthropic's enterprise data policies. Document data is not used to train AI models.
- No third-party analytics, advertising trackers, or data brokers have access to your document content.
Professional Responsibility
- Attorney-validated reviews are conducted under attorney-client privilege. The attorney-client relationship is formed between you and the reviewing attorney, not between you and Dott.
- Reviewing attorneys are licensed, bar-admitted professionals bound by their jurisdictional rules of professional conduct, including confidentiality obligations under their state's Rules of Professional Conduct.
- Dott maintains professional liability insurance covering the attorney-validated review service.
- AI-only analysis tiers (Free and Pro) do not create an attorney-client relationship. Dott is a technology platform, not a law firm.
Contact
- Security questions or concerns: nnamdi@dott.legal
- To report a vulnerability, please email nnamdi@dott.legal with a description of the issue. We take security reports seriously and will respond within 48 hours.