Security & privacy at Dott

How we protect the documents you trust us with.

Encryption

  • TLS 1.2+ protects all data in transit between your browser and Dott's servers.
  • Data at rest is encrypted via Supabase-managed encryption.
  • Files are stored in private storage buckets with row-level security policies enforced at the database level — only the authenticated owner can access their files.

Access controls

  • Only the authenticated user can access their documents and analyses. Storage RLS policies enforce this at the database level.
  • Signed URLs with short expiry are used for any file download — a link that works today does not work tomorrow.
  • No Dott employee browses user documents in the normal course of business.
  • Admin access is scoped to licensed attorneys and Dott staff, and is logged.

What we share, and what we don't

  • Dott does not share user data with employers, recruiters, advertisers, or third parties for marketing purposes.
  • AI analysis runs against the Anthropic API under standard data processing terms — content is processed for the user's analysis and is not used for model training.
  • Attorney connections through the Dott network are handled under privilege. Your information is shared with the attorney only with your explicit consent.
  • We never contact your employer about your use of Dott.

Retention and deletion

  • Users can delete documents and analyses at any time from their dashboard. Deletion is permanent.
  • Account deletion removes all associated data from our systems.
  • Automatic retention windows can be set per user preference.

Subprocessors

The following third-party services process data on behalf of Dott users:

  • Vercel — application hosting and edge delivery
  • Supabase — database, authentication, and file storage
  • Anthropic — AI document analysis (Claude API)
  • Stripe — payment processing
  • Resend — transactional email

Contact

Dott is a SaaS platform, not a law firm. While we apply law-firm-grade care to confidentiality, the attorney-client privilege only attaches when you engage an attorney directly through our network or independently. Use of the AI analysis tool alone does not create an attorney-client relationship.