Trust Center

SOC 2 Type II CertifiedGDPR CompliantHIPAAISO

Overview

dave.io takes concrete, technical steps to keep your data, infrastructure, and access secure — details on each control are covered in the sections below.

Agentic Layer

  • Each agent executes within a fully isolated, secure sandbox environment. This isolation ensures that an agent can access only the data explicitly provisioned to it, such as cloned repositories, retrieved artifacts, and fetched files.
  • Credentials obtained through integrations are securely injected into the execution environment and are never directly exposed to the agent itself.
  • Agent capabilities are strictly constrained to approved CLI and MCP interfaces, enforced through an explicit allowlist.
  • Any operation that requires write or elevated permissions is governed by a just-in-time (JIT) access model. Elevated access is granted only for the specific operation, requires prior approval from our FDE, and is automatically revoked immediately after completion.

Context Lake

Your context lake resides securely within a physically isolated database instance. Access to its contents is strictly confined to your Dave agent, who has no means of sharing the data elsewhere. Additionally, a secure pipeline, dedicated solely to the context lake, handles all data ingestion and retrieval.

BYOC

Our standard deployment maintains robust security, with your data physically separated and isolated from other customers. For clients seeking maximum assurance, dave.io also supports Bring Your Own Cloud (BYOC). With this model, your sandbox environment and context lake storage reside entirely within your own cloud environment, ensuring your data and infrastructure remain under your complete control. This model provides the ultimate sovereign deployment for environments with strict compliance and trust requirements.

Compliance

dave.io is SOC 2 Type II, GDPR, HIPAA, and ISO compliant— reflecting independently audited controls around security, availability, processing integrity, confidentiality, and data privacy.

SOC 2 Type II Certified

Independently audited controls over security, availability, processing integrity, confidentiality, and privacy— verified over a sustained period, not a single point in time.

GDPR Compliant

Data handling, storage, and transfer practices align with EU data protection law: data minimization, access/erasure rights, and breach notification.

HIPAA Compliant

Administrative, physical, and technical safeguards aligned with HIPAA requirements for protected health information.

ISO

Information security management system aligned with ISO/IEC 27001: risk assessment, access control, and continuous improvement.

FAQ

Privacy Policy

dave.io collects the minimum personal information needed to run the website and deliver the service — who you are, how you use it, and what's needed to support you. This policy covers what's collected, how it's stored and shared, and how to request access, correction, or deletion. Contact privacy@dave.io with questions.

Privacy policy

Contact

Questions about our security practices or compliance posture? Contact us.