Doris is designed to support customers’ regulatory obligations, with a focus on UK and EU GDPR-related requirements.
GDPR
- Roles: In most customer deployments, the customer acts as controller and Doris Labs acts as processor
- Instructions: Processing is carried out under customer instructions, product configuration, and the applicable agreement
- Data subject rights: Product features are intended to help customers respond to access, rectification, erasure, portability, and restriction requests
- No sale of customer data: Customer personal data is not sold for unrelated advertising or third-party monetization
- AI processing: AI-assisted processing is performed under commercial service terms rather than to train publicly available models
Data Processing Agreement
A Data Processing Agreement (DPA) is available for eligible customers and typically covers:
- Scope and categories of personal data processed
- Security measures (Schedule 4 of our MSA)
- Sub-processor obligations and notification procedures
- International data transfer safeguards
- Data subject rights cooperation
- Breach notification timelines
- Audit rights
Contact sales@meetdoris.com to request a copy of our DPA.
Sub-Processors
We may engage third-party service providers to support delivery of the service:
| Sub-Processor | Service | Primary Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure, compute, and storage | UK South |
| Azure OpenAI | AI inference (primary LLM, embeddings, image generation) | UK South / EU |
| Anthropic | Claude model inference for selected agent workflows | US (direct); UK/EU via Azure Foundry |
| OpenAI | GPT model inference where Azure coverage is unavailable | US |
| Attendee | Meeting bot, recording, and transcription | US |
| Auth0 | Authentication and identity management | UK / EEA |
| Stripe | Payment processing | US / Global |
| Resend | Transactional email delivery | US / EU |
| Datadog | Application monitoring and telemetry | EEA |
| Sentry | Error tracking | EEA |
| Mixpanel | Product analytics | EU |

| Integration | Service | Location |
|---|---|---|
| Google Calendar API | Calendar sync and meeting recording | Customer-configured |
| Microsoft Graph | Calendar and email integration | Customer-configured |
| HubSpot | CRM integration | Customer-configured |
| Salesforce | CRM integration | Customer-configured |
| Attio | CRM integration | Customer-configured |
| Zoom | Video conferencing and meeting recording | Customer-configured |
| Gong | Conversation intelligence | Customer-configured |
AI inference providers are operated under commercial terms with zero-retention and no-training configurations. International transfers use Standard Contractual Clauses or the UK International Data Transfer Agreement where applicable.
Sub-processor notices and objection rights, where offered, are governed by the applicable customer agreement.
Security Reviews
- Available assurance materials and review rights, if any, are governed by contract
- Security reviews may be satisfied through documentation, questionnaires, or other reasonable verification methods
- Any additional review process is subject to scope, confidentiality, operational constraints, and legal requirements
Assurance Roadmap
Doris Labs continues to mature its control environment and may pursue independent attestations over time:
| Framework | Status |
|---|---|
| SOC 2-aligned controls | Internal program maturity in progress |
| ISO 27001-aligned controls | Internal program maturity in progress |
Secure Development Lifecycle
Our SDLC incorporates security at every stage:
- Source control: Code changes are tracked in version control with review workflows
- Static analysis: Security scanning and dependency checks are integrated into development workflows
- Secrets management: Sensitive values are managed through dedicated secret stores and runtime delivery
- Environment separation: Production and non-production environments use separate credentials and infrastructure boundaries
- CI/CD security: Deployment pipelines use short-lived or federated authentication where supported