Doris is designed to support customers’ regulatory obligations, with a focus on UK and EU GDPR-related requirements.
GDPR
- Roles: In most customer deployments, the customer acts as controller and Doris Labs acts as processor
- Instructions: Processing is carried out under customer instructions, product configuration, and the applicable agreement
- Data subject rights: Product features are intended to help customers respond to access, rectification, erasure, portability, and restriction requests
- No sale of customer data: Customer personal data is not sold for unrelated advertising or third-party monetization
- AI processing: AI-assisted processing is performed under commercial service terms rather than to train publicly available models
Data Processing Agreement
A Data Processing Agreement (DPA) is available for eligible customers and typically covers:
- Scope and categories of personal data processed
- Security measures (Schedule 4 of our MSA)
- Sub-processor obligations and notification procedures
- International data transfer safeguards
- Data subject rights cooperation
- Breach notification timelines
- Audit rights
Sub-Processors
We may engage third-party service providers to support delivery of the service:
| Sub-Processor | Service | Primary Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure, compute, and storage | UK South |
| Azure OpenAI | AI inference | UK South / US East |
| Auth0 | Authentication and identity management | UK / EEA |
| Stripe | Payment processing | US / Global |
| Datadog | Application monitoring and telemetry | EEA |
| Sentry | Error tracking | EEA |
Customer-configured integrations (enabled at your discretion):
| Integration | Service | Location |
|---|---|---|
| Google Calendar API | Calendar sync and meeting recording | Customer-configured |
| Microsoft Graph | Calendar and email integration | Customer-configured |
| HubSpot | CRM integration | Customer-configured |
| Salesforce | CRM integration | Customer-configured |
| Attio | CRM integration | Customer-configured |
| Gong | Conversation intelligence | Customer-configured |
Sub-processor notices and objection rights, where offered, are governed by the applicable customer agreement.
Security Reviews
- Available assurance materials and review rights, if any, are governed by contract
- Security reviews may be satisfied through documentation, questionnaires, or other reasonable verification methods
- Any additional review process is subject to scope, confidentiality, operational constraints, and legal requirements
Assurance Roadmap
Doris Labs continues to mature its control environment and may pursue independent attestations over time:
| Framework | Status |
|---|---|
| SOC 2-aligned controls | Internal program maturity in progress |
| ISO 27001-aligned controls | Internal program maturity in progress |
The security measures documented in this trust center reflect our current operating practices at a high level and do not constitute a certification or contractual guarantee unless expressly stated in writing.
Secure Development Lifecycle
Our SDLC incorporates security at every stage:
- Source control: Code changes are tracked in version control with review workflows
- Static analysis: Security scanning and dependency checks are integrated into development workflows
- Secrets management: Sensitive values are managed through dedicated secret stores and runtime delivery
- Environment separation: Production and non-production environments use separate credentials and infrastructure boundaries
- CI/CD security: Deployment pipelines use short-lived or federated authentication where supported