Security

Security is foundational to DeerDawn. We implement defense-in-depth strategies across infrastructure, application, and data layers to protect your AI session memory — the brief your tools read before every session.

Infrastructure Security

Encryption: All data is encrypted at rest using AES-256 and in transit using TLS 1.3+. We enforce HTTPS for all API and dashboard connections with automatic HTTP-to-HTTPS redirects.

Network Isolation: Our API runs in isolated network segments with strict firewall rules. Database connections are encrypted and restricted to authenticated application servers only.

Hosting: We use Fly.io for geographically distributed application hosting with automated failover and Neon for PostgreSQL with continuous backups and point-in-time recovery.

Application Security

Authentication: Multi-mode authentication supports API keys (SHA-256 hashed) for machine-to-machine access and OAuth 2.0 bearer tokens for user sessions. API keys support expiration enforcement and environment scoping (sandbox/production).
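A sketch of how hashed API keys with expiration and environment scoping can be verified, added here as an illustration and not taken from DeerDawn's code base. The key format (`dd_<env>_<id>_<secret>`), the record fields and the function names are assumptions.

```javascript
// Added illustration; not DeerDawn's code. Key format, record fields and
// function names are assumptions made for this example.
const crypto = require("node:crypto");

// Plain SHA-256 is adequate here because the secret is 256 bits of randomness,
// not a human-chosen password.
const sha256 = (s) => crypto.createHash("sha256").update(s, "utf8").digest();

// Issue a key: the caller sees the plaintext once, the store keeps only the hash.
function issueKey(store, { env, scopes, ttlMs, now = Date.now() }) {
  const id = crypto.randomBytes(6).toString("hex"); // public lookup handle
  const secret = crypto.randomBytes(32).toString("base64url");
  store.set(id, { hash: sha256(secret), env, scopes, expiresAt: now + ttlMs });
  return `dd_${env}_${id}_${secret}`;
}

// Verify a presented key against the environment and scope of the request.
function verifyKey(store, presented, { env, scope, now = Date.now() }) {
  const m = /^dd_(sandbox|production)_([0-9a-f]{12})_([A-Za-z0-9_-]{43})$/.exec(presented);
  if (!m) return { ok: false, reason: "malformed" };
  const [, keyEnv, id, secret] = m;
  const rec = store.get(id);
  // Hash and compare even when the id is unknown so both paths do the same work.
  const expected = rec ? rec.hash : Buffer.alloc(32);
  const match = crypto.timingSafeEqual(sha256(secret), expected);
  if (!rec || !match) return { ok: false, reason: "unknown_key" };
  if (now >= rec.expiresAt) return { ok: false, reason: "expired" };
  if (keyEnv !== rec.env || rec.env !== env) return { ok: false, reason: "wrong_environment" };
  if (!rec.scopes.includes(scope)) return { ok: false, reason: "missing_scope" };
  return { ok: true, keyId: id };
}
```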

Authorization: Role-based access control (RBAC) with granular scopes including admin, operator, approver, and read-only roles. Organizations are strictly isolated with multi-tenancy enforced at the database and application layers.

Rate Limiting: Redis-backed rate limiting protects against abuse and DoS attacks. Rate limits are enforced per IP address and per API key with configurable thresholds.

Input Validation: All API requests are validated using Zod schemas with strict type checking. Request payloads are limited to 256KB to prevent memory exhaustion attacks.

Security Headers: We enforce Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, and other security headers via Helmet middleware.

Session Memory Data

DeerDawn session memory stores structured extractions from your AI conversations — not transcripts. Here is exactly what is and is not stored.

What DeerDawn stores

Stored: Current task, project status, goals, open questions, recent decisions, tech stack notes, file paths, and source/provenance metadata for extracted context.

Not stored: Full conversation transcripts, secrets, passwords, API keys, or payment data. The extraction pipeline only writes structured fields — raw message content is discarded after extraction.

Encryption: All context data is encrypted at rest using AES-256 and in transit using TLS 1.3+. We enforce HTTPS across the API and dashboard.

Auto-cleanup: Completed goals, resolved questions, and replaced tasks are automatically removed from the context graph when DeerDawn detects completion language in an update_context call. Stale nodes do not accumulate.

User Data Controls

Every user has direct controls over their context data from the Security tab in the dashboard.

Access log: Every read, write, export, or deletion of your context data generates an audit entry visible in the dashboard. Actor type (user, MCP tool, system) and timestamp are always recorded.

Field exclusions: Mark specific context fields as excluded in your preferences. Excluded fields are never written to the database, even if detected during extraction.

TTL / auto-expiry: Set a TTL (e.g. 30 days). Projects that have not been updated within that window are automatically and permanently purged.

Data export: Download everything DeerDawn has stored — projects, graph nodes, and your full audit log — as a structured JSON file at any time.

Verified deletion: Delete all your data immediately from the Security dashboard. The deletion is permanent and returns a signed HMAC confirmation token as cryptographic proof it happened.
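The shape of an HMAC-signed deletion confirmation, added here as an illustration and not taken from DeerDawn's code base. The token layout (`<payload>.<tag>`), the claim names and the function names are assumptions.

```javascript
// Added illustration; not DeerDawn's code. Token layout, field names and
// function names are assumptions made for this example.
const crypto = require("node:crypto");

const b64u = (buf) => Buffer.from(buf).toString("base64url");
const mac = (key, data) => crypto.createHmac("sha256", key).update(data).digest();

// Issue "<payload>.<tag>": payload is base64url JSON, tag is HMAC-SHA256 over it.
function signDeletionReceipt(key, { orgId, deletedAt, purged }) {
  const payload = b64u(JSON.stringify({ v: 1, op: "delete_all", orgId, deletedAt, purged }));
  return `${payload}.${b64u(mac(key, payload))}`;
}

// Returns the decoded claims when the tag is valid, otherwise null.
// HMAC is symmetric: only a holder of `key` (the issuer) can run this check.
function verifyDeletionReceipt(key, token) {
  const parts = String(token).split(".");
  if (parts.length !== 2) return null;
  const [payload, tag] = parts;
  // Compare the encoded tags as strings so non-canonical encodings are rejected.
  const given = Buffer.from(tag);
  const expected = Buffer.from(b64u(mac(key, payload)));
  // timingSafeEqual throws on a length mismatch, so check the length first.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  // Parse only after authentication so unauthenticated JSON is never trusted.
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  return claims.v === 1 && claims.op === "delete_all" ? claims : null;
}
```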

Data Protection

PII Redaction: DeerDawn is designed to store structured project context rather than raw transcripts. Users should avoid placing secrets or unnecessary personal data into project context, and can delete or export workspace data from the dashboard.

Data Retention: Free workspaces keep a short history; paid workspaces keep a longer history according to the active plan. Customers can request early deletion or remove workspace data from the dashboard.

Audit Logging: Sensitive administrative actions such as API key creation, user management, export, and deletion are logged with actor and timestamp for security review.

Data Isolation: Each organization's data is logically isolated in the database. Cross-tenant data leakage is prevented by parameterized queries that enforce org_id filtering.

Resilience and Availability

Circuit Breakers: Database calls are wrapped in circuit breakers so transient infrastructure problems fail predictably instead of cascading through the app.

Caching: Selected context and setup status data may be cached briefly to reduce database load and improve latency. Cache invalidation occurs on writes.

Emergency Lockdown: Workspaces can be locked in emergency scenarios to prevent further API access while preserving data for investigation.

Monitoring and Incident Response

Real-time Monitoring: We monitor API health, briefing failures, checkout events, setup status, and service latency.

Status Transparency: Our status page at deerdawn.com/status provides real-time uptime metrics and incident history.

Incident Response: We maintain an incident response plan with defined escalation procedures. Security incidents are reported to affected customers within 72 hours as required by GDPR.

Vulnerability Management: Dependencies are scanned in CI/CD pipelines, and high-severity findings block releases until patched.

Compliance and Certifications

SOC 2 Type II: We are actively pursuing SOC 2 Type II certification, and our current security controls are designed to meet SOC 2 requirements. We’ll publish the certification status here as it’s finalized.

GDPR and CCPA: We provide a Data Processing Addendum (DPA) for GDPR compliance and support data subject rights (access, rectification, erasure, portability). See our DPA and Privacy Policy for details.

Data Location: All data processing occurs within the United States. International transfers use Standard Contractual Clauses (SCCs) approved by the European Commission.

Responsible Disclosure

If you discover a security vulnerability in DeerDawn, please report it to security@deerdawn.com. We commit to responding within 48 hours and will work with you to understand and address the issue promptly. We do not currently offer a bug bounty program but deeply appreciate responsible disclosure.

Last updated: May 2026

For security inquiries: security@deerdawn.com