Security review should not require a second sales call.

Policies, certifications, subprocessors, and review contacts in one place.

Compliance and assurance

Certifications and review artifacts.

Core certifications stay visible. Supporting documents stay one click away.

Certification

SOC 2 Type II Certified

Independent review of security, availability, and confidentiality controls operating over time, not just at a point in time.

Certification

GDPR Compliant

Data handling and customer rights are governed to align with EU privacy requirements, including contractual support during review.

Certification

ISO 27001 Certified

Information security management controls are formalized, documented, and maintained as part of the operating system around the product.

Assurance pack

Supporting artifacts live in MyCroft.

SOC 2 report, insurance details, and zero-data-retention documentation are available there for reviewers who need the full set.

Controls and safeguards

Controls reviewers usually ask about.

Encryption, access, monitoring, incident handling, resilience, and auditability.

Incident response alerts

Monitoring signals are reviewed regularly, and critical alerts are handled through the incident response workflow.

Incident response plan

Duvo follows a documented incident response plan aligned with NIST computer security incident response guidance.

Encryption controls

Encryption at rest and in transit is enforced across the service and its supporting platform architecture.

Encryption management

Encryption keys are handled through managed services rather than ad hoc operator processes.

Endpoint encryption

Company endpoints are required to maintain encryption as part of the baseline security posture.

Platform availability monitoring

Availability monitoring is in place to maintain service continuity against service-level expectations.

Platform availability alerts

Availability alerts are reviewed and addressed according to engineering operating procedures.

Platform availability architecture

The service is deployed on redundant cloud architecture designed to reduce single points of failure.

Role-based access

Access controls include role-based permissions, network protections, and other controls to limit unauthorized access.

Access review

Access to critical systems and delivery resources is reviewed for appropriateness on a recurring schedule.

Application authentication

All user entities authenticate through unique credentials before they can access the service.

Multi-factor authentication

Critical systems and resources require MFA as part of the internal access-control baseline.

Architecture diagram

Service architecture and data-flow diagrams are maintained and can be shared with customer reviewers.

Vulnerability management

Platform and external systems are scanned for vulnerabilities, with findings handled through a defined remediation policy.

Subprocessors

Subprocessors are named and scoped.

Every third-party service Duvo uses is listed with its role below.

Platform / foundational AI

Google Cloud Platform

Platform and infrastructure hosting services, including compute, storage, and AI capabilities.

Development and version control

GitHub

Code hosting, versioning, and collaboration workflows used to build and maintain the product.

Frontend cloud platform

Vercel

Cloud platform used to build, preview, and deploy dynamic web applications.

Foundational AI

Anthropic

Large language model provider used for AI-driven product capabilities under controlled operating modes.

Sandboxed execution

E2B

Secure isolated cloud containers used for sandboxed execution and controlled runtime environments.

Communication and collaboration

Slack

Used as a secure internal and customer-support coordination channel for selected support workflows.

Resources

Start with what you can read now.

Public documents are linked here. Others can be requested through MyCroft.

Public

Privacy policy

How Duvo collects, uses, protects, and governs customer information and privacy rights.

Public

Terms of Use

The agreement governing use of the Duvo platform, including responsibilities, limitations, and service terms.

Public

Cookie Policy

How Duvo uses cookies and similar technologies across its websites and services.

MyCroft

Review documents in MyCroft

SOC 2 report, ISO 27001 certificate, insurance details, and other review artifacts available on request.

Frequently asked questions

Direct answers for the first review.

Common questions from security reviews.

What happens to our sensitive data?

Duvo does not train its own or third-party models on customer data. Where supported, model traffic runs in zero-data-retention mode so prompts and outputs are not stored for model training.

Can we bring our own AI endpoint?

Yes. Duvo supports customer-managed and dedicated AI endpoints, including single-tenant deployments where teams need tighter control.

Can we get EU or US data residency?

Yes. Hosting, model routing, and browser sandboxes can be constrained to EU-only or US-only infrastructure based on regulatory and internal requirements.

How do you ensure confidential data is not exposed within one team?

Access follows the scope of the user or role that starts the task. Tenant isolation is enforced across the application and data layers, and sensitive actions can require human approval.

How is data cached, logged, and versioned during agent execution?

Duvo minimizes retained data and stores what is needed for auditability and troubleshooting. Logs focus on actions and outcomes, data at rest is encrypted, traffic in transit uses TLS, and run history is tracked with audit trails.

All review documents in one place.

Request security, compliance, or procurement documents directly through MyCroft.