Legal
Security policy
Effective Date: 2025-07-01
Last Updated: 2025-08-27
Dimedove Technologies Inc.
4 Pl. Ville-Marie #300
Montréal, QC H3B 2E7, Canada
Email: security@dimedove.com
4 Pl. Ville-Marie #300
Montréal, QC H3B 2E7
Canada General Support: support@dimedove.com
Legal Inquiries: legal@dimedove.com Security Inquiries: security@dimedove.com
Dimedove is committed to maintaining the highest standards of security and privacy protection for our customers’ data and AI agent interactions. This Security Policy reflects our ongoing commitment to transparency and continuous improvement in our security practices.
Last Updated: 2025-08-27
Overview
At Dimedove, we take the protection of customer data extremely seriously. This Security Policy describes the organizational and technical measures Dimedove implements platform-wide designed to prevent unauthorized access, use, alteration, or disclosure of customer data and AI agent interactions. Our AI agent building platform operates on Amazon Web Services (“AWS”), and this policy describes security activities within our AWS infrastructure unless otherwise specified. As you continue to learn more about Dimedove, we recommend you also review our Terms of Service, Privacy Policy, and Cookie Policy. Company Information:Dimedove Technologies Inc.
4 Pl. Ville-Marie #300
Montréal, QC H3B 2E7, Canada
Security Team and Philosophy
Our infrastructure and security team includes experienced professionals who have designed, built, and operated secure internet-facing systems across various industries, from startups to enterprise organizations. We implement security-by-design principles throughout our AI agent platform development and operations. Security Principles:- Zero-Trust Architecture: No implicit trust within our network infrastructure
- Defense in Depth: Multiple layers of security controls and monitoring
- Continuous Monitoring: Real-time security event detection and response
- Privacy by Design: Security and privacy considerations integrated from the ground up
- Compliance Focus: Adherence to Canadian privacy laws (including Quebec’s Bill 25), PIPEDA, and industry standards
Security Best Practices
Incident Response Plan
Formal Security Procedures:- Comprehensive incident response procedures for security events
- Regular staff security awareness training
- Immediate escalation of incidents to the emergency response team
- Rapid assembly of response teams to address any security events
- Thorough post-mortem analyses conducted after resolution
- Findings documented and distributed to relevant stakeholders
- Action items implemented to improve detection and prevention capabilities
- Lessons learned incorporated into security training and procedures
- Prompt written notification to customers upon verification of any security breach affecting customer data
- Notification includes nature of breach, affected data, and status of investigation
- Guidance provided on any actions customers should take to protect their interests
- In accordance with Quebec’s Bill 25, all confidentiality incidents (breaches or security events involving personal information) are logged and maintained in an internal register
- Records are available to regulators or other authorized parties upon request
Build Process and Deployment Security
Automated Deployment Pipeline:- Secure, automated deployment processes for reliable code deployment
- Deployment automation includes security scanning and validation checks
- Regular code updates with rapid deployment of security fixes when required
- All deployments logged, monitored, and reversible if security issues are detected
- All code changes undergo security review and automated testing
- Static code analysis tools identify potential vulnerabilities
- Dependencies and libraries updated regularly and scanned for known vulnerabilities
- Security testing integrated into continuous integration and deployment pipeline
Infrastructure Security
Cloud Infrastructure
AWS Foundation:- All Dimedove services run in Amazon Web Services (AWS) cloud infrastructure
- No physical servers, routers, load balancers, or DNS servers are maintained by Dimedove
- Infrastructure leverages AWS security controls and compliance certifications
- AWS security details: AWS Security
- Services designed with disaster recovery and business continuity in mind
- Infrastructure distributed across multiple AWS availability zones
- Automated backup and recovery procedures ensure data protection and continuity
- Regular disaster recovery testing validates recovery capabilities
- All servers operate within isolated Virtual Private Clouds (VPCs)
- Network Access Control Lists (ACLs) prevent unauthorized access
- Security groups provide additional firewall protection
- All network traffic monitored and logged for analysis
Data Storage and Protection
Data Hosting Locations:- Dimedove services and data hosted in AWS regions: US East (us-east-1) and Canada Central (ca-central-1)
- Data residency preferences can be accommodated based on customer requirements
- Compliance with Canadian data localization requirements where applicable
- Customer data stored in secure, multi-tenant datastores with strict logical separation
- Application-level privacy controls prevent cross-customer access
- Comprehensive unit and integration tests validate privacy controls continuously
- Test failures prevent deployment to production environments
- All systems hardened using industry standards
- Regular patching and updates applied
- Minimal necessary privileges enforced
- Unused services and ports disabled to reduce attack surface
Data Security and Encryption
Data in Transit
Encryption Standards:- TLS 1.3 with 256-bit encryption for all transmitted data
- API and application endpoints are TLS/SSL only
- HTTP Strict Transport Security (HSTS) and Perfect Forward Secrecy implemented
- Regular SSL/TLS testing ensures optimal security ratings
Data at Rest
Storage Encryption:- All customer data encrypted at rest using AES-256
- Encryption keys managed via AWS Key Management Service (KMS)
- Database encryption includes both data files and backups
- AI agent conversation data receives additional encryption protections
- Automated backup systems with encryption
- Backups stored across multiple geographic locations
- Regular restoration testing validates recovery
- Strictly controlled and monitored backup access
Authentication and Access Controls
Platform Authentication
Secure Access:- Platform served 100% over HTTPS
- Zero-trust network architecture principles applied
- Multi-factor authentication (MFA) available and encouraged
- Strong password policies enforced
- Integration with Kinde for robust IAM
- Single Sign-On (SSO) support
- OAuth integration with trusted providers (e.g., Google)
- Automatic session timeout and secure invalidation
Administrative Controls
Employee Access:- Employee access to production requires MFA
- Principle of least privilege enforced
- Regular access reviews conducted
- Administrative actions logged and monitored
- Granular permission levels available for team members
- Role-based access controls include AI agent, billing, and administrative functions
- Customer administrators manage user access independently
- Permission changes logged and auditable
Monitoring and Auditing
Application Monitoring
Comprehensive Logging:- Real-time logging of platform activity
- Audit logs capture user actions, system events, and security activities
- Centralized log data with retention policies
- SIEM tools analyze logs for threats
- All application and infrastructure access logged
- Bastion hosts provide secure, monitored production access
- Restricted and audited administrative console access
- Anomalous access patterns trigger alerts
Security Analytics
Threat Detection:- Automated monitoring systems detect suspicious activity
- ML algorithms flag anomalous behaviors
- Real-time alerts enable rapid response
- Threat intelligence feeds enhance detection
Third-Party Integrations and Subprocessors
AI Service Providers
AI Model Partners:- OpenAI — Natural language processing and AI services
- Google — Cloud, authentication, AI capabilities
- Anthropic — Advanced AI services
- Groq — High-performance AI inference
- Meta — AI research and model services
- All AI service providers undergo Privacy Impact Assessments (PIAs) to evaluate risks and safeguards
- Data sharing agreements include security and privacy protections
- Provider certifications and reports reviewed as part of our due diligence
Subprocessors List
Dimedove engages subprocessors to deliver services effectively. Our current subprocessors include infrastructure, payment, authentication, and AI providers.- List: Dimedove Subprocessors
- Further details available upon request
Security Audits and Compliance
Current Security Practices
Ongoing Security Assessments:- Regular internal security assessments and penetration testing
- Vulnerability scanning and management programs
- Third-party reviews and audits as we scale
- Continuous security monitoring and threat assessment
- Compliance with Canadian privacy laws including Bill 25 and PIPEDA
- Implementation of security frameworks and best practices
- Regular review and updates to policies and procedures
- Documentation and evidence collected for compliance initiatives
Future Compliance Goals
Planned Certifications:- SOC 2 Type II audit preparation and certification
- ISO/IEC 27001 evaluation for broader compliance
- Continuous improvement of compliance readiness
- Payment processing handled by Stripe, PCI DSS compliant
- Dimedove does not process, store, or transmit card data
- Stripe security practices: Stripe Security
Customer Security Responsibilities
Account Management
Customer Obligations:- Manage accounts, roles, and permissions
- Implement strong password policies and enable MFA
- Promptly remove access for users no longer requiring it
- Regularly review permissions and access levels
Security Best Practices
Recommended Actions:- Enable MFA for all team members
- Secure development practices when using Dimedove APIs
- Security awareness training for team members
- Maintain secure configurations for deployed AI agents
Incident Reporting
Customer Responsibilities:- Promptly notify Dimedove if credentials are compromised
- Report suspected security incidents immediately
- Cooperate with Dimedove investigations
- Maintain incident response procedures for AI agent security events
Security Testing
Important Restrictions:- Customers may not perform penetration tests without written consent
- Authorized testing must be coordinated with our security team
- Vulnerabilities must be reported via responsible disclosure
Data Processing and AI Security
AI Agent Security
Conversation Protection:- All AI agent conversations encrypted in transit and at rest
- Access strictly controlled and logged
- AI agent responses monitored for potential risks
- Customer-deployed AI agents inherit platform protections
- Encrypted API access for AI models
- Training data and parameters protected with access controls
- Customer data not used to train AI models
- Safeguards in place against adversarial prompts and injection attacks
Data Privacy Protection
Privacy by Design:- Minimized collection and retention of personal data
- Pseudonymization and anonymization applied where possible
- Access restricted to authorized personnel only
- Regular Privacy Impact Assessments ensure compliance
Contact Information and Security Support
Security Communications
General Security Inquiries:Email: security@dimedove.com
Business Contact
Dimedove Technologies Inc.4 Pl. Ville-Marie #300
Montréal, QC H3B 2E7
Canada General Support: support@dimedove.com
Legal Inquiries: legal@dimedove.com Security Inquiries: security@dimedove.com
Policy Updates and Changes
This Security Policy may be updated periodically to reflect changes in our security practices, technology infrastructure, or regulatory requirements. Material changes will be communicated to customers through appropriate channels, and the updated policy will be published on our website with a revised effective date. For questions about this Security Policy or our security practices, please contact our security team at security@dimedove.com.Dimedove is committed to maintaining the highest standards of security and privacy protection for our customers’ data and AI agent interactions. This Security Policy reflects our ongoing commitment to transparency and continuous improvement in our security practices.