Security and data protection
This page describes the security posture of dakimmo. We describe it in plain language and we do not claim certifications we do not hold. If you need specifics for your own compliance or for an end-customer audit, write to contact@dakimmo.com and we will share documentation under a simple confidentiality agreement.
1. Encryption in transit and at rest
Your data always travels over channels encrypted with TLS 1.3 — from your browser or mobile app to our servers. The certificate authority is rotated regularly and we block older TLS versions that are no longer considered secure.
Your data is stored encrypted at rest with AES-256. Backups are encrypted to the same standard and are kept for thirty days, with point-in-time restore for the last seven. Encryption keys live in a dedicated key-management service, separated from storage.
2. Access controls
Access to production infrastructure is restricted to a small number of people on the team, authenticated with mandatory two-factor authentication and recorded in an audited log. Internal passwords are rotated, SSH keys are protected with passphrases, and access is revoked within twenty-four hours when someone leaves the team.
On your side, you can enable two-factor authentication on your dakimmo account using a TOTP app (Authy, Google Authenticator, 1Password). On Agency and Custom plans, administrators can manage permissions per agent — what each one can view, edit, and export.
3. Hosting and data residency
Your data is hosted on infrastructure operated by tier-1 cloud providers, with replication across availability zones to tolerate the loss of a single data center without data loss. The exact region is documented in the data-processing agreement we sign when you onboard onto Agency or Custom.
For customers with specific residency requirements (public sector, regulated markets), we can discuss dedicated hosting in a specific region on the Custom plan. Ask during the scoping call.
4. Backups and continuity
We run encrypted daily backups with automatic integrity verification. Once a quarter we run a real restore drill to confirm the procedure works — we do not trust backups that have never been restored.
If a major incident affects the service, we notify you by email as soon as we confirm it and publish updates on a public status page. Our recovery objective is to restore the service in under four hours for major incidents and under thirty minutes for minor ones.
5. Incident notification and disclosure
If we detect a security incident affecting your personal data, we notify you by email within seventy-two hours with the information we have at that moment — what happened, which data is affected, what we have done, and what we recommend you do on your side. We keep an internal log of every incident to honor our obligations to data protection authorities when applicable.
If you find a security flaw in dakimmo, write to security@dakimmo.com. We take responsible disclosure seriously: confirmation of receipt within twenty-four hours, investigation within a week, and a status update through to the fix.
6. Sub-processors and vendor management
When a third-party vendor processes data on our behalf (cloud hosting, transactional email, payment processor, e-signature), we sign a data-processing agreement that records their security, confidentiality, and incident-notification obligations.
The current sub-processor list and the associated contractual documentation are available on request. Write to contact@dakimmo.com.
7. Your data stays yours
You can export all your data as CSV from your account at any time, without asking permission and at no extra cost. The export covers contacts, pipeline, documents, messages, and associated metadata.
If you cancel, we keep the data for thirty days in case you come back or need an additional export. After thirty days the data is irreversibly deleted from active systems. Encrypted backups then age out through the standard thirty-day retention cycle, so within sixty days of cancellation no trace of your data remains.
A security question or a vulnerability to report? Write to security@dakimmo.com — a human reads it.