Security & Trust

Built with security first

Dwell is designed to protect the organizations, contacts, and data you entrust to us. This page details the controls we have in place and our path toward formal SOC 2 compliance.

Framework

SOC 2 Trust Service Criteria

SOC 2 defines five Trust Service Criteria categories. Here is how Dwell addresses each.

CC

Security

Common Criteria

The foundational SOC 2 category. Systems are protected against unauthorized access, both physical and logical.

  • Role-based access control (RBAC) with least-privilege enforcement
  • Multi-factor authentication support via NextAuth
  • Session management with expiring tokens
  • All data in transit encrypted via TLS 1.2+
  • All data at rest encrypted (AES-256) on Neon PostgreSQL

A

Availability

Uptime & Reliability

The system is available for operation and use as committed or agreed upon.

  • Deployed on Render with automatic restarts and health checks
  • Database hosted on Neon with built-in replication and failover
  • Stateless Next.js API routes — horizontally scalable
  • Background job queue for resilient message delivery
  • Incident alerting via platform monitoring dashboards

PI

Processing Integrity

Accurate & Complete

System processing is complete, valid, accurate, timely, and authorized.

  • Input validation on all API endpoints (Zod / runtime checks)
  • Idempotent message-sending with deduplication guards
  • Audit trail: activity-logger records all state-changing events
  • Transactional database writes prevent partial updates
  • Error handling with structured logging for every API route

C

Confidentiality

Data Protection

Information designated as confidential is protected as agreed or required.

  • Workspace isolation — all queries scoped by workspaceId
  • OAuth tokens (Google, Meta, MailChimp, PCO) encrypted at rest
  • Twilio credentials stored encrypted, never logged
  • Cross-tenant isolation enforced at the ORM layer (Prisma), so no workspace can read another workspace's rows
  • Admin endpoints gated behind OWNER role + superAdmin flag

P

Privacy

Personal Data

Personal information is collected, used, retained, and disclosed in conformity with commitments.

  • Minimal data collection — only what is needed for platform function
  • Right to erasure: contacts and workspace data can be permanently deleted
  • CSV export available for data portability
  • Planning Center sync respects source-of-truth ownership
  • Privacy Policy published and linked from all user-facing surfaces

In Practice

Security Controls in Detail

Specific technical and operational measures deployed across every layer of the platform.

Authentication & Sessions

  • NextAuth.js with secure, httpOnly, SameSite cookies
  • Password hashing via bcrypt (cost factor 12)
  • Session tokens rotate on re-login
  • Invite-only workspace onboarding — no open registration

Authorization & Access Control

  • Six-tier RBAC: Owner → Admin → Manager → Contributor → Viewer → Guest
  • Permission matrix enforced server-side on every API route
  • Super-admin flag for platform-level operations, separate from workspace roles
  • Contacts/messages scoped to assigned user or workspace (configurable)

Data Storage & Encryption

  • PostgreSQL on Neon with TLS-enforced connections
  • AES-256 encryption for all OAuth tokens and messaging credentials
  • Soft-deletes on contacts (deletedAt) to support audit requirements
  • Database access whitelisted to Render IP ranges only

Network & Infrastructure

  • All traffic over HTTPS with HSTS headers
  • CORS policies restricted to known origins
  • Environment secrets stored in Render secret groups, never in source
  • Separate staging (render-deploy) and production (main) environments
  • ISO 27001 Alignment: our ISMS is built on ISO 27001 core principles — rigorous access controls, continuous threat monitoring, and vendor risk management to protect global networks

Audit Logging

  • Activity logger records every create/update/delete action with actor, timestamp, and workspace
  • Message delivery status tracked per recipient
  • Integration sync events logged with result counts and error details
  • Role changes and invitation activity recorded

Messaging & Communication Security

  • Messaging guardrails prevent communication outside designated hours
  • Opt-out management with STOP keyword handling (Twilio)
  • Rate limiting on message-sending paths to prevent abuse
  • Campaign sends require OWNER or ADMIN confirmation

Third-Party Integrations

  • OAuth 2.0 for Google Ads, Meta Ads, Planning Center, Mailchimp
  • Minimum-scope OAuth permissions requested
  • Tokens refreshed server-side — never exposed to browser
  • Integration revocation clears all stored tokens immediately

Incident Response

  • Render health-check auto-restart on service failure
  • Database connection errors surfaced in structured API responses
  • Security contact: security@dwellinsights.com
  • Responsible disclosure welcomed — see contact below

Roadmap

Compliance Progress

We track our progress toward formal SOC 2 certification transparently.

  • TLS everywhere + HSTS (Done)
  • RBAC with permission matrix (Done)
  • Encrypted credential storage (AES-256) (Done)
  • Audit activity logging (Done)
  • Workspace data isolation (Done)
  • Soft-delete + data portability (CSV export) (Done)
  • Formal SOC 2 Type I readiness assessment
  • Penetration testing by third-party auditor
  • Vendor risk management documentation
  • Business continuity & disaster recovery plan
  • SOC 2 Type II audit engagement
  • ISO 27001 Certification
  • GDPR Data Processing Agreements (DPAs) for enterprise

Other Applicable Standards

GDPR

Dwell supports GDPR obligations through minimal data collection, contact data export, right-to-erasure workflows, and clear privacy notices. Enterprise customers may request Data Processing Agreements (DPAs).

CCPA

California residents can exercise rights to know, delete, and opt-out via the data deletion request process. We do not sell personal data to third parties.

TCPA (SMS Compliance)

All outbound SMS is delivered via Twilio with opt-out (STOP) handling. Messaging guardrails enforce quiet hours. Platform operators are responsible for maintaining consent records for their contacts.

CAN-SPAM (Email)

Bulk email campaigns are subject to CAN-SPAM requirements. Dwell provides unsubscribe management and recommends all operators include accurate sender identification.

COPPA (Children's Online Privacy Protection Act)

Dwell is designed for users aged 13 and older. For organizations and ministries using Dwell for youth communication, the Workspace Admin assumes full responsibility for obtaining verifiable parental consent before importing, messaging, or routing data for minors.

HIPAA & Protected Health Information (PHI)

Out of Scope

While Dwell facilitates deep community connection, standard SMS is not a secure channel for transmitting medical data. Dwell operates outside of HIPAA scope, and our Acceptable Use Policy strictly prohibits Workspace Admins from using the platform to solicit, transmit, or store Protected Health Information.

Security questions or concerns?

We welcome responsible disclosure. If you discover a vulnerability or have a security question, please reach out directly.

security@dwellinsights.com

Last reviewed: March 2026