Compliance

How we secure the infrastructure.

DoReply runs on standards that enterprise customers can take seriously. No vague marketing claims, just concrete measures, hosting inside the EU, and an Audit Trail that shows who changed what, when.

Last updated: May 2026  ·  Applies to: doreply.com and all DoReply platforms

Our principles

Security is a continuous process, not a checkbox. Three principles are baked into the architecture:

Your data stays yours
We do not train AI models on customer content. We do not sell data. All information remains within your isolated environment.
No made-up answers
Guided Search uses pre-defined flows. End users only see answers your editorial team has approved. No hallucinations, no surprises.
Audit-ready from day one
Every change to content, every login and every role change is logged and retained for up to twelve months, depending on your subscription.

Compliance frameworks

We follow the rules that matter for customers in the Netherlands and the wider EU. No claims we cannot back up.

GDPR

Fully compliant. Data processing agreements with all customers, data inside the EU, right to access and erasure.

Active

EU Data Residency

All customer data is stored in AWS Frankfurt. No transfers to the United States or other third countries.

Active

EU AI Act

Our AI features fall under limited risk. Transparency about AI use, no profiling of end users.

Conformant

NIS2 (where applicable)

For customers in essential sectors we support the incident reporting and logging that NIS2 requires.

Supported

Concrete security features

These are the measures built into the product itself, available to you as a customer.

Encryption

TLS 1.3 for all connections. AES-256 for data at rest. No plain-text passwords, anywhere.

Access control

Roles and permissions at individual level. MFA required for administrators. SSO via SAML or OAuth for Enterprise customers.

Audit Trail

Every change recorded: who, what, when, from which IP. Retention depends on subscription, up to twelve months.

Data isolation

Each customer gets an isolated environment. No shared databases, no cross-tenant access between customers.

Monitoring

24/7 system monitoring, automated alerts on anomalous behaviour, and periodic security reviews.

Backup & recovery

Daily encrypted backups, point-in-time recovery available, RPO of 24 hours and RTO of 4 hours.

Hosting and infrastructure

DoReply runs entirely on AWS Frankfurt (region eu-central-1). All data stays inside the EU and falls under European law.

  • Location: AWS Frankfurt, Germany
  • Subprocessors: only parties with EU presence and GDPR compliance
  • No US transfers: we do not use services that necessarily move data to the United States
  • Private cloud deployment: for Enterprise customers with specific requirements we offer an isolated, dedicated environment within AWS, with its own VPC and separate resources

How we handle incidents

When something happens, we follow a fixed procedure:

  • Detection within one hour via automated monitoring or customer report
  • Triage and containment within four hours of detection
  • Customer notification within 72 hours for data breaches involving personal data, per GDPR
  • Post-mortem report within ten working days, shared with affected customers

For security reports or suspected vulnerabilities: security@doreply.com. We respond within 24 hours.

Common questions from buyers

Do you have a SOC 2 report?

Not at this time. We focus on GDPR compliance and EU frameworks that are more relevant to our European customers. For specific audit requirements we can deliver tailored documentation.

Can we run a Vendor Security Assessment?

Yes. We support DDQs, security questionnaires and architecture reviews. Schedule a conversation for the details and we will connect you to our technical lead.

What happens to our data when we leave?

On request we deliver a full export of your content within fifteen working days. After that, all data is irreversibly deleted within thirty days; backups are removed as part of the regular backup schedule.

How do I know if there has been a breach?

Beyond our own monitoring, Enterprise customers have access to a detailed Audit Trail where they can detect unusual patterns themselves. For detected incidents we provide direct notification per the Incident Response procedure.

Will you work with our CISO or DPO?

Gladly. For security and privacy questions we connect our technical lead and privacy contact directly. No account managers as middlemen.

Specific security question?

Email security@doreply.com for security reports, or schedule a conversation via the contact page for a Vendor Assessment.