◆ WORK IN PROGRESS. Pre-launch. Email darren@darrencard.com to share access.
Trust

What DAC reads, what DAC doesn't, and how DAC handles your data.

Last updated: May 2026

◆ What DAC reads

Public surfaces

Your product's marketing site, changelog, public docs, public GitHub repos.
No login required. No special access.

Connected stack (OAuth, opt-in, revocable)

GitHub, Linear, Slack, Figma, Notion, PostHog, Sentry, GitBook, Mintlify.
54+ adapters total. Each connected adapter is granted scoped read access. See /coverage for the full list.

What DAC reads inside your connected stack

Issue titles, PR descriptions, commit messages, channel names, doc titles.
Aggregated metadata: cycle health, doc freshness, PR throughput, error rates.
Metadata stays inside the diagnostic. It is never sent to external services beyond the LLM provider that DAC's scorer runs on.
◆ What DAC does not read
Customer PII inside your product (we don't see your customer database)
Source code beyond what's necessary for cycle-level signal (we read commit messages and PR diffs at line-summary level, not function-by-function)
Email content (DAC doesn't connect to email systems)
Calendar contents (DAC doesn't connect to calendars)
Slack DMs (only public-channel and channel-name signal)
Anything you've revoked OAuth for (revocation is one-click in /settings)
◆ Where your data lives

Stored in Turso. Primary region: US. Encrypted at rest (AES-256) and in transit (TLS 1.3). Backed up nightly. Retained for the duration of your account plus 30 days.

Permanently deleted on request. Full deletion within 14 days of request. See /privacy for the full data handling policy.

LLM provider for scoring: Anthropic Claude. DAC sends compact metadata to the scorer. We do not send customer-identifying signals beyond your tenant ID.

◆ Certifications

SOC 2 Type II (In progress)
Target: Q3 2026. Audit window opens Q3 2026. Type 1 readiness packet shippable on request under NDA.

GDPR-compliant data handling (Live)
Access, correction, deletion, and portability requests honored regardless of region.

HIPAA (Not in scope)
DAC does not handle PHI by design. If your team needs HIPAA, we are not the right product today.

FedRAMP / IL5 (Not in scope)
Not on roadmap.
◆ Enterprise security review

For procurement teams: bring your security questionnaire. We respond within 5 business days.

If you need a control that isn't listed here, email hello@dacard.ai. We will tell you whether it exists, when it ships, or that we will not build it.

◆ Subprocessors

We rely on the following services to operate DAC. Each processes data on our behalf under a data processing agreement.

| Subprocessor | Purpose | Data handled | Attestations |
| --- | --- | --- | --- |
| Anthropic | LLM inference for scoring and coaching | Prompts, cited URLs, conversation content | SOC 2 Type 2 |
| Clerk | Authentication and session management | Email, name, session tokens | SOC 2 Type 2 |
| Turso | Database hosting | Account data, scores, signals | SOC 2 in audit, ISO 27001, HIPAA, PCI DSS |
| Vercel | Web hosting and edge CDN | Request metadata, IP, logs | SOC 2 Type 2 |
| Stripe | Payments and billing | Billing identifiers (no card numbers) | PCI DSS Level 1, SOC 1, SOC 2 |
| Resend | Transactional email | Email addresses, message content | SOC 2 Type 2 |
| PostHog | Product analytics (consent required) | Event stream, user identifiers | SOC 2 Type 2 |
| Sentry | Error tracking (consent required) | Stack traces, browser context | SOC 2 Type 2 |

Attestations are self-reported by each vendor and current as of the last updated date above.

Security issues: hello@dacard.ai with “Security:” as the subject prefix.

Privacy requests: privacy@dacard.ai

Dacard, Inc., Vancouver, BC, Canada.