Security by Design. Trust Through Architecture.
DueDash protects your data and your clients' data at every layer, from a non-custodial, admin-of-record architecture to enterprise-grade encryption and independently assessed controls. Your data never leaves your environment. DueDash orchestrates; your administrator operates. Generated output is not institutional evidence. DueDash produces reviewable, attributable records: cited to source, timestamped, and retained as institutional memory.
The Architecture of Trust
Admin-of-Record Architecture
We orchestrate; your administrator operates. DueDash never takes custody of funds, executes transactions, or acts as the legal record-keeper. We mirror status from your chosen providers, maintaining a clear separation of duties.
Your Memory, Your Infrastructure
Deploy DueDash within your own VPC/VNet on AWS, Azure, or GCP. Your institutional memory is your most valuable intellectual property — it stays entirely within your control, isolated from public models, with no cross-mixing of client data.
Zero Primary Data Custody
Signed legal documents, KYC/KYB dossiers, and cash positions remain with your administrator. DueDash coordinates information — minimising your attack surface and supporting regulatory compliance.
Security Practices
DueDash works to raise the security standard in the investment industry, beginning with the protection of your data and your clients' data.

Data at rest
Documents are stored on AWS — the same enterprise infrastructure trusted by organisations such as FICO, NASA, GE, and Dow Jones — and protected with AES-256 encryption.

Data in transit
All information moving between DueDash and users is encrypted with TLS 1.2, the successor to the SSL protocol.

Login credentials
DueDash requires strong passwords, which are salted and hashed with bcrypt. No DueDash employee can reconstruct an original password.

Hosting & data residency
Region-pinning for EU/US data residency, strict tenant isolation, and support for customer-managed KMS/HSM keys.

Authentication & access
Enterprise SSO/SAML (Okta, Azure AD), granular role-based access controls, and least-privilege principles throughout.

Logging, audit & backups
Audit logging guards against unexpected database activity; every user action is logged with SIEM integration, and data is backed up on a regular schedule. Data lifecycles are aligned with GDPR and CCPA.
Independent Assurance
Assessed, Audited & Attested by Independent Third Parties.
DueDash engages multiple third-party vendors to assess, audit, and attest to its security controls. The platform is architected to be compliant with SOC 2 Type II — the standard widely recognised across accounting and financial institutions — and undergoes regular, independent penetration testing. We support client-side vendor security assessments on request.
Responsible Disclosure
Working With the Security Community.
Data security is a top priority, and skilled security researchers help identify weaknesses in any technology. If you believe you have found a vulnerability in the DueDash service, please tell us — we will work with you to resolve it promptly.
How to report
Email security@duedash.com. We will acknowledge your report within five business days and aim to resolve critical issues within five business days of disclosure.
What we ask
- Give us reasonable time to resolve an issue before disclosing it publicly or to a third party.
- Make a good-faith effort to avoid privacy violations, data destruction, or service degradation.
- Interact only with accounts you own or are explicitly permitted to access.
Review and Diligence Infrastructure
- Distributed Denial of Service (DDoS)
- Spamming
- Social engineering or phishing of DueDash employees or contractors
- Any attack against DueDash’s physical property or data centres
Please do not conduct security research or search for vulnerabilities without first notifying DueDash and obtaining permission. We may revise these guidelines from time to time. Thank you for helping keep DueDash and our users safe.
A Clear Delineation of Service
DueDash is a workflow intelligence software provider. DueDash is not a broker-dealer, investment adviser, transfer agent, custodian, or placement agent, and does not provide legal, tax, or investment advice. All document execution, KYC/KYB screening, cash movement, and maintenance of statutory registers are operated by the client's appointed administrator or licensed partners. DueDash provides status coordination and an auditable record for workflow purposes only.
General questions: support@duedash.com · Security reports: security@duedash.com