v1 — Working draft. DYOE Way is a small services business, not an enterprise with SOC 2 certification. This document honestly describes our current practices. We will update it as our security posture evolves.
1. Infrastructure
| System | Provider | Security |
|---|---|---|
| Website hosting | Cloudflare Workers | Cloudflare's global network, auto-HTTPS, DDoS protection |
| Database (SplitLedger) | Supabase | PostgreSQL with row-level security, encrypted at rest |
| AI processing | Anthropic (Claude API) | SOC 2 Type II, data not used for model training via API |
| Research engine | DeerFlow (self-hosted) | Runs on controlled DigitalOcean infrastructure; not a SaaS |
| CRM | Airtable | SOC 2 Type II, encrypted at rest and in transit |
| Payment processing | Stripe | PCI DSS Level 1; we never see or store card numbers |
| Email | Google Workspace | TLS in transit, encrypted at rest |
| Form submissions | Formspree | TLS in transit, submissions forwarded to email |
2. Data in Transit
All data in transit uses TLS encryption. This includes: website traffic (HTTPS via Cloudflare), API calls to Anthropic, database connections to Supabase, email via Google Workspace, and form submissions via Formspree.
3. Data at Rest
Client data stored in Airtable and Supabase is encrypted at rest by the respective providers. Service materials (client lists, DM exports) stored on DYOE Way infrastructure are kept on encrypted-at-rest DigitalOcean volumes.
4. Access Control
DYOE Way is a sole proprietorship. One person (the founder) has access to all client data and all systems. There are no shared credentials, no team accounts, and no third-party contractors with access. This simplifies the access control surface significantly — the attack surface is one person, not a team.
5. AI Data Handling
- Claude API — Data sent to the Claude API for processing is governed by Anthropic's API data usage policy. As of this writing, Anthropic does not use API data to train models. Data is processed in transit and not persistently stored by Anthropic beyond their standard API logging period.
- DeerFlow — Self-hosted. Client data processed by DeerFlow never leaves our controlled infrastructure. No third-party research SaaS is involved.
- Mem0 — Cross-session memory for the DYOE Agent Stack. Stores conversation context and client notes. Hosted via Mem0's API; data is keyed per-user and not shared across accounts.
6. Data Retention
- Service materials (client lists, DM exports, booking data): Deleted 30 days after engagement completion
- Deliverables (reports, campaigns): Retained 12 months, then deleted
- Contact information: Retained for duration of engagement + 12 months
- Payment records: Retained by Stripe per their policy
You can request early deletion at any time by emailing info@dyoeway.org.
7. Incident Response
In the event of a data breach or security incident:
- We will notify affected clients within 72 hours of discovery
- We will describe what data was affected and what steps we're taking
- We will cooperate with any investigation and remediation
8. What We Don't Have (Yet)
In the interest of honesty:
- We do not have SOC 2, ISO 27001, or HIPAA certification
- We do not have a formal penetration testing program
- We do not have cyber insurance (planned for Q3 2026)
If your engagement requires any of these, we'll tell you upfront so you can make an informed decision.
9. Contact
For security questions or to report a vulnerability: info@dyoeway.org