Security & Privacy at Doozy
How we protect your data, handle your connected accounts, and safeguard the actions our AI agents take on your behalf.
Privacy
When We Access Your Data
We may access your account data only in the following circumstances:
- Customer support: When you have filed a support request and the issue requires inspection of your account to diagnose or resolve
- Incident response: When investigating a reported bug, security incident, or system error that affects your account
- Legal obligations: When required to do so by applicable law, regulation, or valid legal process
- Product improvement: We may use anonymized data derived from your account activity to improve Doozy's models and product experience. You can disable this in your Settings (see the section below for more information). Note: we are not currently training on anyone's data, and are not sure if we ever will.
Audit Logs & Access Controls
Every instance of internal access to user account data through our admin dashboard is logged. These logs are retained and are reviewable by Doozy leadership. No employee can access user data without that access being recorded.
Your Privacy Settings
Doozy gives you direct control over how your data is used. In your Settings, you will find a Security Mode toggle. When this is turned on:
- Your data will not be used for any product improvement purposes
- No Doozy employee can access your account data for any reason unless you explicitly grant permission for that specific access
This setting is off by default and must be manually enabled. We encourage users who handle sensitive information to turn it on. When Security Mode is off, access for the purposes listed above (support, incident response, legal obligations, and product improvement) remains possible, but is always logged and audited.
Please note: we don't currently have the ability to disable the collection of aggregate data, such as number of meetings, to-dos, etc.
Your Rights
You have the right to:
- Access a copy of the data we hold about you
- Correct inaccurate personal information
- Delete your account and associated data at any time
- Export your data in a portable format upon request
- Opt out of your data being used for model improvement
Data Retention
We retain your data for as long as your account is active. Upon account deletion, we will remove your personal data from our systems within 30 days, except where we are required to retain it for legal or compliance purposes.
Connected Accounts & OAuth
How We Handle Your Integrations
Doozy connects to third-party services (such as Gmail, Google Calendar, Slack, and others) on your behalf to perform tasks for you. We use Composio to manage all OAuth authentication and credential handling for these integrations — similar to how Plaid works for connecting bank accounts.
This means Doozy never directly stores your OAuth tokens or credentials. Composio acts as the secure intermediary that handles the full authentication flow, token refresh, and revocation lifecycle.
You're Always in Control
At any time, you can connect or disconnect any third-party account from within Doozy's settings. Disconnecting an account immediately revokes Doozy's ability to act on that account. You can also manage or revoke connections directly through the third-party service itself.
Why Composio
Composio is a trusted infrastructure provider purpose-built for secure AI agent authentication. Their security posture includes:
- SOC 2 Type 2 and ISO 27001 certified — independently audited security controls
- Encryption at rest and in transit for all credentials, tokens, and configuration data
- Zero data retention architecture — data processed through Composio is not persisted beyond what is necessary for the operation
- Role-based access control (RBAC) with least-privilege access for all internal personnel
- Quarterly penetration testing and complete audit trails
- Multi-factor authentication required for all privileged accounts
Composio's trust and compliance documentation is available at trust.composio.dev. You can review their full security posture, certifications, and subprocessor list directly there.
Agentic Action Safety
The Problem with AI Agents Acting on Your Behalf
When an AI agent can take actions in the world — sending emails, creating calendar events, updating files — the stakes are fundamentally different from an AI that only reads and responds. A single unintended write operation can have real consequences: a sent email can't be unsent, a deleted file may be gone permanently.
Most AI products today do not have meaningful guardrails on this. Doozy does.
How Our Permission System Works
Doozy runs every potential agent action through a fast, lightweight classification layer before it is executed. This classifier evaluates whether an action is a read operation (viewing, retrieving, summarizing data) or a write operation (sending, creating, modifying, or deleting data).
- Read operations proceed automatically, as they carry no risk of unintended consequences
- Write operations trigger a permission check
If a write operation is flagged and you have not already granted permission for that specific action, the action is denied and you are notified. You will be shown what the agent was attempting to do and asked to approve or reject it before anything is executed.
Permission Modes
Doozy offers two modes for agentic actions:
- Permission Mode (default): All write operations require your explicit approval before execution. You'll see a clear prompt describing the intended action before it happens.
- Auto-Approve Mode: For power users who want Doozy to operate more autonomously, you can disable per-action permission checks in your settings. In this mode, the agent will execute write operations without pausing for approval. We recommend this only for low-stakes workflows where you have high confidence in the agent's behavior.
You can switch between these modes at any time from your Settings screen.
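As an added illustration (not Doozy's own code), the gating flow described above modeled in Python: a rule-based stand-in for the classifier, the two permission modes, and per-action grants. The verb lists, the `service.verb_object` action naming, and treating an unrecognized verb as a write (fail closed) are assumptions of this example.

```python
from dataclasses import dataclass, field

# Assumed verb lists standing in for the probabilistic classifier.
READ_VERBS = {"get", "list", "search", "fetch", "summarize", "view"}
WRITE_VERBS = {"send", "create", "update", "delete", "modify", "reply"}


@dataclass
class PermissionGate:
    auto_approve: bool = False                   # False = Permission Mode, True = Auto-Approve Mode
    granted: set = field(default_factory=set)    # actions the user has already approved
    notifications: list = field(default_factory=list)  # what the user would be shown

    @staticmethod
    def classify(action: str) -> str:
        """Return 'read' or 'write' for an action named like 'gmail.send_email'.
        An unknown verb is classified as 'write' so that misclassification
        fails closed (assumption, not the product's documented behavior)."""
        verb = action.split(".", 1)[-1].split("_", 1)[0].lower()
        if verb in READ_VERBS:
            return "read"
        return "write"

    def decide(self, action: str) -> str:
        """Return 'execute' or 'denied' for a single proposed agent action."""
        if self.classify(action) == "read":
            return "execute"                     # reads proceed automatically
        if self.auto_approve or action in self.granted:
            return "execute"                     # write already permitted
        self.notifications.append(f"Blocked {action}: approval required")
        return "denied"                          # deny and notify the user

    def approve(self, action: str) -> None:
        """Record the user's approval for one specific write action."""
        self.granted.add(action)

    def run_plan(self, actions: list) -> dict:
        """Decide every action in a proposed plan; returns action -> decision."""
        return {a: self.decide(a) for a in actions}


if __name__ == "__main__":
    # Constructed sample plan an agent might propose.
    plan = ["gmail.list_messages", "gmail.send_email", "calendar.create_event"]
    gate = PermissionGate()
    print(gate.run_plan(plan))       # only the read executes; writes are denied
    print(gate.notifications)
```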
What This Doesn't Cover
We want to be honest: this system is not a 100% foolproof guarantee. The classifier operates probabilistically and may occasionally misclassify an action. We continuously improve its accuracy, but edge cases exist. What we can say with confidence is that Doozy's agentic permission layer is more robust than the current standard in the industry — most AI agents have no write/read classification or per-action approval system in place at all.
Our goal is that Doozy should never do something consequential in your accounts that surprises you.
Security
Infrastructure
- Encryption at rest: All user data is encrypted at rest using AES-256 via our cloud infrastructure provider
- Encryption in transit: All data transmitted between your device and Doozy's servers is encrypted using TLS 1.2 or higher
- Cloud infrastructure: Doozy is hosted on Google Cloud Platform (GCP) within a Virtual Private Cloud (VPC), with network-level isolation and firewall rules in place
- Daily backups: User data is backed up daily with point-in-time recovery available
Access Controls
- Role-based access control (RBAC): Internal access to production systems is restricted by role. Employees only have access to the systems and data required for their function
- Least privilege: No employee has standing access to raw user data. Elevated access requires a documented reason and is time-limited
- Multi-factor authentication (MFA): Required for all internal accounts with access to production systems
- Access reviews: We conduct periodic reviews of which employees have access to what systems, and revoke access that is no longer needed
Application Security
- Vulnerability disclosure: We maintain a responsible disclosure policy. If you believe you have found a security vulnerability in Doozy, please contact us at security@dcouple.ai
- Dependency management: We monitor our third-party dependencies for known vulnerabilities and apply patches on a regular basis
- Secure development practices: Code changes go through peer review before deployment