This page explains, in plain English, how DOVA handles your manufacturing data — how it is encrypted, who can see it, where it is stored, how people log in, and what compliance work is in progress. We update this page as things change. Last updated: May 2, 2026.
All traffic between your browser and DOVA is encrypted using HTTPS (TLS 1.2 or higher). Your data is never transmitted in plain text.
Data at rest is encrypted using industry-standard AES-256 encryption, managed by our database provider (Supabase) and hosting provider (Vercel / AWS).
Database backups are taken automatically and retained for disaster recovery.
DOVA uses role-based access control. Every user has one of five roles, and the system only shows them the data their role allows:
• Global Admin — DOVA platform staff only.
• Company Admin — full access across your company.
• Location Manager — access scoped to their location.
• Operator — access scoped to their department.
• Viewer — read-only access.
Access rules are enforced on every database query, not just in the user interface. A user cannot see or change data outside their scope even by crafting direct requests.
Application hosting: Vercel (US regions, backed by AWS).
Database: Supabase (managed PostgreSQL, US regions, backed by AWS).
We do not store customer data on personal devices, laptops, or employee workstations.
Today: email + password login with secure password hashing handled by Supabase Auth.
On the roadmap: Azure Active Directory Single Sign-On (SSO) via SAML for enterprise customers who require centralized identity management. Target: Q3 2026.
Session cookies are set with the HttpOnly and Secure attributes. Sessions expire automatically after a period of inactivity.
DOVA is pre-launch and not yet SOC 2 certified. We are transparent about this — no fake badges.
SOC 2 Type I preparation: target start Q3 2026.
SOC 2 Type II observation window: target Q1–Q3 2027.
Data Processing Agreement (DPA): available below and on request.
Privacy practices are described in our Privacy Policy (link below).
We use a small number of trusted service providers to run DOVA. Each one is selected for its own security posture:
• Supabase — managed database and authentication.
• Vercel — application hosting and deployment.
• Stripe — payment processing (PCI-DSS compliant).
• Resend — transactional email delivery.
• Microsoft Azure — Active Directory / SSO (for customers who enable it).
A full subprocessor list with regions and purpose is available on request.
These are the legal and security documents enterprise buyers and procurement teams typically ask for. They are public — no NDA needed.
If you have a security question, a compliance request, or need our DPA or subprocessor list, contact us directly. We respond within two business days.
security@dovamfg.com