Duvo is an AI-native automation platform that automates complex processes across UIs and APIs. The platform is designed so that automation reduces risk: assignments operate within strict access boundaries, every action is auditable, and our use of AI vendors is governed by clear contractual and technical controls.Documentation Index
Fetch the complete documentation index at: https://docs.duvo.ai/llms.txt
Use this file to discover all available pages before exploring further.
1. Security Governance & Control Framework
Control framework
- Duvo is SOC 2 Type II certified
- Controls aligned with SOC 2 Trust Services Criteria (Security, Availability, Confidentiality)
- Duvo maintains strict controls around data security, availability, and confidentiality
Risk & oversight
- Security and risk reviewed at executive level on a regular cadence.
- Annual formal risk assessment with documented treatment plans and remediation tracking.
Policies & compliance
- Core policies (Information Security, Access Control, Vendor Risk, Data Protection & Privacy, Incident Response, Acceptable Use) reviewed at least annually.
- All Duvo employees complete mandatory security and privacy awareness programs at onboarding and annually thereafter.
2. Infrastructure & Platform Security
Hosting & network
- Hosted on leading cloud providers with hardened configurations and network segmentation.
- Full disclosure of subprocessors available upon request.
Identity, access & MFA
- All access to production systems is authenticated, role-based, and enforced with MFA and least-privilege.
Encryption & key management
- In transit: TLS 1.2+ for all external and internal service communications.
- At rest: Industry-standard encryption (e.g., AES-256) for databases, storage, and backups.
- Keys managed via cloud-native KMS, with access controls and rotation policies.
Endpoint & device security
- Company endpoints use full-disk encryption
Monitoring, availability & incident response
- Centralized logging and monitoring of infrastructure, application health, and security-relevant events.
- Redundant, multi-AZ architecture designed to minimize downtime.
- Documented incident response plan, on-call rotation, and post-incident review process.
Vulnerability management
- Regular automated scanning of infrastructure and applications.
- Patch management and remediation timelines driven by risk severity.
3. Application, Assignment & Browser Security
Authentication, SSO & RBAC
- Unique accounts for all users
- Fine-grained RBAC across:
- Human roles (admins, managers, users).
- Assignments themselves (which systems, environments, and actions an assignment can perform).
- Assignments can only access systems that are within security scope of users using the assignments to perform processes
Tenant isolation
- Logical segregation of customers at the application and data layers.
- Cross-tenant access is technically prevented; multi-tenant components enforce tenant scoping in all queries.
Secure SDLC & environments
- All production changes are peer-reviewed and tracked in version control.
- Automated and manual testing (including regression and security checks) before deployment.
- Strict separation of dev / staging / production; production data is not used in lower environments.
Automation & Duvo “Enterprise Browser”
- UI automation runs in ephemeral remote browser sandboxes, not on end-user devices.
- Browsing sessions are isolated per task, local storage is not shared between customers.
- Logins for target systems (e.g., internal portals) are stored in hardened secret stores and scoped to specific assignments/workflows.
Human-in-the-loop & approvals
- Assignments can be configured to request explicit human approval for high-risk actions (e.g., changes in internal systems, sending external emails).
- All approvals, rejections, and resulting actions are fully logged.
Auditability
- Comprehensive audit trails for assignment jobs, configuration changes, access changes, and approvals.
4. Data Protection & Privacy
Data classification & lifecycle
- Retention and deletion policies for logs, configuration, and content aligned with contractual and regulatory obligations.
Access to customer data
- Role-based, need-to-know access to production data; approvals and access are time-bound wherever possible.
- All privileged access is logged and regularly reviewed (at least quarterly access reviews).
Privacy & regulatory alignment
- Program aligned with GDPR principles, support for data subject rights (access, deletion, rectification) through defined processes.
- Public Privacy Policy, DPAs, and list of sub-processors available on request.
Deletion & anonymization
- Capabilities to delete or render data unusable on request, including end-user content and workspace data, subject to legal and backup constraints.
5. Use of AI / LLM Providers (Anthropic ZDR & Others)
Anthropic as primary AI provider
- Duvo integrates Anthropic’s Claude models as a core reasoning engine under enterprise commercial terms.
Zero Data Retention (ZDR)
- All Anthropic API calls from Duvo are made in Zero Data Retention mode:
- Prompts and outputs are not used for model training,
- Not retained beyond transient processing by Anthropic.
- Duvo does not use Anthropic’s consumer interfaces (e.g., free/pro web UI) for customer workloads.
Data minimization & protection with LLMs
- Only the minimal context required to perform a task is sent to the model.
Other model providers / BYO endpoints
- Support for other enterprise LLM APIs and customer-hosted model endpoints.
- You can constrain the platform to specific providers, regions, or endpoints that satisfy your data residency and compliance requirements.
Vendor risk management
- Critical sub-processors (LLM providers, cloud, browser sandboxing, observability) undergo security and privacy review.
- DPAs and data-handling terms are in place, with clear limits on data use and confidentiality obligations.