Security & compliance
Built for the teams that have to say yes.
Dooap Studio is a managed multi-tenant SaaS. Independently audited controls, data and AI models in the region you choose, SSO, least-privilege tools, and a complete change history, so IT and compliance can sign off and stay signed off.
- SOC 2 Type II
- GDPR
- EU & US regions
- Microsoft Entra ID SSO
Hosting & data residency
Your data — and the models that touch it — stay in your region.
Multi-tenant SaaS, EU & US regions
Dooap Studio runs as a managed multi-tenant service in EU and US regions. Pick the region your data must live in; your tenant is isolated within it.
AI models in your region too
When Dooap Studio reasons with an LLM or specialist model, the inference call stays inside your chosen region. AI does not cross the boundary your data has to honor.
Your data does not train models
Your invoices, prompts, executions, and metadata are not used to train the LLMs Dooap Studio routes to. Your data is yours; it serves your runs and your audit.
Identity & access
The identity stack you already use.
Microsoft Entra ID (SSO)
Sign in with your existing Microsoft Entra ID tenant. No separate user store, no parallel passwords. Your group policies, conditional access and MFA apply; Dooap Studio inherits them.
Per-App authorization & secret vault
Tenant admins authorize each App explicitly; credentials live in a secret vault, never inline in an Action. Tools an agent can call are scoped to exactly what admins approved.
Three roles, least privilege
Read-Only reviewers see everything and change nothing. Users build and operate Actions. Admins alone govern users, Apps, models, and the audit log.
| Capability | Read-Only | User | Admin |
|---|---|---|---|
| View Actions, steps, and run history | ✓ | ✓ | ✓ |
| Create, edit, and delete Actions | — | ✓ | ✓ |
| Publish, enable, and run Actions | — | ✓ | ✓ |
| Manage users and roles | — | — | ✓ |
| Manage Apps, models, and settings | — | — | ✓ |
| View and export the audit log | — | — | ✓ |
Audit log
Append-only · tamper-evident
- 09:41anna.kAction “Invoice intake” publishedv14
- 09:32anna.kAgent Role “Vendor screening” updatedv3
- 08:57adminApp “ERP” credentials configuredvalues never logged
- 08:12tomi.lSkill “Coding rules” createdv1
- MonadminAudit log exportedCSV
Every change to Actions, Agent Roles, Tools, Apps, Skills, Variables and Secrets. Admin-only access, exportable for retention.
Compliance & audit
Independently audited. Provably accountable.
SOC 2 Type II
Independently audited controls covering security, availability, processing integrity, confidentiality and privacy, verified operating over time rather than just on paper. Report available under NDA.
GDPR
Standard data-handling, processor obligations, sub-processor transparency, and data-subject rights. DPA available; EU hosting included.
Audit log, end to end
Every change to an Action, Agent Role, Tool, Input, or prompt lands in the platform-wide audit log. Admin tools export the full log for downstream retention or compliance review.
Provenance for every run
Per-execution: the resolved prompt, inputs, every tool call with its parameters and result, confidence, token usage, full provenance through chained Actions, stored and searchable.
Runtime guardrails
Three guardrails on every run: vaulted secrets, sandboxed code, dry-run before commit.
Secret vault
Credentials for every App live in the secret vault, never inline in step configuration. Rotated centrally; access governed per App.
erp_api_key = •••••••••••• stored: vault · never in prompts rotation: one place, all Actions
Sandboxed code
Custom Code steps run in a sandbox with strict resource and throttling limits. No filesystem escape, no surprise side-effects.
cpu: capped · memory: limited filesystem: none network: assigned tools only
Dry-run on live data
Execute draft Actions against real data with write tools stubbed out. See what would have happened before it does.
POST /invoices → stubbed ✓ mode: dry-run · draft v14 committed: nothing
Need to brief your security team?
We’ll walk through the controls, audit posture, and data flows that matter to your IT and compliance reviewers.