Compliance: SOC2, HIPAA, ISO 27001 and GDPR at Dailybot
This page summarizes Dailybot’s compliance posture. It is informational – the binding documents are the Privacy Policy, the DPA (Data Processing Agreement), and any executed MSA / Order Form between your organization and Dailybot.
If you need formal evidence (SOC2 report, security questionnaire, signed DPA, sub-processor list), contact support or sales with your org name and the framework in scope.
Quick reference
| Framework | Status | What you can request |
|---|---|---|
| GDPR | Compliant (data controller / processor model). | Signed DPA, SCC where applicable, data subject rights workflow. See GDPR. |
| CCPA | Compliant (do-not-sell signals respected; no sale of personal data). | DSAR workflow, contact details. |
| SOC 2 Type II | Available on the enterprise plan. | Latest report under NDA (request via support/sales). |
| HIPAA | Not a default offering. We do not store PHI by design. Enterprise customers needing HIPAA should contact sales before entering PHI. | BAA on case-by-case basis. |
| ISO 27001 | Roadmap (status varies; ask support for current quarter). | Statement of Applicability when available. |
If you see “We are SOC2 / HIPAA / ISO” from third-party sources, always re-confirm with Dailybot directly: certifications and reports refresh on a cadence and a stale claim is worse than no claim.
How Dailybot supports your audit
| Audit need | Where it lives in Dailybot |
|---|---|
| Access control | Inherited SSO (chat platform) by default. Native SAML/SCIM on enterprise – see SSO/SAML/SCIM. |
| User lifecycle | Removing a user in Slack/Teams/Google Chat removes their Dailybot access; alternatively, remove them via Manage Members directly. |
| Data residency | Dailybot operates from cloud regions described in the DPA. Specific region pinning is enterprise-only. |
| Data retention | Configurable per plan – see Data retention. |
| Right to deletion | DSAR workflow – see Data deletion and GDPR. |
| Audit log of admin actions | Enterprise plan. |
| Encryption in transit / at rest | TLS in transit, encryption at rest. Sub-processor and KMS details in the DPA. |
| Sub-processors | List available on request and in the DPA addendum. |
Common security questionnaire answers
For Whistic / OneTrust / SecurityScorecard / standalone vendor reviews, the most common questions and where to find the answer:
| Question | Source |
|---|---|
| Do you have a SOC2 report? | Yes (enterprise). Request via support. |
| Do you sign DPAs? | Yes. Default DPA available; custom on enterprise. |
| Do you sub-process data outside the EU? | Detailed in the DPA’s sub-processor list. SCCs in place where required. |
| Encryption at rest? | Yes. |
| Encryption in transit? | Yes (TLS 1.2+). |
| Vulnerability management? | Continuous scanning + periodic third-party pentests; report available under NDA. |
| Background checks on staff? | Yes, where local law allows. |
| Incident response SLA? | Defined in the MSA / Order Form per plan. |
If your questionnaire still has open items after these, attach it to a support ticket and our security team will respond.
Requesting documents
- Contact Dailybot support or your account manager.
- Include: your org name, billing email, the specific document (e.g., “SOC2 Type II report, latest”), and whether you can sign an NDA if required.
- Indicate any deadline (auditor cut-off date).
For routine DPA signature, the link can be sent directly. For SOC2 and similar reports, an NDA is usually required first.