Dume

Why You Can Trust Dume.ai: Security, Privacy, and Transparency at Our Core

Team Dume.ai

Team Dume.ai

May 25, 20255 min read

Why You Can Trust Dume.ai

At Dume.ai, trust isn't just a feature—it's the foundation of our platform. Whether you’re connecting your email, calendar, Jira, or Notion, we treat your data with the highest standards of security and privacy. This post outlines our end-to-end approach to protecting your data—from authentication to encryption to infrastructure.

Authentication & Authorization

We use NextAuth.js, a modern and secure library trusted by thousands of apps worldwide.

  • Supports Google OAuth and email/password login
  • Email verification is mandatory for users
  • Protected routes enforced with middleware guards
  • Secure, session-based authorization for API and UI access
  • Unique, encrypted session IDs for all users

Password Security

We follow best-in-class practices to protect user credentials:

  • Passwords are hashed using bcrypt
  • Never stored or transmitted in plain text
  • Secure comparison methods prevent timing attacks
  • OAuth-based users are assigned secure, randomly generated passwords

AES-256 Encrypted Data at Rest

Your application data is protected at rest using AES-256 encryption—the same encryption standard used by governments and banks.

  • All user-linked app data (emails, calendar events, Notion tasks, etc.) is encrypted before being stored in the database
  • Data is only decrypted at runtime, in memory, during the AI’s response generation
  • No human at Dume.ai can view this data
  • Only you and the AI assistant can access decrypted content

🔐 Our encryption keys are managed securely through environment-based secrets.

No AI Training on User Data

We respect your privacy to the core:

  • Your data is never used to train AI models
  • Our AI subprocessors operate under enterprise-grade agreements
  • No user data leaves the secure boundary of our inference infrastructure
  • AI accesses data only temporarily at runtime, and only to serve your query

Session Management

  • All sessions are securely created and tracked via encrypted cookies or JWTs
  • Expired sessions are automatically invalidated and cleaned up
  • Session-based access control ensures actions are tied to valid users
  • Session hijacking and replay attacks are mitigated through strict token policies

API and Route Security

Our APIs are designed to protect against misuse and unauthorized access:

  • All routes are protected using authentication middleware
  • Rate limiting is enforced to prevent abuse
  • All inputs are validated and sanitized
  • Internal errors are handled gracefully without leaking sensitive information

Secure Database Architecture

Data handling follows a strict least-privilege model:

  • Queries are parameterized to avoid SQL injection
  • Sanitization applied on both input and output layers
  • Secure DB connection handling and scoped access controls
  • Sensitive fields (OAuth tokens, user data) are encrypted at the database level

OAuth Token Protection

Our OAuth integration is hardened using multiple layers of defense:

  • OAuth tokens are encrypted before storage
  • Token scopes are limited to minimum required permissions
  • Token refreshing is handled securely without leaking sensitive information

User Data Privacy

We believe in data minimization and user-first privacy:

  • We collect only the data required to provide core features
  • Access to user data is strictly scoped by tenant and user ID
  • No third-party tracking scripts or behavioral profiling is used

Security Best Practices

Every part of our application follows security best practices:

  • All secrets and tokens are managed via environment variables
  • Production/staging/dev environments are isolated
  • Debugging is disabled in production
  • HTTP headers like Content-Security-Policy and Strict-Transport-Security are enforced

Usage Controls and Transparency

We believe in transparency and user control:

  • Authentication flows are predictable and user-guided
  • Usage quotas are in place to prevent abuse
  • User activity is tracked for auditing purposes
  • Secure password reset mechanisms with email verification are implemented

Infrastructure-Level Security

Our deployment and CI/CD systems are hardened for production use:

  • Docker containers are configured with least-privilege roles
  • Deployment environments enforce RBAC and firewall rules
  • Continuous integration pipelines include automated security checks

Compliance and Data Governance

Dume.ai is designed to be compliant with modern data protection standards, including:

  • GDPR-ready architecture: consent, right to deletion, and data minimization built-in
  • Security headers enforced across all frontend and backend responses
  • Data lifecycle is transparent and user-controlled

Summary: Security You Can Trust

Dume.ai is not just a productivity platform—it’s your AI-powered assistant built with zero-trust architecture, AES-256 data encryption, and a strong commitment to never use your data for AI model training.

  • Your data is encrypted with AES-256 at rest
  • Decryption occurs only at runtime, and only for your AI assistant
  • We do not use your data to train models
  • Our infrastructure is zero-trust and enterprise-ready

We earn your trust not just by saying the right things—but by building the right things.

Ready to experience AI automation with peace of mind?

SecurityPrivacyAIProductivityTech
Agent CTA Background

Transform Your Workflow Today

Try for FreeNo credit card required. Cancel anytime.