Security

Introduction

This document explains our security practices and policies and is an extension of our privacy policy and terms of use.

Offering a 2FA authentication service comes with a high responsibility to ensure security & privacy of our customers' data. Maintaining the confidentiality, integrity and availability of customer data is our top priority.

We work hard on delivering a world-class service by following and exceeding current industry best practices.

Responsible Disclosure Policy

If you are a security expert or researcher and you believe that you have found a security issue in any Daito system or application, we encourage you to contact us at security@daito.io as soon as possible.

Guidelines

  • Make a good faith effort to avoid privacy violations, the destruction of data and/or interruption of service.

  • Refrain from any denial of service (DoS) or distributed denial of service (DDoS) attacks against our infrastructure. This only incurs unnecessary costs and will most likely be shut down by Heroku anyway.

  • Do not perform non-technical attacks such as social engineering, phishing, or physical attacks against our users, employees, or infrastructure.

  • Please create a (free) trial account for your testing & security research. Do not attack or use production accounts.

Our commitment

  • We will acknowledge the receipt of your report within 24 hours.

  • We will investigate the report and work closely with you to ensure we fully understand the issue.

  • We will notify you when the reported security vulnerability is fixed.

Reporting

Send us an email at security@daito.io with details of the vulnerability that you have discovered. It would be helpful if you could include a detailed description, the steps to reproduce the issue, and the potential impact.

General Practices

Primary Security Principles

  • Security first - All planning & engineering has security as priority #1.

  • Privacy first - We generally aim to collect the smallest amount of data required to provide our service.

These two principles shape much of our thinking and our approach to developing and maintaining Daito. This includes having a business model that is based on subscription revenue, not on your data.

Security practices of the team

  • All team members (whether internal or external) with access to any customer data must sign an NDA.

  • All development hardware with any customer data is fully encrypted and up to date.

  • 2FA is in use for all third-party services that we use.

  • We use long, strong & randomly generated passwords that are never re-used.

Secure software development practices

  • We run automated and manual tests on all code before deploying to production.

  • Access to code and the ability to deploy to test or production environments is highly restricted.

  • We use mature and battle-tested standard libraries ("boring technology").

  • Our code base is automatically scanned periodically for vulnerable dependencies. Vulnerable dependencies are patched and redeployed as soon as possible.

  • All code & infrastructure elements are constantly monitored to detect anomalies early and prevent potential threats.

Ubiquitous Encryption

We use encryption where possible and feasible to ensure confidentiality of your data, even in the case of a breach.

Encryption of data in transit

  • In general: all connections between you and Daito, and within the Daito platform, are encrypted using HTTPS.

  • Strong TLS keys: RSA, 2048 bits.

  • HTTP Strict Transport Security (HSTS).

Encryption of data at rest

  • Databases are encrypted at rest with AES-256.

  • Application servers ("Heroku Dynos") are ephemeral and do not contain customer data.

Encryption of data at application level

  • 2FA seeds are additionally encrypted at the application level using AES, independently of the database's at-rest encryption.

Certified Hosting

We rely on Heroku as our hosting provider. Heroku is owned by Salesforce and runs on top of Amazon Web Services.

Amazon's data center operations have been accredited under:

  • ISO 27001

  • SOC 1 and SOC 2/SSAE 16/ISAE 3402

  • PCI Level 1

  • FISMA Moderate

  • Sarbanes-Oxley (SOX)

Logging & log retention

We log all user & admin actions to ensure a full audit trail. Audit logs are anonymized where possible and feasible and do not include sensitive data like passwords and generated 2FA tokens.

We centrally collect infrastructure and application logs in addition to separate exception and application monitoring & logging.

Logs are retained for the maximum duration allowed per GDPR regulations before they are permanently deleted.

Insurance

We hold a €3 million financial loss liability insurance (which includes commercial cyber liability insurance) and a €2 million general company liability insurance.

Please contact us at security@daito.io should you have any questions not answered above.