dooMOdooMO
<- Back to dooMO
Trust - Security

Security practices

A practical summary of how Tributary Studios LLC protects dooMO data and supports customer security reviews.

01

Identity and access

  • Firebase Authentication handles user sign-in.
  • Users are scoped by organization role and building access.
  • Backend middleware and Firestore security rules enforce role-based permissions for task, member, building, photo, and organization data.
  • Customer administrators are responsible for inviting, removing, deactivating, and scoping their users.
02

Application and data safeguards

  • TLS protects data in transit.
  • Managed cloud providers provide encryption at rest for database and storage services.
  • Direct client access to Cloud Storage is denied. Uploads and downloads use signed URLs minted by Cloud Functions.
  • Request IDs, diagnostics, and structured error handling support investigation without exposing raw implementation details to users.
  • Production secrets are managed in Firebase/Vercel/Stripe/Resend environments rather than committed to source control.
03

Monitoring and incident response

Tributary monitors application health through provider logs, deployment status, Cloud Functions logs, Firebase/Crashlytics signals, Stripe webhook status, and support diagnostics.

Confirmed security incidents affecting customer data are handled under the Privacy Policy and any signed DPA. We will notify the affected customer without undue delay when required by applicable law or contract.

04

Backups and recovery

Firestore scheduled backups are enabled for the production database. Backups run daily; retention and restore coverage are managed through operational controls and may differ from active product data retention. Customer content export remains available during an active subscription and for a limited post-termination window.

05

Customer responsibilities

  • Use unique accounts for each person.
  • Remove or deactivate users who no longer need access.
  • Assign only the roles and building access each user needs.
  • Do not submit prohibited regulated data unless a signed addendum permits it.
  • Report suspected security issues promptly.
06

Security contact

Security reports should go to support@doomotasks.com.