Zero Servers. Minimal Attack Surface.

Built on Cloudflare’s global edge network. A serverless architecture removes whole classes of risk — no host OS or VMs to patch, no exposed database ports — and every layer is covered by the controls described below.

One Dash Zero Security

Serverless by Design

A serverless architecture removes whole classes of risk — no host OS to patch, no VMs or containers to misconfigure, no exposed database ports. Application logic runs in isolated Cloudflare Workers sandboxes.

Zero-Server Architecture

One Dash Zero runs entirely on Cloudflare Workers — serverless edge computing. No servers, VMs, or containers to hack, patch, or misconfigure. All code runs in isolated V8 sandboxes with zero shared state.

Global Edge Network

Protected by enterprise-grade DDoS mitigation, Web Application Firewall, and a global edge network spanning 300+ data centers worldwide.

Encrypted Database

Data is stored in Cloudflare D1, encrypted at rest. No exposed database ports and no direct internet access to the database.

Encryption

Every Byte, Encrypted

TLS 1.3 everywhere — All data in transit is encrypted. There are no unencrypted connections, no exceptions.

Processed on Cloudflare Workers, not traditional servers — Your data is processed by One Dash Zero application logic running on Cloudflare Workers. There are no traditional servers or VMs in the path, but all processing happens under the controls described on this page: TLS 1.3 in transit, encryption at rest, field-level encryption of connected credentials, and tenant-scoped access.

Field-level encryption at rest — Beyond Cloudflare’s platform encryption of the database, the third-party credentials you connect (e-commerce, CRM, calendar, and webhook tokens) are encrypted field-by-field with AES-256-GCM before they reach the database, using a key held as a Worker secret separate from the database. Platform API keys are stored as encrypted Cloudflare Worker secrets, never in source code. Backups use the same encryption.

AES-256-GCM
Token & credential encryption
TLS 1.3 in transit
Encrypted at rest
Field-level credential encryption

Authentication & Access Control

No Passwords Stored

Login uses one-time email verification codes, completely eliminating the risk of password database breaches. Nothing to leak, nothing to crack.

Secure Sessions

Session cookies use HttpOnly, Secure, and SameSite=Strict flags to prevent interception and cross-site attacks. Sessions expire automatically.

Tenant Isolation

Each account can only access its own data through authenticated, session-scoped API calls. Isolation is covered by an automated test suite (Playwright tenant-isolation tests) that runs on changes.

Sign-in uses email one-time codes — there are no passwords to breach, and every login requires access to your email account. Two-factor authentication via authenticator app (TOTP) is available.

Administrative audit trail — administrative actions such as account changes, agent deletions, and access-token issuance are recorded to an append-only audit log; entries are never overwritten.

📞 Talk to Dash — Try It Free

AI & Voice Processing

How your calls and chats are processed — and who processes them.

🤖 Voice Calls

Processed through ElevenLabs (voice AI) and Twilio (telephony — SOC 2, HIPAA-eligible, PCI DSS). Inbound post-call webhooks are HMAC-signature-verified (rejected fail-closed on a missing or invalid signature), and each agent’s tool callbacks authenticate with a per-agent encrypted credential — so one tenant’s agent cannot invoke another tenant’s tools.

🛡️ Prompt-Injection Resistance

Every voice and chat agent runs a hardened system-prompt block (“Scope & Integrity”) that refuses jailbreak attempts — word-substitution, letter and homophone games, and code-word tricks — while still allowing legitimate read-backs of a caller’s name, phone, email, or booking code. Shipped across all agents, on both phone and web surfaces.

💬 Chat & Text AI

Powered by Anthropic’s Claude (SOC 2 Type II). Conversations are processed in real time and, per Anthropic’s commercial terms, are not used to train models. ElevenLabs voice processing is governed by its vendor terms.

🎤 Call Recordings

Disabled by default. When enabled, recordings are stored securely and accessible only to the account owner. Configurable retention periods.

These are real, shipped controls — not a claim of comprehensive AI safety. We continue to harden agent behavior as the threat landscape evolves.

PCI Level 1

Payment Security

Stripe handles all payment data. One Dash Zero never sees, processes, or stores credit card numbers. All payment processing is handled by Stripe, a PCI Level 1 certified payment processor.

Subscription management, billing, and refunds are processed entirely through Stripe’s secure infrastructure. No financial data ever touches our systems.

✓ PCI Level 1 Certified
✓ No Card Data Stored
✓ Stripe-Powered Billing

Subprocessors

The third parties that process data on our behalf.

Vendor Purpose Data categories Region Certifications / DPA
CloudflareCompute, database (D1), storage, CDN/DDoSAll customer data, at rest & in transitUS (global edge)SOC 2 Type II, ISO 27001, PCI DSS
Anthropic (Claude)LLM — chat & contentChat messages, business profile, agent promptsUSSOC 2 Type II; no training on API data (commercial terms)
ElevenLabsVoice AI (phone & web)Call audio, transcripts, agent configUSDPA available; see vendor terms
TwilioTelephony, SMS, WhatsAppPhone numbers, message bodies, recording URLsUSSOC 2, HIPAA-eligible, PCI DSS
SendLayerTransactional emailRecipient email & name, message bodyUSTLS; DPA per vendor
StripePayments, subscriptionsBilling references (no card numbers)USPCI DSS Level 1, SOC 2
OpenAIImage generation (gpt-image-2) — optional feature, not in the core receptionist data flowOperator-typed text prompts onlyUSAPI data not used for training (per vendor)
Google PlacesBusiness address lookupBusiness search text queriesUSGoogle Cloud terms / DPA
Google CalendarAppointment bookingEvent subjects/times, attendee emailsUSGoogle Workspace terms / DPA
Microsoft Graph (Outlook)Appointment bookingEvent subjects/times/locationsUSMicrosoft terms / DPA
Cal.comAppointment availabilityBookings by date rangeUSVendor terms / DPA
Meta (Facebook/Instagram)Messenger/IG inbound, social publishingInbound message text, page post contentUSMeta platform terms
Apple (APNs)Push notifications (iOS)Device push tokens, notification payloadsUSApple Developer terms / DPA

Region reflects each subprocessor’s primary jurisdiction. One Dash Zero stores customer data within North America (primarily the United States); some subprocessors are global providers and may process data through infrastructure outside the region in the course of delivering their service. Retell AI is no longer used (voice is ElevenLabs). Northwest Registered Agent is a corporate registered agent, not a data subprocessor.

Compliance & Privacy

Privacy Rights

We support data subject requests — access, deletion, and correction — for California (CCPA/CPRA) and EU/UK (GDPR) residents. See our data deletion process below.

Data Deletion

Account data is retained while your account is active. Deletion requests are currently handled manually, case by case — a self-serve erasure workflow is in development. Production data is removed on request; encrypted backups age out on the normal rotation (7-day rolling dumps, 30-day weekly snapshots) and are then deleted automatically.

Transparency

Our Privacy Policy and Terms of Service detail exactly what data we collect and how it is used. No fine print, no surprises.

Have Security Questions?

We’re happy to answer any security questions, provide additional documentation, or discuss your compliance requirements.

Responsible disclosure — Security researchers can report vulnerabilities to security@onedashzero.ai; we acknowledge reports and remediate. See our security.txt.

Email Security Download Security PDF

security@onedashzero.ai  ·  +1 (762) GET-DASH