Security Policy

One Dash Zero™ LLC  ·  Effective Date: 06/14/2026  ·  Last Updated: 06/14/2026

One Dash Zero (“OD0”) builds and operates a multi-tenant AI communications platform. The security of our customers’ data, and of the third-party data our customers connect to OD0, is a first-order priority. This policy describes how we identify, prioritize, and resolve security issues, how to report a vulnerability to us, and how we handle data removal requests.

For the technical architecture behind these commitments — serverless design, encryption at rest and in transit, tenant isolation, and our subprocessor list — see our Security overview at https://onedashzero.ai/security.

Reporting a vulnerability

If you believe you have found a security vulnerability in any One Dash Zero system, please report it to us. We welcome responsible disclosure and will not pursue legal action against researchers who act in good faith.

Email: security@onedashzero.ai
Disclosure file: https://onedashzero.ai/.well-known/security.txt

When reporting, please include enough detail to reproduce the issue (affected URL or endpoint, a description of the behavior, and any proof-of-concept steps). Please do not access, modify, or exfiltrate data belonging to other customers, and please give us a reasonable opportunity to remediate before public disclosure. We acknowledge valid reports and will keep you informed as we work toward a fix.

Vulnerability management and patching

We triage every reported or internally discovered vulnerability by severity and resolve it on the following target timelines:

High — actively exploitable; risk of data exposure, account compromise, or service compromise — resolved as soon as possible, prioritized immediately ahead of other work.
Medium — exploitable under specific conditions; limited or indirect impact — resolved within 3 business days.
Low — minimal practical impact; defense-in-depth or hardening — resolved within 3 weeks.

Severity is assessed using the likelihood of exploitation and the potential impact on customer data and service availability. Where a fix cannot be fully deployed within these windows, we apply interim mitigations to reduce exposure while the permanent fix is developed.

Secure development and operations

Serverless architecture. OD0 runs entirely on Cloudflare Workers — no host operating systems, virtual machines, or containers for us to patch, and no exposed database ports. This removes whole classes of infrastructure vulnerability by design.
Encryption in transit. TLS 1.3 across all connections. No unencrypted endpoints.
Encryption at rest. Customer data is stored in Cloudflare D1, encrypted at rest. Connected third-party credentials (CRM, calendar, e-commerce, and webhook tokens, including OAuth tokens for integrated platforms) are additionally encrypted field-by-field with AES-256-GCM using a key held separately from the database. Platform API keys are stored as encrypted Cloudflare Worker secrets, never in source code. Backups use the same encryption.
Tenant isolation. Every account can access only its own data through authenticated, session-scoped requests. Isolation is enforced in code and covered by an automated test suite that runs on changes.
Authentication. Sign-in uses one-time email verification codes — there are no stored passwords to breach. Administrative actions are recorded to an append-only audit log.
Least-data handling. We request and retain only the data required to operate the features a customer has enabled. We avoid writing sensitive or personal data to application logs.
Code review and dependency monitoring. Changes are reviewed before release, and dependencies are monitored for known vulnerabilities.

Data handling, retention, and removal

While your account is active, we retain the data needed to provide the service — including contacts, call and message records, transcripts, and the configuration of any connected integrations.

Data subject requests. We support data subject rights — including access, correction, and deletion — for residents of jurisdictions whose laws provide them, including California (CCPA/CPRA), the EU/UK (GDPR), and Canada (PIPEDA).

Deletion. You can request deletion of your account and all associated personal data at any time — in-app via the FONE app (Settings → Delete Account), by email to privacy@onedashzero.ai, or by phone at +1 (762) GET-DASH. Upon receiving your request, we delete your account, profile information, call recordings, transcripts, integration credentials, and other personal data within 30 days, except where retention is required by law (such as financial record-keeping or fraud prevention). Data sourced from connected third-party platforms (for example, contacts, matters, or events retrieved from an integrated practice-management or calendar system) is removed for your account on request and when you disconnect that integration. Encrypted backups age out on the normal rotation — 7-day rolling dumps and 30-day weekly snapshots — and are then deleted automatically, so any residual copies expire within those windows.

Subprocessors. A current list of the third parties that process data on our behalf, including the data categories each receives and their region, is published on our Security overview at https://onedashzero.ai/security.

Data residency. One Dash Zero serves customers in the United States and Canada, and customer data is stored and processed within North America — in Cloudflare’s data infrastructure and the North America–based subprocessors listed on our Security overview. Customers with specific data-residency or compliance-documentation requirements can contact us at privacy@onedashzero.ai to discuss whether One Dash Zero is a fit.

Business continuity and incident response

OD0’s serverless architecture runs across Cloudflare’s global edge network, providing redundancy and DDoS protection without single-server points of failure. In the event of a confirmed data breach affecting customer data, we will investigate, contain, and notify affected customers in accordance with applicable law and contractual commitments.

Compliance and policies

The following policies are publicly available: Privacy Policy, Terms of Service, Refund Policy, and this Security Policy. We continue to harden our platform and update this policy as our practices and the threat landscape evolve.

Contact

Security / responsible disclosure: security@onedashzero.ai
Data subject & deletion requests: privacy@onedashzero.ai
Responsible disclosure file: https://onedashzero.ai/.well-known/security.txt
General: dash@onedashzero.ai

One Dash Zero™ LLC
30 N Gould St Ste N, Sheridan, WY 82801
Email: dash@onedashzero.ai  ·  Phone: +1 (762) GET-DASH