Data compliance overview

Updated by Jaspreet Bakshi

Where is DotAlign deployed?

DotAlign is deployed directly into your firm's Azure tenant. All infrastructure components and data remain exclusively within the firm's cloud environment. Employees of DotAlign, Inc. do not have access to your firm's DotAlign environment, systems, or data at any time. Access to the solution is strictly limited to authorized employees of the firm in accordance with the firm's identity and access management policies.

What information is stored in our firm's DotAlign environment?

DotAlign processes mailbox metadata—including sender and recipient details, timestamps, calendar event metadata, and business contact card fields. It does not store email or calendar body content, or attachments.

DotAlign transforms this metadata into structured relationship intelligence — such as people, organizations, inferred relationship strength, recency of interaction, and related context — all of which is stored within the firm's Azure tenant. This information remains accessible only to authorized employees of the firm based on defined sharing and access-control rules.

How long is information retained?

Upon deployment, DotAlign indexes a historical look-back period (typically up to two years of email metadata and four years of calendar metadata) in addition to continuously processing new metadata going forward. Indexed metadata remains within the firm's environment until explicitly purged. Administrators may delete the data associated with any individual mailbox (e.g., upon employee departure or in response to a data-subject request) at any time.

How is data organized, and how does DotAlign support GDPR/CCPA compliance?

DotAlign stores metadata in a partitioned architecture, where each mailbox has its own data partition. Composite relationship intelligence views are generated for a team-wide scope, based on applicable sharing policies and user entitlements. These composite datasets refresh periodically to reflect the most current access-control and privacy settings.

DotAlign helps the firm meet its GDPR and CCPA obligations by enabling authorized administrators to selectively purge data associated with any user mailbox upon request, ensuring the organization can meet data-subject rights related to erasure and data minimization.

Key compliance & control principles

  • Data residency & ownership: All data remains in the firm's Microsoft Azure environment.
  • No vendor access: DotAlign, Inc. does not access customer environments or data.
  • Metadata-only approach: No message or calendar body content is stored.
  • Granular access control: Data access follows the firm's identity and access management framework.
  • Right-to-erasure support: Selective purge capabilities support GDPR/CCPA compliance.

