01 Introduction and scope
Dizibook ("Dizibook," "we," "us," or "our") is committed to protecting the security, confidentiality, and integrity of information processed through our platform. This Data Security Policy explains the technical, administrative, and organizational measures we use to safeguard data collected, stored, and processed as part of our services.
Dizibook is operated by Dizignate LLC, a limited liability company registered in the State of Wyoming, United States of America (registered office: 30 N Gould St, Ste R, Sheridan, WY 82801, USA). Operations and customer support are partly delivered by team members located in India.
This Policy applies to:
- Customer Data stored within the Dizibook platform
- Personal information collected from website visitors
- CRM records, leads, and contact data uploaded by Customers
- Communication data (SMS, email, voice calls, call recordings)
- AI Employee conversation logs and inputs
- Account, subscription, and billing metadata
This Policy does not apply to third-party platforms or services that may integrate with or be linked from Dizibook. Those services are governed by their own security and privacy policies.
- TLS 1.2+ in transit: All data exchanged with our platform is encrypted in transit using modern TLS protocols.
- AES-256 at rest: Stored data is encrypted at rest using industry-standard AES-256 encryption where applicable.
- MFA on admin accounts: Multi-factor authentication enforced on all administrative and internal access.
- Vetted sub-processors: Only enterprise-grade providers with established security standards. See Section 10.
02 Shared responsibility model
Data security is a shared responsibility between Dizibook and you, the Customer.
2.1 Our responsibilities
- Securing the infrastructure and platform we control
- Implementing reasonable technical and organizational safeguards
- Vetting and monitoring sub-processors
- Limiting internal access to Customer Data on a need-to-know basis
- Maintaining system availability, integrity, and incident-response procedures
- Notifying you of confirmed security incidents that affect your data
2.2 Your responsibilities
- Protecting your login credentials (use strong, unique passwords)
- Enabling and using multi-factor authentication where available
- Managing user access and permissions within your account
- Promptly revoking access for former team members
- Ensuring lawful collection and use of Customer Data (including SMS consent and CAN-SPAM compliance)
- Reporting suspicious activity, suspected breaches, or security concerns to us promptly
03 Data classification
Dizibook processes the following categories of data:
- Account Data: User profiles, business names, login credentials (passwords stored as one-way hashes), authentication tokens.
- Business Data: CRM records, leads, contacts, pipelines, custom fields, automation configurations, AI Employee scripts and prompts.
- Communication Data: SMS messages, email content, voice calls, call recordings (when enabled), AI Employee conversation transcripts.
- Billing Data: Subscription status, invoices, payment metadata. Full credit card numbers are never stored by Dizibook — they are handled directly by Stripe.
- Technical Data: Logs, IP addresses, browser/device fingerprints, session activity, audit trails.
04 Customer data ownership
You retain all ownership rights in the data you upload, enter, or generate through the Services ("Customer Data"). We act as a data processor (or "service provider" under CCPA) on your behalf.
You can export your Customer Data at any time through the platform's standard export tools or by request. Upon cancellation, you have a wind-down period (typically 30–60 days) to export your data before it is deleted, subject to legal retention requirements. See Section 15 for details.
05 Infrastructure security
5.1 Hosting
The Dizibook platform is hosted on enterprise-grade cloud infrastructure managed through our underlying SaaS platform partner (HighLevel / LeadConnector LLC) and their hosting providers. These environments include physical security, redundant power and networking, and continuous monitoring.
5.2 Network security
Network-level safeguards include:
- Firewalls and network segmentation
- Distributed denial-of-service (DDoS) protection at the platform level
- Continuous traffic monitoring and intrusion detection
- Restricted administrative access via secure channels
06 Encryption
6.1 Data in transit
All data exchanged between users and the Dizibook platform — including login traffic, API calls, and communications — is encrypted using TLS 1.2 or higher. Older protocols (SSL, TLS 1.0/1.1) are disabled.
6.2 Data at rest
Stored data — including database records, file uploads, backups, and call recordings — is encrypted at rest using AES-256 or equivalent industry-standard algorithms where applicable.
6.3 Credentials
User passwords are stored as salted one-way hashes using modern hashing algorithms. Plain-text passwords are never stored or accessible to Dizibook personnel.
07 Access controls
7.1 Internal access (Dizibook personnel)
- Access to Customer Data is restricted to authorized personnel only.
- Access is granted on a strict need-to-know basis.
- All internal access is logged and subject to periodic review.
- Personnel with privileged access are required to use multi-factor authentication and secure devices.
- Access is automatically revoked when team members leave or change roles.
7.2 Customer access
Within your Dizibook account, you can:
- Create and manage user roles and permissions
- Assign granular access to features, contacts, and pipelines
- Revoke access for any user at any time
- Audit user activity through the platform's logs
You are responsible for managing access within your organization, including revoking access for departed team members.
08 Authentication and MFA
- User authentication is required to access the platform.
- Multi-factor authentication (MFA) is supported and strongly recommended for all Customer accounts.
- MFA is enforced on all internal Dizibook administrative accounts.
- Login attempts are rate-limited; suspicious patterns trigger additional verification or temporary account lockout.
We recommend the following best practices:
- Use strong, unique passwords (managed via a password manager)
- Enable MFA on all user accounts
- Avoid sharing accounts — create separate users with appropriate permissions
- Revoke access promptly when team members leave
09 Backups and availability
- Automated backups are performed regularly as part of platform operations.
- Backups are encrypted and stored securely.
- Backup retention periods are designed to support recovery in the event of system failure or accidental data loss.
- We perform regular backup-restore testing to validate integrity.
While we take reasonable measures to maintain availability, we do not guarantee uninterrupted service. See Section 18 (Limitations) and our Terms of Service §22.
10 Sub-processors and vendor security
Dizibook relies on a small set of trusted third-party providers ("sub-processors") to deliver the Services. Each sub-processor is selected based on its security posture, reliability, and compliance with industry standards. Each is bound by appropriate data-protection terms.
| Sub-processor | Purpose | Region |
| --- | --- | --- |
| HighLevel (LeadConnector LLC) | Underlying SaaS infrastructure, CRM, automation, AI features, calendar, hosting | United States |
| Stripe, Inc. | Payment processing and billing (PCI DSS compliant) | United States |
| Twilio Inc. | SMS, voice, and A2P 10DLC carrier registration | United States |
| Email Service Provider (via HighLevel) | Transactional and Customer-initiated email delivery | United States |
| Cloud Hosting (via HighLevel) | Application hosting, storage, and backups | United States |
This list aligns with the sub-processor list in our Privacy Policy §9. We monitor sub-processor performance and security and review this list periodically. Customers can request the most current list at [email protected].
11 Communication data security
For SMS, email, and voice services:
- Messages and call logs may be stored to enable platform functionality (history, search, automation, AI training based on Customer configuration).
- Call recordings are stored only when explicitly enabled by the Customer.
- Carrier-level delivery and behavior is outside our control — delivery is not guaranteed (see Terms of Service §14).
- Customers are responsible for obtaining valid consent before sending messages and for compliance with TCPA, CAN-SPAM, and applicable laws.
12 AI Employee data security
The AI Employee feature processes lead and customer messages in real time to generate replies, qualify inquiries, and book appointments based on your configuration.
- AI Employee conversations are stored within your account for the duration of your subscription, subject to the retention rules in Section 15.
- Conversation data is encrypted in transit and at rest, just like other Customer Data.
- AI processing is performed through our underlying platform partner (HighLevel) and is governed by their data-handling commitments.
- Customers control AI Employee scripts, prompts, and configuration — Dizibook does not author the AI's responses on your behalf.
- Customers are responsible for ensuring lawful disclosures to their contacts where AI is involved (e.g., bot-disclosure laws in certain jurisdictions).
13 Payment security
All payment transactions are processed through Stripe, a PCI DSS Level 1 certified payment processor.
- Dizibook does not store or process full credit or debit card numbers.
- Card data is collected directly by Stripe via secure tokenization — your card details never touch Dizibook servers.
- Payment metadata visible to Dizibook is limited to transaction status, last 4 digits of the card, brand, and expiration (used for billing administration only).
- Stripe maintains its own enterprise-grade security and compliance program — see Stripe's Privacy Policy for details.
14 Incident response and breach notification
14.1 Incident response procedures
We maintain documented procedures to identify, contain, investigate, and mitigate security incidents. Incidents are triaged by severity, and our response includes containment, eradication, recovery, and post-incident review.
14.2 Breach notification
If we confirm a data breach involving Customer personal information, we will:
- Take reasonable steps to contain and mitigate the incident
- Notify affected Customers without undue delay, and where required by applicable law (e.g., GDPR), within 72 hours of confirmation
- Notify regulatory authorities as required by applicable law
- Provide information about the nature of the incident, data potentially affected, mitigation steps taken, and recommended actions
Notifications will be sent to the email address associated with your account. You are responsible for keeping that address current.
15 Data retention and deletion
Customer Data is retained only as long as necessary to:
- Provide the Services
- Meet legal, tax, and regulatory obligations
- Resolve disputes and enforce agreements
Upon cancellation:
- Customer Data is retained for a wind-down period of typically 30–60 days to allow export and recovery, unless a longer period is required by law.
- After the wind-down period, Customer Data is deleted or anonymized.
- Backup retention may extend beyond this window for disaster-recovery purposes; backups are eventually purged in accordance with backup retention schedules.
Customers may request earlier deletion subject to legal and contractual requirements by emailing [email protected].
16 User data rights
Depending on your jurisdiction and applicable law, you may have rights to access, correct, delete, restrict, port, or object to processing of your personal information. Full details are in our Privacy Policy §13.
Requests can be submitted to [email protected]. We respond within the timeframe required by applicable law (typically 30 days).
17 International data transfers
Dizibook operates internationally. Dizignate LLC is a U.S. entity, and operations and customer support are partly delivered by team members located in India. As a result, Customer Data may be processed or stored in jurisdictions outside the user's country of residence, including the United States and India.
For users located in the European Economic Area, the United Kingdom, or other regions with data-transfer restrictions, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses or equivalent safeguards) where required. We take reasonable steps to protect data in accordance with this Policy regardless of where it is processed.
18 Limitations of security
While we implement reasonable safeguards, no system is completely secure. Data transmission over the internet carries inherent risks, and we cannot guarantee that data will not be intercepted, lost, or accessed by unauthorized parties despite our best efforts.
You acknowledge and agree that:
- Absolute security cannot be guaranteed
- Use of the Services is at your own risk
- You are responsible for the security practices within your own organization
- Dizibook's liability for security incidents is limited as set forth in our Terms of Service §23
19 Reporting security issues
If you discover a vulnerability, suspect a security incident, or have any security-related concern about Dizibook, please report it promptly:
Email: [email protected] with subject line "Security Report"
Response time: We aim to acknowledge security reports within 1 business day and provide updates as we investigate.
Please include as much detail as possible: a description of the issue, steps to reproduce, screenshots, and any other supporting information. Do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate.
We appreciate responsible security disclosure and will work in good faith with researchers and Customers who report issues.
20 Policy updates
We may update this Data Security Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Changes will be posted on this page with an updated "Last updated" date. Material changes will be communicated by email to account administrators where reasonably possible.
Continued use of the Services after changes are posted constitutes acceptance of the revised Policy.
21 Governing law
This Data Security Policy is governed by the laws of the State of Wyoming, United States, without regard to conflict-of-law principles. Any dispute arising from this Policy shall be resolved in the courts of Wyoming, except where applicable law provides otherwise.
Plain-English summary (non-binding)
- Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Multi-factor authentication is enforced for our admins and recommended for you.
- You own your data — export anytime, delete on request.
- We use a small set of trusted sub-processors: HighLevel, Stripe, Twilio, plus their hosting/email providers.
- Stripe handles all card data — we never see full card numbers.
- Confirmed breaches: notification within 72 hours where required.
- Found a vulnerability? Email [email protected] with subject "Security Report."
- No system is 100% secure — security is a team effort between us and you.
This summary is provided for convenience only and does not replace the full Policy above.