OKR Dash is operated by Waypoint Software Pty Ltd (ACN 695 352 295). We take the security of your data seriously and have implemented a number of technical and organisational measures to protect it.
All communication between your browser and our servers is encrypted using HTTPS/TLS. We enforce HTTPS with HTTP Strict Transport Security (HSTS) and redirect all plain HTTP traffic to HTTPS.
Data stored in our database and on disk is encrypted at rest by our infrastructure providers (Heroku, Amazon Web Services). Backups are also encrypted.
Access to production systems and customer data is restricted to authorised personnel on a need-to-know basis. We use strong authentication for administrative access to infrastructure.
We never store passwords in plain text. Passwords are hashed using a strong, modern algorithm (bcrypt) before storage.
We regularly review and update dependencies to address known vulnerabilities. We follow OWASP guidance in our development practices.
In the event of a data breach that affects your personal data, we will notify affected users and relevant authorities as required by applicable law, including GDPR Article 33 (notification within 72 hours where required).
All customer data is stored on servers in the European Union (AWS EU region). Data is not routinely transferred outside the EU, except where sub-processors are involved (see Sub-processors below).
We maintain automated, encrypted database backups. Backups are retained for a rolling period to allow recovery from data loss scenarios.
Each Workspace is logically isolated. Users can only access data within the Workspaces they have been invited to join.
We retain your data for as long as your account remains active. If you request deletion of your account, we will delete your personal data within 30 days, except where retention is required for legal purposes (e.g. billing records). You can request account deletion by emailing hello@okr-dash.com.
Waypoint Software Pty Ltd (ACN 695 352 295) is an Australian company. For users in the European Economic Area (EEA) and United Kingdom, we comply with the General Data Protection Regulation (GDPR) and the UK GDPR respectively.
We act in two capacities depending on the data in question:
We rely on the following lawful bases under GDPR Article 6:
If you are located in the EEA or UK, you have the following rights:
To exercise any of these rights, email hello@okr-dash.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.
You also have the right to lodge a complaint with a supervisory authority. If you are in the UK, this is the Information Commissioner's Office (ICO). If you are in the EU, contact your national supervisory authority.
Where we act as a Data Processor for your organisation's content data, we commit to the following:
If your organisation requires a signed Data Processing Agreement (DPA), please email hello@okr-dash.com.
We use the following third-party sub-processors to provide the Service. All are bound by appropriate data processing agreements.
| Provider | Purpose | Data location |
|---|---|---|
| Heroku (Salesforce) | Application hosting and deployment | EU |
| Amazon Web Services (AWS) | Database hosting, storage, and backups | EU |
| Stripe | Payment processing and subscription management | USA |
| SendGrid (Twilio) | Transactional and marketing email delivery | USA |
| OpenAI | AI-powered features (e.g. OKR suggestions, insights) | USA |
| Plausible Analytics | Privacy-friendly, cookieless website analytics (no personal data) | EU |
We will update this list when we add or remove sub-processors. If you have questions about a specific provider, contact hello@okr-dash.com.
For any security or data protection enquiries:
Waypoint Software Pty Ltd
hello@okr-dash.com
To report a security vulnerability, please email hello@okr-dash.com with details. We will acknowledge all reports within 48 hours and aim to resolve confirmed issues promptly.