Your guests' data is safe with us
DramWell was built by engineers who have operated high-traffic systems at scale. Security is architecture, not an afterthought — every design decision starts with protecting your data and your guests' trust.
Security Architecture
Defense in depth, layer by layer
Data Encryption
All data is encrypted at rest using AES-256 and in transit via TLS 1.3. Database backups are encrypted independently and stored in geographically distributed locations.
- AES-256 encryption at rest
- TLS 1.3 in transit
- Encrypted database backups
- Key rotation every 90 days
SOC 2 Type II
We are actively pursuing SOC 2 Type II certification across the Security, Availability, and Confidentiality trust service criteria. Our controls are audited continuously.
- SOC 2 Type II audit in progress
- Security trust criteria covered
- Availability & confidentiality criteria
- Continuous control monitoring
GDPR & CCPA
DramWell is designed for global compliance. Guest data requests, right-to-erasure workflows, and data residency controls are built into the platform — not retrofitted.
- GDPR Article 17 erasure workflows
- CCPA consumer rights portal
- Data residency controls (US/EU)
- DPA available on request
Infrastructure Security
Hosted on AWS with VPC isolation, WAF protection, DDoS mitigation, and automated vulnerability scanning. Our infrastructure is immutable and rebuilt on every deploy.
- AWS VPC network isolation
- WAF + DDoS protection
- Automated CVE scanning
- Immutable infrastructure
Access Control
Your data, your rules
Granular controls ensure every team member sees exactly what they need — and nothing more.
Row-Level Security (RLS)
Every database query is scoped to the authenticated tenant. It is architecturally impossible for one customer's data to leak to another — enforced at the database layer, not just the application layer.
Role-Based Access Control
Staff, managers, and owners have granular permissions. Owners control exactly what each role can view, edit, or export. Every permission change is logged with a timestamp and actor.
Audit Logging
Every sensitive action — data export, permission change, AI configuration update — is logged immutably. Logs are retained for 12 months and available to operators on request.
Anomaly Detection
Unusual access patterns trigger automatic alerts. Logins from new devices, bulk exports, and off-hours access are flagged and reviewed by our security team.
Privacy by Design
We collect only what we need to operate the platform. Guest data is never sold, never used to train third-party models, and never shared with advertisers. When a guest requests erasure, we delete every record — not just the profile.
Security FAQ
Common questions from operators evaluating DramWell.
Where is my data stored?
All data is stored in AWS us-east-1 by default. EU-based customers can request EU data residency (Frankfurt). Backups replicate to a secondary region for disaster recovery.
Who at DramWell can access my data?
Access to production data is restricted to a small number of senior engineers, requires two-factor authentication, and every access is logged. We do not use customer data for training AI models without explicit opt-in.
How do I submit a GDPR erasure request?
Operators can initiate guest erasure directly from the dashboard. For account-level erasure requests, email privacy@dramwell.ai — we process all requests within 72 hours.
Do you share data with third parties?
We share data only with subprocessors required to operate the platform (AWS, Stripe, ElevenLabs for voice). A full list of subprocessors is available in our Data Processing Agreement.
Is DramWell PCI DSS compliant?
DramWell is a SAQ-A compliant merchant. We do not store, process, or transmit raw card data — all payments are handled by Stripe, which is PCI Level 1 certified.