Trust & Security at Daylogue
How we protect your data and the commitments we make to keep it safe.
What Daylogue Is
Daylogue is a pattern journal. It reads the patterns across your check-in entries over time and surfaces them back to you. It does not assess emotions, produce clinical evaluations, or tell you or anyone else what you are feeling.
Daylogue is not therapy and is not a replacement for professional care.
AI Safety Guardrails
Daylogue operates under eight product-level guardrails that govern what the AI can and cannot do:
1. No emotion labels appear in reports to organization administrators.
2. Administrators see participation rates and reported themes only. Numeric mood or stress scores are never surfaced to employers.
3. Voice check-in includes an explicit disclosure of the data flow before activation.
4. Individual emotion scores are never shared with employer-context administrators, regardless of any sharing preference.
5. Numeric mood scores do not appear in employer-facing interfaces.
6. AI output in administrator-facing contexts uses behavioral and thematic language only, not emotional assessments.
7. Organization members see a disclosure of exactly what their administrator can and cannot see before their first check-in contributes to team data.
8. Organization administrators acknowledge a no-coercion policy before activating member invitations.
Full documentation: AI Safety and the AI Safety One Pager.
SOC 2 Readiness
In Progress: Daylogue is pursuing SOC 2 Type I certification, with the assessment scheduled for Q2 2026. We are working with an accredited auditor across availability, confidentiality, and privacy trust service criteria. The attestation report will be published on completion.
Our AI safety practices align with ISO 42001 (AI management system standard). The full AI safety policy pack is available to enterprise procurement teams on request.
Encryption
| Scope | Protection |
| --- | --- |
| At rest | AES-256 |
| In transit | TLS 1.3 |
| Journal entries | AES-256-GCM, encrypted on-device before transmission. We store ciphertext only. |
| Voice transcripts | Not persisted to the database. Deepgram zero-retention contract enforced. No employer access at any point. |
Data Residency
All data is stored and processed in the United States. Infrastructure runs on AWS us-east-1 and us-west-2. EU data residency is not currently available. Organizations with specific residency requirements should contact security@daylogue.io.
HIPAA-Aligned Practices
Daylogue follows HIPAA-aligned practices for technical security: access controls, audit logging, and integrity verification. Daylogue does not claim HIPAA compliance as a covered entity and does not hold Business Associate Agreements for general customers.
Healthcare customers with BAA requirements should contact security@daylogue.io.
AI Infrastructure
All AI inference routes through AWS Bedrock. Daylogue's pattern journal reads what you tell it. It does not infer emotions from voice tone, facial expression, or behavioral signals.
- AWS Bedrock does not store, log, or train on your data
- Anthropic (the underlying model provider) never has access to your data. It is isolated within our AWS environment.
- Voice transcription uses Deepgram. Zero data retention per contract.
- EU AI Act Article 50 disclosure: Daylogue's check-in conversations are AI-generated. Users interact with an AI system, not a human. This is disclosed in the product.
Consumer Health Data (WA / NV / CT)
Users in Washington State, Nevada, and Connecticut have additional rights under state consumer health data laws (Washington My Health My Data Act, Nevada SB 370, Connecticut SB 3). Your check-in data, voice transcripts, and AI-generated wellness narratives are classified as consumer health data under these laws.
Subprocessors
Daylogue uses the following sub-processors. All are bound by written confidentiality and security obligations and process data on Daylogue's instructions. Material changes are posted here at least 30 days before they take effect.
| Subprocessor | Purpose | Location |
| --- | --- | --- |
| Supabase | Database, authentication, file storage | US |
| AWS Bedrock | AI inference (zero retention, no model training) | us-east-1, us-west-2 |
| Deepgram | Voice-to-text (zero retention per contract) | US |
| Resend | Transactional email | US |
| Stripe | Payment processing | US |
| Vercel | Application hosting and edge delivery | US |
| Sentry | Error and performance monitoring (PHI scrubbed before send; see Logging & Telemetry) | US |
Authentication
- Password minimum 12 characters; common-password and breach-password rejection enabled (HIBP).
- TOTP-based MFA available for all users; required for organization administrators.
- Refresh-token rotation with reuse detection; sessions revoked on password change.
- Row-Level Security on every Supabase table; service-role keys never exposed to clients.
- Aligned with NIST SP 800-63B Rev 4 AAL2 for administrators.
Logging & Telemetry
Logs capture access events, API calls, authentication events, and admin actions. Logs do not contain check-in text, voice transcripts, journal vault content, or numeric mood scores. Sentry error reports run through a PHI/PII scrubber (scrubPhiFromObject) before send. Operational logs are retained for 90 days; authentication and admin audit logs are retained for 12 months in a tamper-resistant store.
No log content is used to train any AI model. See the AI Training Transparency page.
Backup & Disaster Recovery
Daily encrypted backups with 30-day point-in-time recovery on the primary database. Recovery Time Objective (RTO): 4 hours. Recovery Point Objective (RPO): 1 hour. Restore drills run at least twice per year per the DR Restore Test runbook.
Incident Response & Status
Daylogue maintains a written Incident Response Plan and runs tabletop exercises at least annually. We commit to the following breach-notification windows where applicable:
- Within 60 days under the FTC Health Breach Notification Rule.
- Within 72 hours of awareness under GDPR Article 33 (where applicable).
- Within the windows set by Washington (My Health My Data Act), Nevada SB 370, Connecticut SB 3, California (CCPA/CPRA), and other state breach laws as applicable.
Service availability is monitored externally; the public status page will be linked here once published.
Your Data Rights
You can access or delete your data at any time from Settings → Data & Privacy, or by emailing privacy@daylogue.io. Active records are removed immediately on deletion; backups are purged within 30 days. Verified requests are completed within 45 days (with one 45-day extension where permitted).
Detail and state-specific rights: Consumer Health Data Privacy and Privacy Policy.
Children's Data
Daylogue is not directed to children under 13 and does not knowingly collect personal information from children under 13 (COPPA). The product is intended for users 18 and older. If we learn we have collected data from a child under 13 without verifiable parental consent, we will delete it.
Vulnerability Disclosure
To report a security vulnerability, email security@daylogue.io. We acknowledge reports within 24 hours and respond with a resolution timeline within 5 business days. Machine-readable contact information is published at /.well-known/security.txt (RFC 9116).
In scope
- The Daylogue web application at daylogue.io and its public APIs.
- The Daylogue iOS and Android applications (current production builds).
- Authentication, session management, and account-recovery flows.
- Data isolation between users and between organizations (RLS bypass, IDOR, tenant escape).
Out of scope
- Findings against third-party infrastructure we do not control (Supabase platform, Vercel platform, AWS, Stripe, Deepgram). Report those directly to the vendor.
- Reports requiring physical access, social engineering of Daylogue staff, or denial-of-service.
- Missing security headers, rate-limit hardening suggestions, and best-practice recommendations without a demonstrated impact.
- Self-XSS, clickjacking on pages without sensitive actions, and version-disclosure findings.
- Automated scanner output without proof of exploitation.
Safe harbor
Daylogue will not pursue legal action or contact law enforcement against researchers who, in good faith, follow this policy: report promptly, do not access more data than is necessary to demonstrate the issue, do not modify or delete data, do not degrade the service for others, do not publicly disclose before we have remediated (we follow a 90-day coordinated disclosure norm), and do not violate any applicable law beyond the authorization granted here. This safe harbor does not extend to third-party services listed as out of scope.
Bug bounty
Daylogue does not currently operate a paid bug bounty program. Researchers who follow this policy are recognized below with their permission.
Acknowledgments
No public acknowledgments to date. Researchers are credited here, with their permission, as reports are received and validated.
Security Questionnaire
Need to complete a vendor security review? Submit your questionnaire below and we'll respond within 5 business days.