Legal Information
Our commitment to transparency, privacy, and security.
Privacy Policy
Last updated: June 12, 2026
1. Introduction
This Privacy Policy describes how DotEnv Inc. ("DotEnv", "we", "our", or "us"), a corporation organized under the laws of the Province of Ontario, Canada, collects, uses, discloses, and protects personal information in connection with the DotEnv secrets and environment variable management service, including our website, web application, API, command-line tool, and SDKs (collectively, the "Service").
We comply with the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and Quebec's Act respecting the protection of personal information in the private sector (as amended by Law 25).
Two roles. For account and billing information of registered users, we act as the data controller. For the content our customers store in the Service (secrets, environment variables, configuration values, and related metadata, collectively "Customer Content"), we act as a data processor / service provider on behalf of the customer organization. Processing of Customer Content is governed by our Data Processing Agreement.
2. Information We Collect
Information you provide:
- Account data: name, email address, and a password (stored only as a one-way hash). Email addresses are verified before full account access.
- Two-factor authentication data: depending on the methods you enable: authenticator app (TOTP) secrets, a verified email address, and/or a verified phone number used to deliver SMS codes.
- Organization data: organization names, team membership, roles, and permissions.
- Billing data: plan selection, billing contact details, and invoice information. Payment card details are collected and stored by our payment processors (see Section 5); we never store full card numbers.
- Communications: messages you send us through the contact form or support channels.
- Customer Content: secrets and environment variables you store. Customer Content is encrypted with AES-256-GCM. Where you use client-managed encryption keys, we hold only ciphertext and cannot read, decrypt, or recover your Customer Content.
Information collected automatically:
- Session and security data: IP address, browser user agent, session identifiers, and trusted-device records used to protect your account.
- Usage and audit data: activity logs recording actions taken in your organization (for example, creating or updating a secret), API access metrics (request counts, response times, token used), and notification preferences.
- CLI telemetry: limited, privacy-preserving usage data from our command-line tool, described in detail (including how to disable it) on our CLI Telemetry page.
We do not use third-party advertising or analytics trackers on the Service, and we do not collect personal information from data brokers.
3. How We Use Personal Information
- Provide, operate, maintain, and secure the Service;
- Authenticate users, deliver two-factor authentication codes, and detect and prevent fraud, abuse, and unauthorized access;
- Process subscriptions, payments, invoices, and seat-based billing;
- Provide customer support and respond to inquiries;
- Send transactional and service communications (verification emails, security alerts, billing notices). Any marketing email is sent only in compliance with Canada's Anti-Spam Legislation (CASL), with consent and a working unsubscribe mechanism;
- Maintain audit logs and version history as a feature of the Service for our customers;
- Monitor performance and diagnose errors (using Sentry error monitoring);
- Comply with legal obligations and enforce our Terms of Service.
4. Legal Bases (GDPR)
Where the GDPR applies, we rely on the following legal bases: performance of a contract (providing the Service you signed up for); legitimate interests (securing the Service, preventing abuse, improving reliability); consent (optional communications and optional features, which you may withdraw at any time); and legal obligation (tax, accounting, and lawful requests).
5. How We Share Personal Information
We do not sell or rent personal information. We share it only with:
- Service providers (subprocessors): vendors that help us operate the Service, such as payment processing, cloud hosting, email delivery, SMS delivery, and error monitoring. The current list, purposes, and locations are published on our Subprocessors page;
- Your organization: administrators of an organization you belong to can see your name, email, role, and activity within that organization;
- Legal and safety: where required by law, court order, or governmental authority, or where necessary to protect the rights, safety, or property of DotEnv, our users, or the public;
- Business transfers: in connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality protections and notice where required.
6. International Transfers
Our infrastructure providers process data in the United States (primarily AWS, US East region) and other jurisdictions where our subprocessors operate. Where personal information subject to the GDPR is transferred outside the EEA/UK, we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum) or other valid transfer mechanisms. Canadian and Quebec residents should note that information may be processed outside Canada and may be accessible to foreign authorities under applicable local law.
7. Retention
- Account data: retained while your account is active and for a reasonable period afterwards as needed for legal, tax, and audit purposes;
- Customer Content, secret version history, and audit logs: retained according to the retention configuration of your organization's plan; when content is deleted or an organization is deleted, associated data is removed through cascading deletion;
- Billing records: retained as required by tax and accounting law (typically 7 years);
- Security logs: retained for a limited period proportionate to their security purpose.
8. Security
Customer Content is encrypted at rest using AES-256-GCM and in transit using TLS. We support server-managed, client-managed, and hybrid key custody modes, role-based access control, two-factor authentication, and comprehensive audit logging. See our Security Policy for details. No method of transmission or storage is completely secure; we cannot guarantee absolute security.
9. Your Rights
All users (PIPEDA): you may request access to, correction of, or deletion of your personal information, and may withdraw consent subject to legal and contractual restrictions. You can exercise most of these rights directly in your account settings (profile updates, data export, account deletion).
EEA/UK users (GDPR): you additionally have rights to data portability, restriction of processing, objection to processing based on legitimate interests, and the right to lodge a complaint with your supervisory authority.
California residents (CCPA/CPRA): you have the right to know, correct, and delete personal information, and the right to non-discrimination. We do not sell or share personal information for cross-context behavioural advertising.
Quebec residents (Law 25): you have the rights described above as well as the right to data portability in a structured, commonly used technological format. Our Privacy Officer (see Section 13) is responsible for the protection of personal information.
If a request concerns Customer Content processed on behalf of an organization, we will refer the request to that organization and assist them as required by our Data Processing Agreement.
10. Cookies
We use only strictly necessary cookies (session, security, and "remember me"). We do not use advertising or analytics cookies. See our Cookie Policy.
11. Children
The Service is a business tool and is not directed at children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us personal information, contact us and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated version with a revised "Last updated" date and, for material changes, provide reasonable advance notice (for example, by email or in-app notice). Continued use of the Service after the effective date constitutes acceptance.
13. Contact & Complaints
Privacy Officer, DotEnv Inc.: [email protected] (or [email protected]).
If you are not satisfied with our response, you may complain to the Office of the Privacy Commissioner of Canada (OPC), the Commission d'accès à l'information du Québec, your EU/UK supervisory authority, or the California Privacy Protection Agency, as applicable.
Terms of Service
Last updated: June 12, 2026
1. Agreement to Terms
These Terms of Service (the "Terms") are a binding agreement between DotEnv Inc. ("DotEnv", "we", "our", or "us"), a corporation organized under the laws of the Province of Ontario, Canada, and the person or entity using the DotEnv service: our website, web application, API, command-line tool, and SDKs (collectively, the "Service"). By creating an account or using the Service you agree to these Terms, our Acceptable Use Policy (incorporated by reference), and our Privacy Policy.
If you use the Service on behalf of an organization, you represent that you have authority to bind that organization, and "Customer" refers to that organization. The Service is intended for business and professional use by users who are at least 16 years old and have legal capacity to contract.
2. Accounts and Security
You must provide accurate, complete registration information and keep it current. You are responsible for all activity under your account and for safeguarding your credentials, API tokens, and encryption keys. We strongly recommend enabling two-factor authentication. Notify us immediately at [email protected] of any unauthorized use or suspected breach of your account.
3. The Service
DotEnv provides secrets and environment variable management, including encrypted storage, team and organization management, role-based access control, version history, audit logging, and programmatic access via API, CLI, and SDKs. We may modify, improve, or discontinue features of the Service; for material reductions in core functionality of a paid plan, we will give reasonable advance notice.
Beta features. Features identified as alpha, beta, preview, or early access are provided "as is", may change or be withdrawn at any time, are excluded from any SLA, and should not be relied on for production workloads.
4. Plans, Fees, and Billing
- Subscriptions. Paid plans are billed in advance on a monthly or annual basis and renew automatically until cancelled. Cancellation takes effect at the end of the current billing period; fees already paid are non-refundable except where required by applicable law.
- Seats and usage. Plans may include a set number of members; additional members may incur per-seat overage charges at the rates displayed at purchase. Plan limits (projects, secrets, API calls, storage, retention) are described on our pricing page.
- Trials. Trial periods convert to paid subscriptions at the end of the trial unless cancelled beforehand.
- Payment processing. Payments are handled by third-party payment processors (such as Stripe). We do not store full payment card numbers. You authorize us and our processors to charge your payment method for all fees due.
- Taxes. Fees are exclusive of applicable taxes (including GST/HST), which you are responsible for, other than taxes on our income.
- Price changes. We may change prices with at least 30 days' notice; changes apply from your next renewal.
- Non-payment. If payment fails, we may apply a grace period, then downgrade, suspend, or restrict the account until balances are settled.
5. Customer Data and Encryption
As between you and DotEnv, you own all secrets, environment variables, and other content you store in the Service ("Customer Data"). You grant us a limited, non-exclusive license to host, store, transmit, and process Customer Data solely to provide and secure the Service and as otherwise permitted by these Terms and the Data Processing Agreement.
You are responsible for the accuracy and legality of Customer Data, for maintaining appropriate backups outside the Service, and for ensuring you have all rights necessary to store it with us.
Client-managed keys: read carefully. Where you choose client-managed (zero-knowledge) encryption, encryption and decryption occur on your side and we hold only ciphertext. We cannot read, decrypt, recover, or reset your Customer Data if you lose your encryption keys. Loss of client-managed keys means permanent loss of the corresponding data, and we have no liability for such loss.
6. Acceptable Use
Your use of the Service must comply with our Acceptable Use Policy. We may investigate suspected violations and may remove content, throttle, suspend, or terminate accounts that violate it.
7. Intellectual Property; Feedback
The Service, including all software, design, and documentation, is owned by DotEnv and its licensors and is protected by intellectual property laws. Except for the limited right to use the Service in accordance with these Terms, no rights are granted to you. You may not copy, modify, reverse engineer (except to the extent permitted by law), resell, or create derivative works of the Service.
If you provide suggestions or feedback, you grant us a perpetual, irrevocable, worldwide, royalty-free license to use it without restriction or compensation.
8. Confidentiality
Each party will protect the other's non-public information with at least reasonable care, use it only as needed to perform under these Terms, and not disclose it except to personnel and advisors bound by confidentiality obligations, or as required by law (with notice to the other party where legally permitted).
9. Third-Party Services
The Service interoperates with third-party services (for example, payment processors and notification integrations). Your use of third-party services is governed by their terms, and we are not responsible for third-party services we do not control.
10. Term, Suspension, and Termination
These Terms apply for as long as you use the Service. You may stop using the Service and delete your account or organization at any time. We may suspend or restrict access immediately if: (a) you materially breach these Terms or the Acceptable Use Policy; (b) fees are overdue beyond any grace period; (c) your use poses a security risk to the Service or others; or (d) suspension is required by law. Where practicable, we will give notice and an opportunity to cure before termination.
Upon termination, your right to use the Service ends. For a period of 30 days following termination (except termination for serious AUP violations), you may export Customer Data using the Service's export features or by contacting support. After that period, we will delete Customer Data in accordance with our retention practices, except where retention is required by law. Sections 5 (license ends, responsibility survives), 7, 8, 11, 12, 13, and 14 survive termination.
11. Disclaimers
THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE". TO THE MAXIMUM EXTENT PERMITTED BY LAW, DOTENV DISCLAIMS ALL WARRANTIES AND CONDITIONS, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. WE DO NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR COMPLETELY SECURE, OR THAT DATA WILL NEVER BE LOST. SECRETS MANAGEMENT IS A COMPONENT OF, NOT A SUBSTITUTE FOR, YOUR OWN SECURITY PROGRAM, AND YOU REMAIN RESPONSIBLE FOR MAINTAINING BACKUPS AND APPROPRIATE OPERATIONAL SAFEGUARDS. SOME JURISDICTIONS DO NOT ALLOW CERTAIN WARRANTY EXCLUSIONS, SO SOME OF THE ABOVE MAY NOT APPLY TO YOU.
12. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY LAW: (A) NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR LOST PROFITS, REVENUE, GOODWILL, OR DATA, EVEN IF ADVISED OF THE POSSIBILITY; AND (B) DOTENV'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THE SERVICE OR THESE TERMS WILL NOT EXCEED THE FEES PAID BY CUSTOMER TO DOTENV IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM (OR CAD $100 IF NO FEES WERE PAID). THESE LIMITS DO NOT APPLY TO LIABILITY THAT CANNOT BE LIMITED UNDER APPLICABLE LAW, INCLUDING LIABILITY ARISING FROM FRAUD, WILFUL MISCONDUCT, OR GROSS NEGLIGENCE.
13. Indemnification
You will defend, indemnify, and hold harmless DotEnv and its officers, directors, employees, and agents from and against any claims, damages, liabilities, costs, and expenses (including reasonable legal fees) arising out of or related to: (a) Customer Data; (b) your use of the Service in violation of these Terms, the Acceptable Use Policy, or applicable law; or (c) your violation of any third-party right.
14. Governing Law and Jurisdiction
These Terms are governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, without regard to conflict of laws rules. The parties irrevocably submit to the exclusive jurisdiction of the courts located in Toronto, Ontario, except that either party may seek injunctive relief in any court of competent jurisdiction. The United Nations Convention on Contracts for the International Sale of Goods does not apply.
15. Export Controls and Sanctions
You may not use the Service in violation of Canadian, U.S., EU, or other applicable export control and sanctions laws, and you represent that you are not located in, or owned or controlled by parties in, embargoed or sanctioned jurisdictions, and are not on any restricted-party list.
16. General
Force majeure. Neither party is liable for delay or failure caused by events beyond its reasonable control.
Assignment. You may not assign these Terms without our consent; we may assign them in connection with a merger, acquisition, or sale of assets.
Severability; waiver. If any provision is unenforceable it will be modified to the minimum extent necessary, and the remainder stays in effect; failure to enforce is not a waiver.
Entire agreement. These Terms, together with the policies they incorporate and any applicable order form, are the entire agreement and supersede prior agreements regarding the Service.
Notices. We may give notice via the Service or email to your registered address; legal notices to us go to [email protected].
17. Changes to These Terms
We may update these Terms from time to time. For material changes we will provide at least 30 days' notice by email or in-app notice. Changes take effect on the stated effective date; continued use of the Service after that date constitutes acceptance. If you do not agree, you must stop using the Service before the changes take effect.
Cookie Policy
Last updated: June 12, 2026
1. What Cookies Are
Cookies are small text files placed on your device by a website. They are widely used to make websites work and to provide security and basic functionality.
2. The Cookies We Use
DotEnv always uses a small set of strictly necessary cookies. These are required for the Service to function: signing in, keeping your session active, and protecting against cross-site request forgery. Because we use no optional cookies, no cookie consent banner is required and none is shown.
| Cookie | Purpose | Duration |
|---|---|---|
| dotenvstaging_session | Identifies your authenticated session. | 2 hours (extended while active) |
| XSRF-TOKEN | Protects forms and requests against cross-site request forgery (CSRF). | 2 hours |
| remember_web_* | Keeps you signed in when you choose "remember me". | Until you sign out or it expires |
Session cookies are set with the HttpOnly and SameSite=Lax attributes, and with the Secure attribute over HTTPS.
3. What We Do Not Use
- No advertising or marketing cookies;
- No third-party analytics cookies (no Google Analytics or similar);
- No cross-site tracking, fingerprinting, or social media pixels.
4. Managing Cookies
You can block or delete cookies in your browser settings. Because all of our cookies are strictly necessary, blocking them will prevent you from signing in and using the Service.
5. Changes
If we ever introduce non-essential cookies, we will update this policy first and implement an appropriate consent mechanism before they are set. Questions: [email protected].
Data Processing Agreement
Last updated: June 12, 2026
1. Parties, Roles, and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between DotEnv Inc. ("DotEnv", the "Processor") and the customer organization ("Customer", the "Controller") and applies to the extent DotEnv processes personal data contained in Customer Data on Customer's behalf. For the personal data of registered users that DotEnv processes for its own purposes (account, billing, security), DotEnv acts as an independent controller as described in the Privacy Policy.
"Data Protection Laws" means all laws applicable to the processing of personal data under this DPA, including PIPEDA, Quebec Law 25, the EU and UK GDPR, and the CCPA/CPRA. Terms such as "personal data", "processing", "controller", and "processor" have the meanings given in those laws.
2. Details of Processing
- Subject matter: provision of the DotEnv secrets and environment variable management service.
- Duration: the term of the Terms of Service, plus the post-termination export and deletion period.
- Nature and purpose: encrypted storage, transmission, organization, versioning, audit logging, and retrieval of Customer Data as instructed through the Service.
- Categories of data subjects: Customer's employees, contractors, and other authorized users; individuals whose data appears in Customer Data.
- Categories of personal data: account identifiers of Customer's users (name, email, role); any personal data Customer chooses to include in stored secrets or configuration values. Customer should not store special categories of personal data in the Service.
3. Processor Obligations
DotEnv will:
- Process Customer Data only on Customer's documented instructions (the Terms, this DPA, and use of the Service's controls constitute such instructions), unless required by law, in which case DotEnv will inform Customer unless legally prohibited;
- Ensure persons authorized to process Customer Data are bound by confidentiality obligations;
- Implement and maintain the technical and organizational measures described in Annex B (consistent with GDPR Article 32);
- Assist Customer, taking into account the nature of processing, with data subject requests and with Customer's obligations regarding security, breach notification, and data protection impact assessments;
- Make available information reasonably necessary to demonstrate compliance with this DPA;
- Notify Customer without undue delay if it considers an instruction infringes Data Protection Laws.
4. Subprocessors
Customer provides general authorization for DotEnv to engage the subprocessors listed on the Subprocessors page. DotEnv will: (a) impose data protection obligations on subprocessors no less protective than this DPA; (b) remain liable for its subprocessors' performance; and (c) provide at least 30 days' advance notice of new subprocessors (via the Subprocessors page and/or email). Customer may object on reasonable data protection grounds within that period; if the parties cannot resolve the objection, Customer may terminate the affected services and receive a pro-rata refund of prepaid fees.
5. International Transfers
Customer Data is processed in Canada and the United States (and other locations listed on the Subprocessors page). Where transfers of EEA/UK personal data to third countries occur, the parties incorporate by reference the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), Module Two (controller-to-processor), with Customer as data exporter and DotEnv as data importer, and the UK International Data Transfer Addendum where UK GDPR applies. Annexes A and B of this DPA serve as the corresponding SCC annexes.
6. Personal Data Breach
DotEnv will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Data. The notification will describe, to the extent known, the nature of the breach, the categories and approximate volume of data and data subjects affected, likely consequences, and measures taken or proposed. DotEnv will cooperate with Customer's reasonable investigation and remediation efforts. Notification is not an admission of fault.
7. Audits
DotEnv will satisfy audit requests first through documentation, security descriptions, and available third-party reports. Where Data Protection Laws grant Customer a mandatory audit right that cannot be satisfied this way, Customer may conduct (directly or via an independent auditor bound by confidentiality) an audit of DotEnv's relevant processing facilities: maximum once per 12-month period, on at least 30 days' written notice, during business hours, without disrupting operations, and at Customer's expense.
8. Return and Deletion
During the term, Customer can export Customer Data using the Service's export features. Following termination, Customer has 30 days to export Customer Data, after which DotEnv will delete Customer Data within 60 days, except where retention is required by law. Where Customer uses client-managed encryption keys, DotEnv holds only ciphertext, and deletion of ciphertext (or Customer's destruction of its keys) renders the data permanently unreadable.
9. CCPA/CPRA Service Provider Terms
To the extent the CCPA/CPRA applies, DotEnv acts as a "service provider": it will not sell or share Customer personal information, will not retain, use, or disclose it for any purpose other than providing the Service (or as otherwise permitted by the CCPA/CPRA), and certifies that it understands these restrictions.
10. Liability and Order of Precedence
Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service, except where Data Protection Laws prohibit such limitation. In case of conflict, this DPA prevails over the Terms with respect to processing of personal data; the SCCs prevail over this DPA where they apply.
Annex A: Description of Processing
As set out in Section 2. Frequency: continuous, as initiated by Customer through the web application, API, CLI, and SDKs. Retention: per Section 8 and the plan's configured version-history and audit-log retention.
Annex B: Technical and Organizational Measures
- Encryption: Customer Data encrypted at rest with AES-256-GCM; TLS for data in transit; PBKDF2-based key derivation; optional client-managed (zero-knowledge) and hybrid key custody modes;
- Access control: organization-level isolation, role-based access control with custom roles, scoped API tokens with expiry, least-privilege internal access;
- Authentication: verified email accounts, hashed passwords, two-factor authentication (TOTP, email, SMS), trusted-device management;
- Auditability: audit logging of data-affecting actions, secret version history, API access metrics;
- Operations: hosted on established cloud infrastructure (AWS) behind Cloudflare; error monitoring; environment segregation; no payment card data stored by DotEnv;
- Resilience and lifecycle: managed backups by infrastructure providers, cascading deletion on account/organization removal, documented breach response per Section 6.
Enterprise customers requiring a countersigned DPA or negotiated terms: contact [email protected].
Acceptable Use Policy
Last updated: June 12, 2026
This Acceptable Use Policy ("AUP") governs use of the DotEnv Service and is incorporated into our Terms of Service. We may update it as the Service and threat landscape evolve.
1. Prohibited Uses
You may not use the Service to:
- Violate any applicable law or regulation, or facilitate someone else doing so;
- Store, manage, or distribute credentials, API keys, tokens, or other secrets belonging to third parties without their authorization, including stolen, leaked, or scraped credentials;
- Store or distribute malware, ransomware, command-and-control configurations, or material that supports unauthorized access to systems or data;
- Conduct security testing, penetration testing, vulnerability scanning, or load testing of the Service without our prior written authorization (see our Security Policy for responsible disclosure);
- Probe, interfere with, or disrupt the Service or other customers, including attempting to bypass authentication, access controls, plan limits, or organization isolation;
- Circumvent rate limits, usage metering, or seat counting, including by automated account creation or token sharing across organizations;
- Resell, sublicense, or provide the Service to third parties as a competing or white-labelled offering without a written agreement with us;
- Use the Service's infrastructure for unrelated workloads, such as cryptocurrency mining, proxying, or bulk data scraping;
- Send spam or communications that violate anti-spam laws (including CASL);
- Infringe the intellectual property, privacy, or other rights of any person;
- Misrepresent your identity or affiliation, or impersonate DotEnv staff.
2. API Fair Use
API, CLI, and SDK access is subject to the rate and usage limits of your plan. Automated access must use authenticated API tokens, respect rate-limit responses (HTTP 429), and implement reasonable backoff. We may throttle traffic that degrades the Service for others.
3. Enforcement
We may investigate suspected violations. Depending on severity, we may warn you, remove content, throttle or suspend access, or terminate the account. For serious violations (including security attacks, stolen credentials, or illegal content) we may suspend immediately without notice and may notify law enforcement where appropriate.
4. Reporting Abuse
To report a violation of this AUP, contact [email protected]. For security vulnerabilities, use [email protected] as described in our Security Policy.
Subprocessors
Last updated: June 12, 2026
DotEnv Inc. uses the third-party subprocessors below to provide the Service. Engagement of subprocessors is governed by Section 4 of our Data Processing Agreement: we impose equivalent data protection obligations on each subprocessor, remain responsible for their performance, and give at least 30 days' notice before adding a new subprocessor.
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, storage, and queueing | United States (US East) |
| Cloudflare | Content delivery, DDoS protection, network security | Global edge network |
| Stripe | Payment processing and subscription billing | United States |
| Paddle | Payment processing (alternative provider, where enabled) | United Kingdom / United States |
| PayPal | Payment processing (alternative provider, where enabled) | United States |
| Wise | One-time international payments (where enabled) | United Kingdom |
| Postmark (ActiveCampaign) | Transactional email delivery | United States |
| Twilio | SMS delivery for two-factor authentication | United States |
| Sentry (Functional Software) | Error and performance monitoring | United States |
| Slack | Operational notifications (where enabled by the customer) | United States |
Notification of Changes
We update this page at least 30 days before a new subprocessor begins processing Customer Data. To receive change notifications by email, contact [email protected] and ask to be added to the subprocessor notification list. Objection rights are described in the Data Processing Agreement.
Note: with client-managed encryption keys, Customer Content reaches our infrastructure subprocessors only in encrypted form.
Security Policy
Last updated: June 12, 2026
Security is the core of a secrets manager. This page describes the measures DotEnv applies to protect Customer Data. It is an overview, not a contractual warranty; contractual security commitments are in the Data Processing Agreement (Annex B).
1. Encryption
- At rest: all secrets are encrypted with AES-256-GCM (256-bit keys, 12-byte IV, 16-byte authentication tag) before storage;
- In transit: all traffic to the Service uses TLS;
- Key derivation: data keys are derived using PBKDF2;
- Authenticated encryption: GCM authentication tags ensure ciphertext cannot be tampered with undetected.
2. Key Custody Modes
- Server-managed: DotEnv generates and holds the encryption keys, which enables features such as server-side search and recovery;
- Client-managed (zero-knowledge): keys are derived and held on your side; encryption and decryption happen in your client (browser, CLI, SDK). DotEnv stores only ciphertext and cannot decrypt or recover your data, even if you lose your keys;
- Hybrid: layered encryption combining both custody models.
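Added example, not DotEnv's own code: a Node.js sketch of client-managed encryption using the parameters listed in Sections 1 and 2 (AES-256-GCM, 12-byte IV, 16-byte tag, PBKDF2-derived key), showing that a tampered blob or a wrong passphrase fails authentication instead of yielding plaintext. The function names, salt length, PBKDF2 hash and iteration count, blob layout, and the use of the variable name as associated data are assumptions made for illustration.

```javascript
// Added illustration; values marked ASSUMPTION are not stated in the policy.
const crypto = require('node:crypto');

const KEY_LEN = 32, IV_LEN = 12, TAG_LEN = 16;        // from the policy: 256-bit key, 12-byte IV, 16-byte tag
const SALT_LEN = 16;                                  // ASSUMPTION
const PBKDF2_ITERS = 600000, PBKDF2_HASH = 'sha256';  // ASSUMPTION

// The key is derived on the client; only the salt is stored beside the ciphertext.
function deriveKey(passphrase, salt) {
  return crypto.pbkdf2Sync(passphrase, salt, PBKDF2_ITERS, KEY_LEN, PBKDF2_HASH);
}

// Blob layout (ASSUMPTION): salt || iv || tag || ciphertext
function sealSecret(passphrase, name, value) {
  const salt = crypto.randomBytes(SALT_LEN);
  const iv = crypto.randomBytes(IV_LEN);              // fresh IV for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv,
                                       { authTagLength: TAG_LEN });
  cipher.setAAD(Buffer.from(name, 'utf8'));           // ASSUMPTION: bind ciphertext to its variable name
  const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
}

function openSecret(passphrase, name, blob) {
  if (blob.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error('blob too short');
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const ct = blob.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv,
                                           { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(name, 'utf8'));
  decipher.setAuthTag(tag);
  // final() throws when the tag does not verify, so no unauthenticated plaintext is returned.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// True when the blob decrypts and authenticates, false otherwise.
function tryOpen(passphrase, name, blob) {
  try { openSecret(passphrase, name, blob); return true; } catch { return false; }
}
```

Because the server in this model stores only the blob, losing the passphrase leaves nothing to recover from, which is the trade-off the client-managed mode describes.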
3. Access Control & Authentication
- Strict organization-level isolation of data;
- Role-based access control with system and custom roles, enforced by server-side authorization policies;
- Two-factor authentication: authenticator app (TOTP), email, and SMS; trusted-device management;
- Mandatory email verification; passwords stored only as one-way hashes;
- Scoped API tokens with configurable abilities and expiry; OAuth 2.0 with PKCE for authorized integrations.
4. Auditability
- Audit logs of data-affecting actions (who, what, when, before/after state), with plan-based retention and export;
- Secret version history with plan-based retention;
- API access metrics per token.
5. Infrastructure
- Hosted on Amazon Web Services, fronted by Cloudflare for DDoS protection and edge security;
- Payment card data is handled entirely by our payment processors; DotEnv never stores card numbers;
- Error monitoring (Sentry) configured to avoid capturing secret values.
6. Certifications
DotEnv does not currently claim SOC 2 or ISO 27001 certification. We aim to pursue independent attestation as the company grows; this page will be updated when that changes.
7. Responsible Disclosure
If you believe you have found a security vulnerability, email [email protected] with enough detail to reproduce the issue. Please do not access other customers' data, degrade the Service, or publicly disclose before we have had a reasonable opportunity to remediate.
We will not pursue legal action against good-faith security research that respects these rules. We do not currently operate a paid bug bounty program. Security testing of the Service beyond passive observation requires prior written authorization (see the Acceptable Use Policy).
8. Your Part
Security is shared: enable two-factor authentication, scope and rotate API tokens, restrict member roles to least privilege, protect client-managed keys (their loss is unrecoverable), and keep independent backups of critical configuration.
Service Level Agreement
Last updated: June 12, 2026
1. Scope
This Service Level Agreement ("SLA") applies only to organizations on a plan that includes the SLA feature (currently Business and Enterprise). It does not apply to free, trial, or beta usage, and it supplements the Terms of Service.
2. Uptime Commitment
We commit to a Monthly Uptime Percentage of 99.9% for the core Service: the web application, and the API endpoints used to read and write secrets.
Monthly Uptime Percentage = 100% − (minutes the core Service is Unavailable in the calendar month ÷ total minutes in that month × 100%). "Unavailable" means the core Service returns errors or fails to respond for reasons within our control, as measured by our monitoring.
3. Exclusions
Downtime caused by the following does not count as Unavailability:
- Scheduled maintenance announced at least 48 hours in advance (we target off-peak windows), or emergency maintenance required to protect security or integrity;
- Factors outside our reasonable control, including force majeure events, internet backbone failures, and outages of third-party providers (hosting, CDN, payment, email, SMS);
- Customer's own equipment, software, network, or misconfiguration;
- Use that violates the Terms of Service or Acceptable Use Policy, or traffic suspended for security reasons;
- Alpha, beta, preview, or early-access features.
4. Service Credits
| Monthly Uptime Percentage | Credit (% of monthly fee for the affected month) |
|---|---|
| Below 99.9% but at least 99.0% | 10% |
| Below 99.0% but at least 95.0% | 25% |
| Below 95.0% | 50% |
For annual subscriptions, the "monthly fee" is one-twelfth of the annual fee. Credits are applied against future invoices, are not refundable as cash, and do not apply to overage or one-time charges.
5. Claim Procedure
To claim a credit, email [email protected] within 30 days of the end of the affected month, including the dates, times, and duration of the incidents and any relevant logs. We will verify claims against our monitoring data and respond within 15 business days. Credits require an account in good standing (no overdue balance).
6. Sole Remedy
Service credits are your sole and exclusive remedy for any failure to meet this SLA. The maximum total credit in any month is 50% of that month's fee. This SLA does not modify the limitations of liability in the Terms of Service.
7. Changes
We may update this SLA with at least 30 days' notice; changes apply from your next renewal and will not reduce the uptime commitment for a period you have already paid for.