Learn How You Work
Decision Brief
Meetings
People
Reply Drafting
Smart Scheduling
Learn How You Work
Decision Brief
Meetings
People
Reply Drafting
Smart Scheduling
Learn How You Work
Decision Brief
Meetings
People
Reply Drafting
Smart Scheduling
Learn How You Work
Decision Brief
Meetings
People
Reply Drafting
Smart Scheduling

Security

How we protect your data.

Last updated February 20, 2026

Overview

Dispatch is an AI chief of staff that works inside your existing tools to help with inbox triage, reply drafting, scheduling, and context management. Because these use cases involve sensitive executive communications, security and privacy are core to our product design.

This page summarizes our security program. For full details on how we handle personal information, see our Privacy Policy. This page applies to the Dispatch Services, including our website and application, and the systems we use to operate them.

Security program approach

We design our security program around two practical goals:

  1. Reduce the likelihood of unauthorized access, use, or disclosure.
  2. Reduce impact through monitoring, incident response, and recovery.

We use recognized frameworks as reference points. Our program is structured around the NIST Cybersecurity Framework (CSF) 2.0 lifecycle: Govern, Identify, Protect, Detect, Respond, and Recover. Because Dispatch uses AI to process user-authorized data, we also incorporate AI-specific risk management concepts including accountability, transparency, privacy-enhancing practices, and human oversight.

Technical safeguards

Encryption in transit and at rest

All data in transit is encrypted with TLS 1.3. Data at rest is encrypted with AES-256 via our database provider (Convex), including all backups.

Access control and least privilege

Production access is restricted to authorized personnel and systems using role-based access control (RBAC) and least-privilege principles. Administrative access requires multi-factor authentication.

Secrets management

Integration tokens and credentials are stored in a secure secrets store and rotated where supported. OAuth tokens are encrypted at rest and never logged in plaintext.

Monitoring and alerting

We log security-relevant events and monitor for suspicious activity. Alerting is configured for anomalous access patterns, authentication failures, and infrastructure changes.

Secure development practices

We apply secure coding practices, code review, and dependency scanning. Our web application security approach is informed by OWASP guidelines, including protection against injection, authentication weaknesses, and access control vulnerabilities.

Vulnerability management

We prioritize risk-based remediation and maintain a process for triaging and patching security issues. We engage third-party penetration testing to validate our controls.

Meeting recording security

When you use Dispatch’s notetaker feature to record meetings, audio is stored locally on your device. Audio transmitted to transcription providers for processing is sent over TLS-encrypted connections. Transcripts and summaries are processed via AI providers under the same contractual protections that apply to all Customer Content.

Organizational safeguards

Security policies and training

We maintain documented security policies and train team members on secure handling of sensitive information, including data classification, incident reporting, and access management.

Vendor and subprocessor management

We use vetted service providers for hosting and operational tooling, and require contractual protections. Our provider categories include AI model providers, transcription services, email delivery, and error monitoring. We remain accountable for protecting information while it is processed by third parties, and use contractual safeguards to ensure a comparable level of protection. A detailed subprocessor list is available on request.

Integration security and Google OAuth

If you connect Google services:

  • We request the minimum permissions required for the features you enable.
  • We disclose what data we access and why in our Privacy Policy.
  • For sensitive and restricted scopes, we follow Google’s “Limited Use” constraints on how data may be used and transferred, and we comply with secure handling expectations including security assessment requirements where applicable.
  • You can revoke access at any time in your Google account settings. We stop accessing Google data after revocation, subject to short technical delays.

AI-specific security controls

AI assistants that process inbox and calendar data introduce unique considerations. Our program addresses these directly:

Human oversight and user control

Dispatch defaults to “draft and suggest” rather than “act.” AI Features produce drafts for your review before any action is taken.

Dispatch also offers an opt-in automation mode in which actions can be triggered by incoming emails or executed on a schedule by AI agents. Automation requires explicit user activation and configuration. All automated actions are recorded in audit logs that users can review at any time.

Scope limitation

We apply least privilege not just to staff access but also to what connected data and time windows are processed for a given user request. AI Features access only the data necessary to fulfill your specific request.

Training-data boundaries

Customer Content is not used to train shared or general-purpose AI models. We maintain isolation between customers and do not permit cross-customer model training. Our AI model providers are contractually prohibited from using your data for their own training purposes.

Data minimization for AI

We avoid retaining sensitive content longer than necessary. Where possible, we use short-lived processing and store only what is needed for user-facing functionality.

Incident response and breach notification

We maintain an incident response process to detect, contain, investigate, and remediate security incidents, aligned with the NIST CSF “Respond” and “Recover” functions.

  • We assess incidents involving personal information for risk of harm and follow applicable notification requirements, including PIPEDA’s “real risk of significant harm” threshold.
  • We maintain breach records as required by law and document corrective actions.
  • We notify affected customers and users without unreasonable delay when required, and provide guidance on mitigation steps.

Data residency and cross-border processing

Dispatch is based in Canada. Our cloud infrastructure is hosted in North America. We may rely on service providers that process data in Canada and the United States. We remain accountable for protecting information and use contractual safeguards to ensure comparable protection during third-party processing.

A list of subprocessors and primary processing regions is available on request for enterprise customers.

Vulnerability reporting

If you believe you have found a security vulnerability, please report it to security@dispatch.am.

We support responsible disclosure and ask that you:

  • avoid accessing or modifying user data beyond what is necessary to demonstrate the issue;
  • provide enough detail for us to reproduce and fix the issue; and
  • allow reasonable time for remediation before public disclosure.

We will not pursue legal action against security researchers who follow these guidelines and report vulnerabilities in good faith.

Questions?

If you have questions about this page, contact us at security@dispatch.am.

Dispatch Inc. · 460 Doyle Ave, Kelowna, BC V1Y 0C2, Canada