Security

How DueTrail protects your data and your customers.

This page describes the current product controls at launch — intentionally about how the product behaves in practice, not certification language.

Data & compliance

GDPR-aware data handling

Workspace data is scoped per organisation. Users can request data export and account deletion. Privacy policy and DPA are available.

EU-friendly infrastructure

Application and database infrastructure hosted within European regions. No customer data is transferred outside the EU by default.

Hosted billing

Payment details are processed by Paddle (merchant of record). DueTrail never stores credit card numbers or payment credentials.

Security controls

Workflow-level controls that prevent accidental sending and keep access scoped.

New workspaces begin in review mode so customers are not contacted until your team explicitly goes live.

Business data is scoped per organisation and sensitive customer actions stay restricted to the correct workspace context.

Customer portal links are designed for narrow, invoice-level actions rather than broad access to workspace data.

Manual sends, promises, notes, imports, and billing state changes are all visible as a clear operational history.

Checkout, payment methods, renewals, and cancellation management live inside the billing provider flow instead of custom card forms.

Owner and admin actions stay separate from daily collection work so risky controls remain obvious and reviewable.

Before anything goes live

Every workspace starts safe. Your team imports, previews, and tests before any customer is contacted.

Imports create paused cases — zero emails on day one.

Live sending requires an explicit activation step.

The first live reminder is always manual and confirmed.

Promises, notes, and sends stay visible in the timeline.

Questions about security, data handling, or compliance? support@duetrail.com