Security
Security at DunOps
DNS is load-bearing. Deployments are load-bearing. We treat your credentials and your data like they could end your week if we lost them — because they could.
Encrypted at rest
All workspace data — including provider credentials and OAuth tokens — is encrypted at rest using AES-256.
TLS in transit
Every request between your browser, our API, and connected providers travels over TLS 1.2+. No exceptions.
Per-workspace scoping
Provider credentials are isolated per workspace. A token added in one workspace is invisible to every other workspace.
Read-only by default
New provider connections start in read-only mode. Write scopes are explicit, granular, and revocable from settings.
Full audit log
Every approval, plan, and write the agent makes is recorded with actor, timestamp, and diff — exportable any time.
Backups & recovery
Encrypted database backups run continuously with point-in-time recovery for the last 7 days.
What Dun can & can't do
The agent is powerful, but bounded. These are the rails — they exist in code, not just in policy.
Dun can
- Read your DNS records, domains, and deployment metadata from connected providers
- Propose changes (the agent always drafts a diff and waits for your approval)
- Apply approved writes to providers using the credentials you've authorized
- Record every action in your workspace audit log
Dun cannot
- Apply DNS or infrastructure changes without an explicit human approval
- Use your workspace data to train AI models
- Access workspaces you haven't been added to
- Read raw card details — billing is handled by our payment processor
- Bypass provider permissions you haven't granted
Report a vulnerability
Found a security issue? We'd rather hear from you than read about it later. Send the details to security@Dun.dev — we acknowledge within one business day and respond with a triage update within three.
We do not currently run a paid bounty program, but we publicly credit responsible reporters in our changelog.