Trust centre

Security, compliance, and data protection.

Everything institutional buyers need to evaluate DealSafi’s security posture, compliance certifications, and data handling practices. If it is not here, email trust@dealsafi.ai.

Certification status

Where we are in the certification journey

SOC 2 Type II (in progress)

Observation period active covering all five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Observation started: Month 3
Auditor: Prescient Assurance
Report expected: Q4 2025
ISO 27001:2022 (in progress)

Information Security Management System (ISMS) implemented and operational. Stage 1 audit complete. Stage 2 audit scheduled.

Stage 1 audit: Complete
Stage 2 audit: Month 13
Certificate expected: Q1 2026
Cyber Essentials Plus (active)

UK government-backed certification covering firewalls, secure configuration, access control, malware protection, and patch management.

Status: Certified
Renewal: Annual
GDPR Compliant (active)

GDPR Art. 28 Data Processing Agreement published. EU representative appointed under Art. 27. Two DPIAs completed. DPO appointed.

DPA published: Yes
EU Art. 27 Rep: Appointed
Transfer mechanism: SCCs Module 2
Kenya KDPA Registered (active)

Registered with the Office of the Data Protection Commissioner (ODPC) of Kenya under the Data Protection Act 2019.

ODPC registration: Active
Data subject rights: 21-day response
Annual Penetration Test (active)

Independent penetration test covering web application, API layer, and AWS infrastructure. All critical and high findings remediated before customer onboarding.

Scope: Web + API + Infra
Frequency: Annual minimum

Security architecture

How we protect your deal data

Encryption

At rest: AES-256
In transit: TLS 1.3 minimum
Key management: AWS KMS (per-customer)
Privileged docs: Separate partition

Data isolation

Database: PostgreSQL RLS per deal
Object storage: S3 per-deal prefix + IAM
Audit chain: S3 Object Lock WORM
Enterprise isolation: KMS CMK per account

Access control

MFA: Required for all users
SSO / SAML 2.0: Enterprise + Portfolio tiers
RBAC roles: 11 roles across 4 tiers
DealSafi staff access: Zero standing access

Infrastructure

Cloud provider: AWS (US-EAST-1)
EU data residency: AWS EU-WEST-1
Uptime SLA: 99.5% to 99.9%
Monitoring: Datadog 24/7

Sub-processors

Who processes your data on our behalf

We provide 30 days’ notice of any new sub-processor addition. To object to a new sub-processor, contact legal@dealsafi.ai.

Sub-processor | Location | Transfer mechanism | Purpose
Amazon Web Services | USA / EU | AWS DPA + SCCs | Cloud infrastructure, compute, storage, KMS key management, S3 object storage, Object Lock audit chain
Anthropic | USA | SCCs Module 2 | AI document extraction and classification from VDR documents. No data retained for model training.
Datadog | USA / EU | SCCs Module 2 | Application monitoring, logging, security alerting, and performance tracking
Stripe | USA / EU | SCCs Module 2 | Payment processing for subscription billing
Postmark | USA | SCCs Module 2 | Transactional email delivery (notifications, alerts, reports)

Vulnerability disclosure

Responsible disclosure policy

DealSafi operates a responsible disclosure programme. If you discover a security vulnerability in our platform or website, we ask that you report it to us before making it public.

We commit to: acknowledging your report within 2 business days; keeping you informed of our progress; not taking legal action against researchers acting in good faith; and giving credit in our security acknowledgements (if desired).

Please do not access, modify, or delete data that does not belong to you. Do not perform actions that could affect service availability.

Documentation available on request

What we share with qualified buyers

SOC 2 Type II Report

Available under NDA to customers and qualified prospects. Expected Q4 2025.

Penetration test executive summary

Scope, methodology, and finding summary. Available under NDA. Full report available to Enterprise and Portfolio customers.

Data Processing Agreement

GDPR Art. 28 DPA including SCCs Module 2, sub-processor list, and technical measures schedule. Available immediately.

Security questionnaire responses

CAIQ, SIG Lite, and custom questionnaires completed within 5 business days for qualified prospects.

Incident response

What happens if something goes wrong

Detection

Datadog monitors all systems 24/7. Anomaly detection alerts the on-call engineer within minutes. All alerts are logged to an incident record.

Target: < 15 minutes detection

Containment and notification

Affected systems isolated. Customer notification within 24 hours of confirmed breach. GDPR supervisory authority notification within 72 hours if required.

GDPR Art. 33 compliant

Recovery and post-incident

Systems restored from clean backups. Post-incident report shared with affected customers within 14 days. Root cause and remediation documented.

Full transparency policy

Questions about our security posture?

Our trust team responds to security enquiries within one business day. We complete standard security questionnaires within five business days.

Email trust@dealsafi.ai