Trust & Security

How Dealdrum protects your deals.

The deals on Dealdrum are sensitive — government award letters, financial statements, beneficial-ownership documents. Here is exactly how that data is stored, who can read it, and what you control.

Hosting & encryption

The primary database and document storage run on Supabase (eu-west-2, London region). Data is protected with TLS 1.2+ in transit and AES-256 at rest, on SOC 2 Type II infrastructure.

Verified · 2026

Row-level access control

Every internal table — workflow history, role tasks, verification findings, investment memos — is gated by Postgres row-level security. Operators see internals; originators see only their own deals; investors see only what's been shared with them.

Private document storage

Uploads go to private buckets — never a public URL. Documents are served through short-lived signed links scoped to the deal's authorized parties.

Originator-controlled revocation

You decide who reads your deal documents — and you can take that access back at any time, even after a deal closes. Revocation is one click, with an audit-trail entry.

You control this

Full audit trail

Every stage change, document upload, requirement edit, verification action, and underwriting decision is recorded with timestamp and actor. Originators see their own deal trail; operators see the full history.

Operator controls

The Dealdrum backoffice is role-gated and 2FA-eligible. The classification engine and Supabase edge functions use service credentials — never your investor's session — and every backend action is logged.

Want the full security policy?

A SOC 2 summary, sub-processor list, incident-response playbook, and pen-test history are available on request.


Frequently asked

Where is the data physically hosted?

Supabase's eu-west-2 (London) region. Primary Postgres database, document storage buckets, and edge-function compute all run inside that region. We do not replicate to non-EU regions.

Who at Dealdrum can read uploaded deal documents?

Operators with an active backoffice session can read documents on deals routed through Dealdrum's review or verification stages. Service-role credentials used by the classification edge function can read documents during processing only. Every read is logged.

What happens to my documents after a deal closes or is rejected?

Documents stay in your originator workspace by default — you retain control. You can revoke access from any investor who saw them, archive the deal, or request permanent deletion. Audit records are retained for compliance, but the underlying documents follow your instruction.

Do you support BYO-key encryption or a dedicated tenant?

Not on the standard plan. For larger institutional originators or investors, dedicated tenancy and customer-managed keys are on the roadmap and available on a custom engagement — talk to us.

How do you handle a security incident?

Dealdrum follows a documented incident-response playbook: detection, containment, customer notification within 72 hours of a confirmed breach, and a post-incident report. The playbook is available on request.