Trust posture

Built for institutional compliance, by default.

Independent audits, regional data residency and tenant-isolated encryption. Every architectural decision assumes a regulated counterparty and a bet-the-firm data room.

Certifications

Independent attestation, annually.

SOC 2 Type II (renewed Q1 2026)
ISO 27001:2022 (renewed Q1 2026)
ISO 27017 (renewed Q1 2026)
GDPR · DPA (renewed Q1 2026)

By layer

Defense in depth.

Application

Per-document permissions, per-viewer watermarking on every view, audit beacons, IP allowlists per workspace, SSO + SCIM.

Identity

MFA enforced for all users by default. SSO via SAML & OIDC. SCIM provisioning. Optional FIDO2 hardware keys.

Data at rest

AES-256 envelope encryption. Customer-managed keys via KMS on Enterprise. Per-workspace key isolation and quarterly rotation.

Data in transit

TLS 1.3 minimum. HSTS preload + certificate pinning. Mutual TLS for service-to-service traffic inside the VPC.

Infrastructure

Row-level security (RLS) isolation at the database layer, so even a careless application query cannot leak data across firms. Multi-AZ. Daily snapshots, 35-day retention.

Operations

Background checks for engineering. Production access via short-lived SSO tokens. Every production query logged.

Data residency

Your data stays in region.

Each workspace pins to a region. Customer data is resident in Frankfurt, Virginia, São Paulo or Singapore — writes commit only to the home region. Sub-processors are disclosed and DPA-ready, with customer-managed encryption keys available on Enterprise.

PRIMARY
Frankfurt · eu-central-1
EU production traffic by default.

AMERICAS
Virginia · us-east-1
United States · New York law NDAs.

LATAM
São Paulo · sa-east-1
Brazil · LGPD · Portuguese-language NDA.

APAC
Singapore · ap-southeast-1
Singapore · Japan · APAC mandates.

Trust portal

Reports & evidence, under NDA.

Current audit reports, certificates and our data-processing addendum are available to qualified counterparties under NDA. Request any artefact and our security team responds within two business days.

Responsible disclosure

Found a vulnerability?

Email security@dealflou.com with reproduction steps. We acknowledge within 24 hours and ship a fix or mitigation within 7 days for any confirmed issue. Bounties are paid for findings beyond reproducer scope.
