How DealRoom protects your data and your deals.
DealRoom handles sensitive M&A deal data, confidential business information, and personally identifiable information. Security is not an afterthought — it is built into every layer of the platform. Below is an overview of the measures we take to protect your data.
Encryption
In Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. This includes API requests, document uploads and downloads, authentication tokens, and real-time data synchronization. We enforce HTTPS on all endpoints with no fallback to unencrypted connections.
At Rest
All data stored in our database and file storage is encrypted at rest using AES-256 encryption provided by our infrastructure partners. This includes deal documents, user profiles, chat messages, NDA records, and all other stored data.
Authentication
- OAuth 2.0 — users can sign in via Google or LinkedIn, leveraging the security infrastructure of those identity providers. No passwords are stored on our systems for OAuth users.
- One-Time Passwords (OTP) — for email and SMS-based verification, we generate cryptographically random one-time codes with short expiration windows and attempt limits to prevent brute-force attacks.
- Session management — authenticated sessions are managed with secure, HTTP-only tokens. Sessions expire automatically after periods of inactivity.
- Passwordless by default — DealRoom uses passwordless authentication exclusively, eliminating the risk of password reuse, weak passwords, and credential stuffing attacks.
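The OTP properties listed above (random code, short expiry, attempt limit, single use) look like this in a minimal Node.js sketch. This is an added example, not DealRoom's code; the 5-minute window, the 5-attempt cap, the in-memory store and all function names are assumptions.

```javascript
const { randomInt, createHash, timingSafeEqual } = require("node:crypto");

// Assumed policy values; the page says only "short" windows and "attempt limits".
const OTP_TTL_MS = 5 * 60 * 1000;
const MAX_ATTEMPTS = 5;

const sha256 = (s) => createHash("sha256").update(s).digest();

// Hypothetical in-memory store keyed by email or phone; a real service uses a database.
const pending = new Map();

function issueOtp(subject, now = Date.now()) {
  // randomInt draws from the CSPRNG without modulo bias.
  const code = String(randomInt(0, 1_000_000)).padStart(6, "0");
  // Keep a digest rather than the code. With only 10^6 values this is hygiene;
  // the expiry and the attempt cap are what bound guessing.
  pending.set(subject, {
    digest: sha256(`${subject}:${code}`),
    expiresAt: now + OTP_TTL_MS,
    attempts: 0,
  });
  return code; // delivered out of band (email or SMS)
}

function verifyOtp(subject, code, now = Date.now()) {
  const entry = pending.get(subject);
  if (!entry) return "no_code";
  if (now >= entry.expiresAt) {
    pending.delete(subject);
    return "expired";
  }
  // Once locked, even the correct code is refused until a new one is issued.
  if (entry.attempts >= MAX_ATTEMPTS) return "locked";
  entry.attempts += 1; // count before comparing so every guess is charged
  const ok = timingSafeEqual(entry.digest, sha256(`${subject}:${String(code)}`));
  if (!ok) return entry.attempts >= MAX_ATTEMPTS ? "locked" : "invalid";
  pending.delete(subject); // single use
  return "ok";
}
```

Because issuing a new code resets the counter, the issuing endpoint needs its own rate limit for the attempt cap to hold.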
Access Controls
Role-Based Access Control (RBAC)
The platform enforces strict role-based access at every layer. Advisors, buyers, sellers, and contributors each have distinct permission sets. Organization members are further segmented into owner, admin, and member roles with progressively restricted capabilities.
Funnel-Based Gating
Access to deal materials is controlled through a structured progression model. Buyers must complete each step (identity verification, NDA signing, etc.) before accessing the next level of confidential information. This ensures that sensitive data is only revealed to verified, committed participants.
Document-Level Controls
Advisors can configure granular document access policies per deal, including download restrictions, print restrictions, copy prevention, dynamic watermarking (with viewer email and timestamp), and fence-view protection. Every document access, download, and print event is logged with a full audit trail.
Fraud Detection
DealRoom integrates with IPQualityScore (IPQS) to detect and prevent fraudulent access:
- IP analysis — every engagement is checked for VPN, proxy, Tor, and bot activity. Suspicious IP addresses are flagged and risk scores are calculated.
- Email validation — email addresses are checked for disposability, honeypot status, spam trap flags, and deliverability.
- Phone verification — phone numbers are validated for activity status, line type, and spam history.
- Device fingerprinting — browser fingerprints and visitor IDs help identify returning users and detect account sharing or multi-account abuse.
- Risk scoring — each deal engagement receives a composite risk score. Advisors can see risk flags and take action on suspicious buyers before granting access to sensitive materials.
NDA and Signature Integrity
- Electronic signatures include content hashing (SHA-256) to detect any tampering with the signed document.
- Each signature record captures the signer's IP address, user agent, identity provider, and precise timestamp.
- Signed NDA PDFs are generated and stored immutably for legal reference.
- NDA records are retained for 7 years to satisfy legal compliance requirements.
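A sketch of the signature record described above: a SHA-256 hash of the signed bytes stored with the signer's IP address, user agent, identity provider and timestamp. This is an added example, not DealRoom's code; the field names and sample data are constructed, and the HMAC seal over the record goes beyond what the page states, added here because an unkeyed hash cannot reveal edits to the record itself.

```javascript
const { createHash, createHmac, timingSafeEqual } = require("node:crypto");

const sha256Hex = (bytes) => createHash("sha256").update(bytes).digest("hex");

// Fixed field order so the sealed bytes are reproducible at verification time.
const FIELDS = ["contentHash", "ip", "userAgent", "identityProvider", "signedAt"];
const canonical = (rec) => JSON.stringify(FIELDS.map((f) => [f, rec[f]]));
const seal = (rec, key) => createHmac("sha256", key).update(canonical(rec)).digest("hex");

function createSignatureRecord(ndaBytes, signer, signedAt, key) {
  const rec = {
    contentHash: sha256Hex(ndaBytes), // hash of the exact bytes that were signed
    ip: signer.ip,
    userAgent: signer.userAgent,
    identityProvider: signer.identityProvider,
    signedAt: signedAt.toISOString(),
  };
  return Object.freeze({ ...rec, seal: seal(rec, key) });
}

function verifySignatureRecord(record, storedBytes, key) {
  const expected = Buffer.from(seal(record, key), "hex");
  const given = Buffer.from(String(record.seal), "hex");
  const recordIntact = given.length === expected.length && timingSafeEqual(given, expected);
  const documentIntact = sha256Hex(storedBytes) === record.contentHash;
  return { recordIntact, documentIntact };
}

// Constructed sample data; the key is assumed to be held outside the datastore.
const KEY = Buffer.from("demo-key-held-outside-the-datastore");
const NDA = Buffer.from("Mutual NDA v1: the parties agree to keep deal materials confidential.");
const SIGNER = { ip: "203.0.113.7", userAgent: "ExampleBrowser/1.0", identityProvider: "google" };

function demo() {
  const record = createSignatureRecord(NDA, SIGNER, new Date("2024-01-15T10:30:00Z"), KEY);
  // One character changed in the document; one field changed in the record.
  const editedDoc = Buffer.from(NDA.toString().replace("confidential", "confidentiaI"));
  const backdated = { ...record, signedAt: "2023-01-15T10:30:00.000Z" };
  return {
    clean: verifySignatureRecord(record, NDA, KEY),
    editedDoc: verifySignatureRecord(record, editedDoc, KEY),
    backdated: verifySignatureRecord(backdated, NDA, KEY),
  };
}
```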
Data Handling Practices
- Data minimization — we collect only the data necessary to provide the Service and detect fraud.
- Field stripping — internal analytics fields, risk scores, and advisor-only data are automatically stripped from API responses sent to non-authorized callers, ensuring buyers never see internal classifications.
- Rate limiting — API endpoints enforce per-user and per-deal rate limits to prevent abuse and denial-of-service attacks.
- Input validation — all user inputs are validated for type, length, and format before processing. URL fields, IP addresses, and file uploads are subject to strict format and size constraints.
- Data export and deletion — users can export all their personal data or request account deletion in compliance with GDPR and CCPA. See our Privacy Policy for details.
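One way to implement the field stripping described above is a per-role allowlist applied when a response is serialized, so a field added later stays hidden until someone lists it. This is an added example, not DealRoom's code; the role names, field names and sample record are hypothetical.

```javascript
// Per-role allowlists: a field is returned only if it is listed for the caller's role.
// `true` returns the value unchanged, so use it for scalar fields only.
const VISIBLE_FIELDS = {
  advisor: {
    id: true, dealName: true, stage: true, riskScore: true, riskFlags: true,
    buyer: { name: true, email: true, fraudScore: true, advisorNotes: true },
  },
  buyer: {
    id: true, dealName: true, stage: true,
    buyer: { name: true, email: true },
  },
};

// Recursively copy only allowlisted keys; anything unlisted is dropped.
function project(value, shape) {
  if (shape === true) return value;
  if (Array.isArray(value)) return value.map((v) => project(v, shape));
  if (value === null || typeof value !== "object") return undefined;
  const out = {};
  for (const [key, sub] of Object.entries(shape)) {
    if (!Object.hasOwn(value, key)) continue;
    const projected = project(value[key], sub);
    if (projected !== undefined) out[key] = projected;
  }
  return out;
}

function serializeEngagement(engagement, role) {
  // Object.hasOwn keeps inherited names such as "constructor" from matching a role.
  const shape = Object.hasOwn(VISIBLE_FIELDS, role) ? VISIBLE_FIELDS[role] : null;
  if (!shape) throw new Error(`no response shape for role: ${role}`); // fail closed
  return project(engagement, shape);
}

// Constructed sample record. `internalSegment` is in no allowlist, standing in
// for an internal field added after the allowlists were written.
const SAMPLE = {
  id: "eng_1", dealName: "Project Falcon", stage: "nda_signed",
  riskScore: 82, riskFlags: ["vpn"], internalSegment: "tier-3",
  buyer: { name: "A. Buyer", email: "buyer@example.test", fraudScore: 91, advisorNotes: "call first" },
};
```

A denylist would have returned `internalSegment` to buyers until someone remembered to block it; the allowlist withholds it from every role by default.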
Infrastructure
- Convex — our backend and database are hosted on Convex's cloud platform, which provides automatic scaling, real-time data synchronization, transactional guarantees, and encrypted storage. Convex maintains SOC 2 compliance.
- Vercel — our frontend is deployed on Vercel's edge network, providing global CDN distribution, DDoS protection, and automatic HTTPS certificate management.
- Stripe — all payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. No card data touches our servers.
Audit Logging
All significant platform events are logged with timestamps, actor identification, IP addresses, and action details. This includes document access, NDA signatures, buyer progression steps, admin actions, and data modifications. Audit logs are retained for 24 months and are available to organization administrators through the deal activity feed.
Vulnerability Reporting
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly by contacting us at:
hello@dealroom.so
Please include a detailed description of the vulnerability, steps to reproduce it, and the potential impact. We commit to acknowledging receipt within 48 hours and providing a timeline for remediation. We ask that you give us reasonable time to address the issue before public disclosure.
Questions
For questions about our security practices, contact us at hello@dealroom.so.