
Trust Center
How DeelTrix protects your data room with encryption, granular access, and operational controls—built for due diligence.
Our Security Posture
Clear controls for confidentiality, integrity, and availability
Encryption
Data is encrypted in transit (TLS 1.2+) and at rest using AES-256 (or equivalent). Key management via provider KMS with rotation ≤90 days and access gated by MFA/JIT; all access is audit-logged.
Access Controls
Granular RBAC (Owner, Admin, Contributor, Viewer) at room/folder/file level; view-only modes, download/print blocks, and instant user removal.
Leak Deterrence
Dynamic watermarks with Email + Timestamp to discourage screenshots and redistribution (configurable per room).
Segregation
Logical tenant separation; least-privilege internal access; production access gated by strong authentication and change control.
Auditability
Event logs for access, views, downloads, and Q&A. Heatmaps and time-on-page analytics per page and per file.
Operational Readiness
Daily snapshots + point-in-time recovery; quarterly restore tests; documented incident runbooks; deletion supported upon request subject to backup aging.
Security Controls
Designed for VDR confidentiality with practical safeguards
Identity & Authentication
- 2FA via Email OTP
- Admins can enforce 2FA per room/tenant; the recommended default is to keep 2FA enabled for admin accounts
- Sessions: 8-hour idle timeout, 30-day refresh; tokens are revoked on password or role change
- SSO is not required
Authorization
- RBAC: Owner, Admin, Contributor, Viewer
- Document-level permissions for buyer groups (M&A)
- Download/print blocks available
- Link expiry: default 7 days (configurable); admins can revoke at any time
Data Protection
- TLS 1.2+ in transit; encrypted storage at rest (AES-256)
- Watermarks (Email + Timestamp; configurable)
- EU-only primary storage (eu-west-1)
Logging & Monitoring
- Logins, file views, time-on-page, downloads, Q&A events
- Optional admin alerts at the document level
- Log retention: 90 days (Standard), up to 1 year (Premium)
Data Retention & Deletion
- Room data retained until owners delete or per policy
- Backups age out on a rolling 35-day schedule
- Deletion on request via support (see below)
Customer/Processor Roles
- Role: Customers are the Data Controller; DeelTrix is the Data Processor for customer content
- Data residency: EU (eu-west-1). Certain operational telemetry/notifications may be processed under SCCs where required
Application Security
Secure development lifecycle and vulnerability management
Secure SDLC
- All changes peer-reviewed
- CI checks include dependency/security scanning
- Infrastructure/configuration as code
Vulnerability Management
- Tracked remediation with severity-based SLAs
- Periodic third-party penetration testing; executive summaries available under NDA
Platform Hardening
- Security headers & Content Security Policy
- Abuse/rate-limit controls and WAF
- Strict file-type handling and sandboxed previews
Infrastructure
Modern cloud stack and EU-only residency
Cloud Hosting
Supabase (SOC 2 compliant) provides managed Postgres and Storage. Primary data region: eu-west-1. Residency: EU-only.
Database & Storage
Postgres via Supabase; object storage via Supabase Storage. Encryption at rest; TLS in transit; provider KMS with key rotation.
Backups & Access
Backups: daily snapshots + point-in-time recovery; retention 35 days; restore tests quarterly. Production access limited to ≤3 named admins with MFA/JIT and audit logging.
Availability & DR
Reliability targets and incident communication
Monitoring
24×7 monitoring and on-call; P1 alerts page the on-call engineer within 5 minutes; escalation runbooks are maintained.
Disaster Recovery
RTO: 4 hours. RPO: 15 minutes. DR procedures exercised regularly.
Status & Uptime
Uptime target: 99.9% monthly.
How we notify: In-app banner and email to tenant admins for major incidents.
Uptime history: Admins can request this on demand.
Privacy, Data Location & DPA
We minimize what we collect and give you control
Privacy
- We process customer data solely to provide the service (Processor).
- Admins control retention and can request deletion; backups age out in 35 days.
- Data subject requests (GDPR) supported via email; SLA 30 days.
See our Privacy Policy.
DPA, SCCs & Requests
DPA available—email support@deeltrix.com with subject “Security Request”. SCCs are used where required for cross-border transfers. For privacy queries/DSR, email support@deeltrix.com (SLA: 30 days).
Sub-processors
Vendors we use to deliver the service. We list providers that may process customer content or personal data.
Last updated:
Vendor | Purpose | Data Processed | Access to Customer Content | Location/Region | Transfer Mechanism | Retention | Notes
---|---|---|---|---|---|---|---
Supabase | Managed Postgres & Storage | Customer content, metadata, logs | Yes — encrypted customer content is stored/processed (DB & object storage) in the EU (eu-west-1); no routine human access; support-only under DPA with least-privilege, audit logging, and MFA/JIT controls. | EU (eu-west-1) | DPA; SCCs if required | Backups on rolling schedule (35 days) | Encryption at rest; TLS in transit; SOC 2 compliant platform
We’ll notify customers in advance of any material changes to this list.
Responsible Disclosure & Incidents
Security is a partnership—contact us below
Report a Vulnerability
Good-faith research within these guidelines is authorized. Please avoid accessing data that isn’t yours.
- Email: support@deeltrix.com
- Acknowledgement target: within 2 business days
- Breach notification: without undue delay and within legal timelines (e.g., GDPR)
Incident Response
We triage, contain, and notify affected customers per contract and law. Post-incident summaries are available on request.
Certification Roadmap
We’re transparent about where we’re headed
Program Maturity
Policy reviews, vendor risk management, and security exercises continue to expand.
External Testing
Periodic third-party penetration testing; executive summaries can be shared under NDA.
SOC 2 (Planned)
We are SOC 2 Ready and plan to pursue formal attestation. Timeline shared during diligence.