Trust Center: DeelTrix

Trust Center

How DeelTrix protects your data room with encryption, granular access, and operational controls—built for due diligence.

Last updated: Aug 25
We’re SOC 2 Ready. This page details current controls and our roadmap.
  • GDPR Compliant
  • SOC 2 Ready
  • Encryption in Transit & At Rest
  • 2FA (Email OTP)
  • Audit Logs & Access Trails
  • Watermarking & Download Controls

Our Security Posture

Clear controls for confidentiality, integrity, and availability

Encryption

Data is encrypted in transit (TLS 1.2+) and at rest using AES-256 (or equivalent). Key management via provider KMS with rotation ≤90 days and access gated by MFA/JIT; all access is audit-logged.

Access Controls

Granular RBAC (Owner, Admin, Contributor, Viewer) at room/folder/file level; view-only modes, download/print blocks, and instant user removal.

Leak Deterrence

Dynamic watermarks with Email + Timestamp to discourage screenshots and redistribution (configurable per room).

Segregation

Logical tenant separation; least-privilege internal access; production access gated by strong authentication and change control.

Auditability

Event logs for access, views, downloads, and Q&A. Heatmaps and time-on-page analytics per page and per file.

Operational Readiness

Daily snapshots + point-in-time recovery; quarterly restore tests; documented incident runbooks; deletion supported upon request subject to backup aging.

Security Controls

Designed for VDR confidentiality with practical safeguards

Identity & Authentication

  • 2FA via Email OTP
  • Admins can enforce 2FA per room/tenant; recommended default is enabled for admin accounts
  • Sessions: 8h idle; refresh 30d; tokens revoked on password/role change
  • No SSO is required or mentioned

Authorization

  • RBAC: Owner, Admin, Contributor, Viewer
  • Document-level permissions for buyer groups (M&A)
  • Download/print blocks available
  • Link expiry: default 7 days (configurable); admins can revoke at any time

Data Protection

  • TLS 1.2+ in transit; encrypted storage at rest (AES-256)
  • Watermarks (Email + Timestamp; configurable)
  • EU-only primary storage (eu-west-1)

Logging & Monitoring

  • Logins, file views, time-on-page, downloads, Q&A events
  • Admin alerts optional at document level
  • Log retention: 90 days (Standard), up to 1 year (Premium)

Data Retention & Deletion

  • Room data retained until owners delete or per policy
  • Backups age out on a rolling 35-day schedule
  • Deletion on request via support (see below)

Customer/Processor Roles

  • Role: Customers are the Data Controller; DeelTrix is the Data Processor for customer content
  • Data residency: EU (eu-west-1). Certain operational telemetry/notifications may be processed under SCCs where required

Application Security

Secure development lifecycle and vulnerability management

Secure SDLC

  • All changes peer-reviewed
  • CI checks include dependency/security scanning
  • Infrastructure/configuration as code

Vulnerability Management

  • Tracked remediation with severity-based SLAs
  • Periodic third-party penetration testing; executive summaries available under NDA

Platform Hardening

  • Security headers & Content Security Policy
  • Abuse/rate-limit controls and WAF
  • Strict file-type handling and sandboxed previews

Infrastructure

Modern cloud stack and EU-only residency

Cloud Hosting

Supabase (SOC 2 compliant) provides managed Postgres and Storage. Primary data region: eu-west-1. Residency: EU-only.

Database & Storage

Postgres via Supabase; object storage via Supabase Storage. Encryption at rest; TLS in transit; provider KMS with key rotation.

Backups & Access

Backups: daily snapshots + point-in-time recovery; retention 35 days; restore tests quarterly. Production access limited to ≤3 named admins with MFA/JIT and audit logging.

Availability & DR

Reliability targets and incident communication

Monitoring

24×7 monitoring and on-call; P1 alerts page within 5 minutes; escalation runbooks maintained.

Disaster Recovery

RTO: 4 hours. RPO: 15 minutes. DR procedures exercised regularly.

Status & Uptime

Uptime target: 99.9% monthly.
How we notify: In-app banner and email to tenant admins for major incidents.
Uptime history: Admins can request this on demand.

Privacy, Data Location & DPA

We minimize what we collect and give you control

Privacy

  • We process customer data solely to provide the service (Processor).
  • Admins control retention and can request deletion; backups age out in 35 days.
  • Data subject requests (GDPR) supported via email; SLA 30 days.

See our Privacy Policy.

DPA, SCCs & Requests

DPA available—email support@deeltrix.com with subject “Security Request”. SCCs are used where required for cross-border transfers. For privacy queries/DSR, email support@deeltrix.com (SLA: 30 days).

Sub-processors

Vendors we use to deliver the service. We list providers that may process customer content or personal data.
Last updated:

Vendor: Supabase

  • Purpose: Managed Postgres & Storage
  • Data Processed: Customer content, metadata, logs
  • Access to Customer Content: Yes — encrypted customer content is stored/processed (DB & object storage) in the EU (eu-west-1); no routine human access; support-only under DPA with least-privilege, audit logging, and MFA/JIT controls.
  • Location/Region: EU (eu-west-1)
  • Transfer Mechanism: DPA; SCCs if required
  • Retention: Backups on rolling schedule (35 days)
  • Notes: Encryption at rest; TLS in transit; SOC 2 compliant platform

We’ll notify customers in advance of any material changes to this list.

Responsible Disclosure & Incidents

Security is a partnership—contact us below

Report a Vulnerability

Good-faith research within these guidelines is authorized. Please avoid accessing data that isn’t yours.

  • Email: support@deeltrix.com
  • Acknowledgement target: within 2 business days
  • Breach notification: without undue delay and within legal timelines (e.g., GDPR)

Incident Response

We triage, contain, and notify affected customers per contract and law. Post-incident summaries are available on request.

Security In Our DNA

We follow strict data management protocols & safety standards

Program Maturity

Policy reviews, vendor risk management, and security exercises continue to expand.

External Testing

Periodic third-party penetration testing; executive summaries can be shared under NDA.

SOC 2 Compliant

We have SOC-compliant data centers and multi-level security, such as audit trails, 2FA, and session expiry, in place to ensure complete data protection.
