DealGlass Back to DealGlass
Security & Trust

How DealGlass protects your data

DealGlass, Inc. develops AI-assisted diligence and deal-workflow software. This statement describes the administrative and technical controls we operate, supported by the physical security of our infrastructure providers, to safeguard customer data, and the compliance program under which they are assessed.

Effective June 26, 2026 · Reviewed quarterly

Real-time control status. Our live compliance posture, monitored controls, subprocessors, and audit documentation are published in our Trust Center.
Visit Trust Center →

Compliance

DealGlass is undergoing an independent SOC 2 Type II examination and maintains GDPR readiness. Controls are continuously monitored through a third-party compliance platform, and the current status of every control is available in our Trust Center.

Encryption

  • In transit. All traffic is served exclusively over TLS, with HTTP Strict Transport Security enforced.
  • At rest. Backups and object storage are encrypted with AES-256 in Amazon S3, with cross-region replication.
  • Migration of primary data stores to managed, encrypted-at-rest services is proceeding under our infrastructure roadmap.

Access control

  • Application sessions are authenticated with signed tokens delivered in HttpOnly, Secure cookies; credentials are hashed with bcrypt.
  • Multi-factor authentication (TOTP with recovery codes) is available to all users.
  • Administrative access is granted on a least-privilege basis and subject to periodic review.
  • Customer data is logically separated by workspace.

Application & infrastructure hardening

  • Standard security response headers are enforced (HSTS, X-Content-Type-Options, X-Frame-Options).
  • Rate limiting is applied to authentication and API endpoints.
  • Privileged actions are recorded in append-only audit logs archived to immutable (WORM) storage.
  • Error monitoring is configured to exclude personally identifiable information.
  • Databases are not exposed to the public network; ingress terminates at a TLS reverse proxy.

Resilience

Database backups run on an automated schedule and are encrypted and cross-region replicated. We maintain documented disaster-recovery and incident-response procedures, and monitor production infrastructure for threats on a continuous basis.

Data & privacy

Our processing of personal data, and the subprocessors engaged to deliver the service, are described in our Privacy Policy, Cookie Policy, and the subprocessor register within our Trust Center.

Reporting a concern

Security researchers and customers may report vulnerabilities or security concerns to security@dealglass.com. We acknowledge good-faith reports, coordinate on remediation, and will not pursue legal action against researchers acting in good faith.