Trust & security
Last updated: 30 June 2026
Deepfin handles confidential, commercially sensitive due-diligence material — deal documents, assessments, and the fact that a fund is evaluating a particular company. Protecting it is core to the product. This page summarises how; our full security documentation is available to your security team on request.
How we protect your data
The controls below are implemented in the platform as built today.
EU data residency
All application data at rest is stored in the EU (Hetzner, Germany). When you run an analysis, document content is sent to our AI sub-processors (Anthropic, Google) for processing on their own infrastructure, which is currently US-based.
Encryption everywhere
TLS in transit; at rest, the whole database and its write-ahead log are AES-256 encrypted, every uploaded file, report, and screenshot is AES-128 + HMAC encrypted, and MFA secrets are field-encrypted.
Authentication & access
Microsoft Entra SSO (OIDC) and TOTP multi-factor authentication with step-up for sensitive actions. Role-based access with per-organisation isolation — cross-organisation requests return nothing, not even existence.
Your data never trains AI
Document content is sent to our AI sub-processors (Anthropic, Google) only to perform the analysis you request, under commercial API terms that exclude training on submitted data.
Audit logging & monitoring
An append-only event log captures authentication, document access, and admin actions, with a per-deal access trail and CSV export for your own review.
Backups & recovery
Encrypted, integrity-checked database snapshots with a 7-day retention window, plus incremental mirroring of stored files.
Security questionnaire
Concise answers to the questions security, IT, and compliance reviewers ask most often.
| Question | Answer |
|---|---|
| Where is data hosted? | Application servers, the database, and document storage run with Hetzner in Germany. All application data at rest is in the EU. |
| Where is data processed? | On the EU host, except document content sent to the AI sub-processors (Anthropic, Google), which is processed on their own infrastructure — currently US-based. |
| Is data encrypted at rest? | Yes — the whole database and write-ahead log (AES-256), all files (AES-128 + HMAC), and MFA secrets (field-encrypted). |
| Is data encrypted in transit? | Yes — HTTPS/TLS, terminated by the reverse proxy on the host. |
| Is SSO supported? | Yes — Microsoft Entra ID (OIDC), invite-only linking, per-organisation tenant allowlist; active in production. |
| Is MFA supported? | Yes — TOTP with organisation-wide enforcement, recovery codes, step-up for sensitive actions, and fail-closed email codes. |
| How are passwords stored? | bcrypt with a per-password salt. SSO accounts have no password. |
| How is access controlled? | Roles (member / org-admin), per-organisation query scoping, and per-deal gating; cross-organisation requests return 404. |
| Is there an audit log? | Yes — append-only events (authentication, document access, admin actions), a per-deal access trail, and CSV export. |
| What is the tenant isolation model? | Logical — a shared database with enforced row-level organisation scoping; cross-organisation existence is not disclosed. |
| Which sub-processors are used? | Hetzner, Anthropic, Google, Tavily, Firecrawl, Postmark — see our sub-processors list. |
| Is our data used to train AI models? | No — Anthropic and Google process API data under commercial terms that exclude training on submitted data. |
| What data is sent to each provider? | Document content to Anthropic and Google; only query strings to Tavily; only public URLs to Firecrawl; account names and email addresses to Postmark. |
| What are the backup arrangements? | Encrypted database snapshots, integrity-checked, with 7-day retention, plus incremental file mirroring. |
| How are sessions managed? | Server-side, revocable, opaque tokens; HttpOnly / Secure / SameSite cookies; 30-day absolute expiry. |
| How are users deprovisioned? | Deactivation blocks access immediately and preserves data for audit. |
| Do you hold SOC 2 / ISO 27001? | No certification is currently held; the controls described here constitute our posture for review. |
Related: Privacy Policy · Terms of Service · Sub-processors
Need the full security pack?
We'll share our detailed security documentation — architecture, data lifecycle, and a reviewer questionnaire — with your security team.