Security
Your deal data, locked down
M&A data is among the most sensitive content a business will ever produce. We treat it that way.
Encryption everywhere
TLS 1.3 for all data in transit. AES-256 for data at rest. Encrypted database backups. No plaintext storage of sensitive content.
Tenant isolation
Each customer's data is isolated at the database and application layer. No shared state, no cross-tenant queries, no "soft" permission boundaries.
No AI training
Your documents are never used to train AI models — ours or our providers'. Anthropic enterprise terms contractually prohibit training on customer data.
Access controls
Role-based permissions on Professional plans. SSO / SAML for Enterprise. Production access restricted via SSO + hardware keys, audited continuously.
Compliance
SOC 2 Type I complete, Type II audit in progress. GDPR and CCPA aligned. DPA available on request for Enterprise customers.
Incident response
On-call rotation, documented runbooks, 72-hour customer notification commitment for any incident affecting your data. Full post-mortem published internally and shared with affected customers.
Infrastructure
Built on hardened cloud infrastructure with security-first defaults.
- Hosting: AWS us-east-1 and us-west-2. ISO 27001, SOC 2, PCI DSS certified data centers.
- Database: PostgreSQL with encryption at rest (AES-256), encrypted backups, point-in-time recovery, automated replica failover.
- Document storage: S3 with server-side encryption (SSE-KMS), versioning enabled, lifecycle policies, access logging.
- Network: Private VPC, WAF at edge, DDoS protection, no public database access, mTLS for service-to-service communication.
- Monitoring: Centralized logs (14-day hot / 1-year cold), real-time anomaly detection, 24/7 pager rotation for critical alerts.
Secure development
- Code review required for every change; no direct production commits.
- Automated dependency scanning (Dependabot) and CVE monitoring; critical patches deployed within 24 hours.
- Static analysis (SAST) and secret scanning in CI; builds fail on any exposed credential.
- Annual third-party penetration tests. Latest report available under NDA to Professional and Enterprise customers.
- Staging environment mirrors production; no production data ever used in dev or testing.
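To make the "builds fail on any exposed credential" step concrete, here is an added example of a minimal secret-scanning CI gate (written for this page; it is not DiligentPath's pipeline and is simpler than production scanners such as those bundled with Dependabot or SAST suites). It parses a unified diff, scans only added lines, and returns a non-zero exit status when any rule matches. The sample diff is constructed; the access key in it is the AWS documentation example key, and the rule set and file paths are assumptions.

```python
"""Minimal secret-scanning gate for CI: fail the build if a diff adds a credential.

Added example, not DiligentPath's tooling. Usage in a pipeline step:
    git diff origin/main...HEAD | python secret_gate.py
"""
import re
import sys
from dataclasses import dataclass

# Detection rules are deliberately narrow to keep false positives low; a real
# scanner would carry many more vendor formats plus an entropy check.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # identifier containing password/secret/token/api_key assigned a quoted literal
    "hardcoded-credential": re.compile(
        r"(?i)\w*(?:password|passwd|secret|token|api_?key)\w*\s*[:=]\s*[\"'][^\"']{8,}[\"']"),
}
HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # line number in the new version of the file
    rule: str
    excerpt: str   # the offending line with quoted values masked


def redact(line: str) -> str:
    """Mask quoted values so the finding can be logged without leaking the secret."""
    return re.sub(r"([\"'])[^\"']{4,}\1", r"\1***\1", line.strip())


def scan_diff(diff_text: str) -> list[Finding]:
    """Walk a unified diff and apply every rule to each added ('+') line."""
    findings: list[Finding] = []
    path = "?"
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")      # file header for the new side
            continue
        if raw.startswith(("--- ", "diff ", "\\")):
            continue                                # old-side header, git header, "\ No newline"
        header = HUNK_HEADER.match(raw)
        if header:
            new_line = int(header.group(1))         # first line number of the new side
            continue
        if raw.startswith("-"):
            continue                                # removed lines never reach production
        if raw.startswith("+"):
            content = raw[1:]
            for name, pattern in RULES.items():
                if pattern.search(content):
                    findings.append(Finding(path, new_line, name, redact(content)))
        new_line += 1                               # context and added lines both advance
    return findings


def ci_gate(diff_text: str) -> int:
    """Print findings and return the process exit status (1 = block the build)."""
    findings = scan_diff(diff_text)
    for f in findings:
        print(f"{f.path}:{f.line}: [{f.rule}] {f.excerpt}")
    return 1 if findings else 0


# Constructed diff: a change that swaps environment lookups for literals.
# AKIAIOSFODNN7EXAMPLE is the example key from the AWS documentation.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@
 DEBUG = False
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DATABASE_PASSWORD = os.environ["DATABASE_PASSWORD"]
"""

# Constructed diff that keeps secrets in the environment; the gate should pass it.
CLEAN_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,2 +10,3 @@
 DEBUG = False
 AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
"""

if __name__ == "__main__":
    sys.exit(ci_gate(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF))
```

The scanner reports the hardcoded access key and secret key on lines 11 and 12 of settings.py and leaves the environment-variable lookup on line 13 alone, which is the behaviour a gate like this should have: it blocks literals in source while letting the correct pattern through. Because only added lines are checked, a diff that merely deletes an old secret passes, so a separate history scan is still needed once a credential has been committed and rotated.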
Report a vulnerability
Found something that looks wrong? We appreciate responsible disclosure. Email security@diligentpath.com with details. We acknowledge within 24 hours and don't take legal action against researchers acting in good faith.