Skip to main content

Security

Deal documents are some of the most sensitive files in finance. Here is exactly how we protect them and what we have not yet certified.

Data encryption

Encryption at rest

All documents and database rows are encrypted at rest using AES-256, managed by our cloud database vendor (Supabase, on AWS).

Encryption in transit

Every connection between client, edge, API, database, and AI provider runs over TLS 1.3. HTTP requests are HSTS-pinned.

BYOK (Enterprise)

Enterprise customers may supply their own KMS-managed envelope key for object storage. Key rotation is customer-controlled.

Tenant isolation

Our backend runs on Supabase (managed Postgres on AWS). Every multi-tenant table is protected by Row-Level Security policies evaluated by Postgres on every query, including those issued by background workers.

  • Postgres Row-Level Security on every multi-tenant table
  • Org-scoped storage buckets — no cross-tenant object access is reachable
  • Per-org service-role tokens scoped at issue time, never shared between requests
  • Background jobs inherit the originating user’s org context, never elevated

Subprocessors

We use a small number of vendors to run the service. Each is named below so you can map them in your own vendor risk review.

  • Supabase — managed Postgres database and object storage. Sub-vendor: AWS (us-east-1; EU regions available on Enterprise).
  • Vercel — edge network and serverless runtime for the web app.
  • Anthropic— language model API for document analysis. Anthropic's commercial API terms forbid using submitted content to train their models.

Compliance posture

We name what we have, what we are working toward, and what we do not yet do. Buyers should be able to grade us honestly.

For the full feature inventory tied to each control — 2FA, audit chain, residency, SCIM, ethical walls, DRM — see our compliance features.

SOC 2 Type II

In progress — target Q3 2026

Audit window opens Q2 2026 with a Big Four-tier auditor. We do not currently hold a SOC 2 Type II report. Type I letter expected end of Q2 2026. Request the latest readiness assessment or Type I letter (when available) under NDA at security@dataroomsnap.com.

Request a copy under NDA →

GDPR

Aligned

Article 17 right-to-erasure honored within 30 days. Data Processing Agreement available at /dpa. EU data residency available on Enterprise.

CCPA

Aligned

California consumer requests handled through the same erasure and access workflow as GDPR.

HIPAA

Not in scope

DataRoom Snap is not designed for protected health information and does not currently sign BAAs.

Security program

  • Annual third-party penetration test (most recent: Q4 2025, no critical findings)
  • Continuous dependency vulnerability scanning on every push
  • Least-privilege production access with hardware-key MFA for all engineers
  • Documented incident response plan with 24-hour notification SLA per DPA
  • Background checks for all employees with production data access
  • Quarterly access reviews and offboarding within 4 hours of separation

Data retention & deletion

Default retention

Uploaded documents and analysis output are retained for the life of the org subscription, then deleted within 30 days of cancellation. Audit logs are retained for 7 years for regulatory and forensic purposes.

On-demand erasure

Org admins can permanently delete any document, analysis, or the entire workspace from the dashboard. Cryptographic shredding completes within 24 hours; backup expiry within 30 days.

Security questionnaire or pentest letter?

Email security@dataroomsnap.com and we will respond within two business days.

View Data Processing Agreement