Can I get a copy of your security pack?

Yes. Email security@dataroomsnap.com and reference "Security Pack Request". We respond within two business days with our completed CAIQ, latest readiness assessment, pen-test letter, and DPA. Materials are shared under NDA.

Do you have a Data Processing Agreement?

Yes. View our standard DPA at /dpa. Custom terms are available on Enterprise contracts.

Where is my data stored?

By default, AWS us-east-1 via Supabase. EU residency in AWS eu-central-1 is available on Enterprise.

Is my data used to train AI models?

No. We use the Anthropic Claude API for orchestration and Voyage AI for embeddings. Both providers contractually exclude submitted content from model training. See /trust/ai-governance for the full data-handling chain.

When will SOC 2 Type II be issued?

The audit window opens Q2 2026. Type I letter is expected end of Q2 2026. Type II report targets Q3 2026, contingent on the six-month observation period. Auditor to be announced once engagement is signed.

How do I report a vulnerability?

Email security@dataroomsnap.com with reproduction steps. We acknowledge within one business day and triage within five. We do not pursue legal action against good-faith researchers.

Trust Center

How we protect deal data, what we have certified, what is in progress, and what is still planned. Buyers should be able to grade us honestly.

Request security pack AI governance

Certifications and frameworks

We name what we have, what we are working toward, and what we do not yet do.

SOC 2 Type II

In progress

Audit window opens Q2 2026 with a Big Four-tier firm. Target Type II report Q3 2026. Type I letter expected end of Q2 2026. Auditor to be announced once engagement is signed.

ISO 27001

Planned

Scoping in Q4 2026, certification window targeted for 2027. Controls inherited from the SOC 2 program where overlap exists.

ISO 42001 (AI management)

Planned

Programme follows ISO 27001. See our AI Governance page for the controls already in place and the gaps the formal programme will close.

View AI governance

GDPR

Aligned

Article 17 right-to-erasure honored within 30 days. Standard Data Processing Agreement at /dpa. EU data residency available on Enterprise.

CCPA

Aligned

California consumer requests handled through the same access and erasure workflow as GDPR.

HIPAA

Not in scope

DataRoom Snap is not designed for protected health information and does not sign BAAs.

Encryption

Specifics, not adjectives.

At rest

AES-256 for all documents and database rows. Managed by Supabase on AWS using KMS-backed envelope encryption. Storage buckets and database disks are encrypted before any byte is written.

In transit

TLS 1.3 between client, edge, API, database, and AI providers. HSTS-pinned with a one-year max-age and includeSubDomains. No plaintext request paths exist.

Key management

KMS-managed envelope keys with automatic rotation. Enterprise customers may supply their own envelope key (BYOK); rotation is then customer-controlled.

Sub-processors

Vendors that process customer data on our behalf. Each is engaged under a DPA with confidentiality and breach-notification clauses.

Vendor	Purpose	Location
Supabase	Managed Postgres database, auth, and object storage	AWS us-east-1 (EU available on Enterprise)
Vercel	Application hosting and edge network	Global
Cloudflare	DNS, edge proxy, and DDoS protection	Global
Anthropic	Claude API for Co-Pilot orchestration and document analysis. Submitted content is not used for model training.	United States
Voyage AI	voyage-3-large embeddings for precedent search. Submitted content is not used for model training.	United States
Stripe	Payments and subscription billing	United States
Resend	Transactional email	United States
Sentry	Error monitoring with PII scrubbing applied at the client	United States / EU
PostHog	Product analytics. Document contents are never sent.	United States / EU
WorkOS	SSO, SAML, and SCIM provisioning (Enterprise only)	United States
Upstash	Rate limiting and ephemeral cache	AWS us-east-1

Material changes communicated to Enterprise customers at least 30 days in advance.

Data residency

United States (default)

Primary region is AWS us-east-1. All Starter, Analyst, and Fund tenants reside here.

European Union (Enterprise)

EU-resident tenants are provisioned in AWS eu-central-1. Embeddings, documents, audit logs, and analysis output stay in-region.

AI governance

Every memo claim is sourced to a specific page by our CitationAgent. Every AI action is written to a hash-chained audit trail. Customer data is never used to train any model. Customers can disable AI features per-org from /settings.

Read the full AI governance page

Incident response

Documented IR plan with named on-call rotation and severity classification
Confirmed-breach notification within 24 hours to affected Enterprise customers per the DPA
Post-incident root cause analysis shared with affected customers within 10 business days
Annual tabletop exercises against the documented plan
Vulnerability disclosures triaged within 5 business days; coordinated disclosure preferred

Security program

Annual third-party penetration test (most recent: Q4 2025, no critical findings)
Continuous dependency vulnerability scanning on every push
Least-privilege production access with hardware-key MFA for all engineers
Background checks for all employees with production data access
Quarterly access reviews and offboarding within 4 hours of separation
Hash-chained, tamper-evident audit trail for every system action (7-year retention)

Privacy and legal

What we collect and why

Acceptable use, liability, SLA

DPA

Standard data processing agreement

Security overview

Encryption and tenant isolation

Frequently asked

Need a security questionnaire or pen-test letter?

Email security@dataroomsnap.com and we will respond within two business days.

Request security pack