    SECURITY & PRIVACY

    Your Deal Data Is Protected at Every Layer

    DoneDeal is built on SOC 2 Type II–certified infrastructure with enterprise-grade encryption, role-based access controls, and strict third-party AI data policies. Your M&A documents stay yours.

    AI DATA POLICY

    Your Data Never Trains Third-Party AI

    DoneDeal uses the Anthropic commercial API, which operates under Commercial Terms of Service that categorically prohibit the use of customer data for model training. This is not an opt-out setting — it is a contractual exclusion that applies to all commercial API customers regardless of configuration.

    DoneDeal may use aggregate, de-identified usage patterns to improve our own platform and workflows. This is standard practice and does not involve sharing your deal data with any third party or exposing identifiable information.

    All AI processing runs through authenticated server-side functions. Your browser never communicates directly with any AI provider. API credentials are stored exclusively in server environment variables and are never exposed to client-side code.

    Your data is never used to train third-party AI models
    All AI calls are routed through secure server-side functions
    No API keys or credentials are ever exposed to the browser
    AI inputs and outputs are automatically deleted by the provider within 7 days under standard commercial terms

    INFRASTRUCTURE

    Built on Certified Infrastructure

    Every layer of DoneDeal's stack runs on independently audited, SOC 2 Type II–certified platforms. Data is encrypted with AES-256 at rest and TLS 1.3 in transit. Row-Level Security ensures users can only access deals and documents they are authorized to see.

    Supabase

    Database, authentication, edge functions

    SOC 2 Type II

    Vercel

    Hosting and CDN

    SOC 2 Type II, ISO 27001

    Anthropic

    AI processing

    SOC 2 Type II, ISO 27001, ISO/IEC 42001

    PLATFORM

    Security by Design

    Role-Based Access Control

    Granular permissions across all deal participants and documents

    Virtual Data Room

    Document-level permissions with controlled access for every party

    JWT Authentication

    Authenticated requests verified on every server function call

    Isolated Build Pipelines

    Separate frontend and backend deploys — no server code leaks into client bundles

    PII-Scrubbed Monitoring

    Error monitoring with automatic personally identifiable information removal

    Automated Security Audits

    No secrets in source code — verified by automated scanning

    ROADMAP

    What's Next

    SOC 2 Type II certification (DoneDeal org-level): In Progress
    Zero Data Retention agreement with AI provider: In Progress
    Additional compliance certifications as we scale into regulated verticals: Planned

    Questions About Security?

    We're happy to walk through our security architecture in detail.

    Reach out to us directly at:

    security@itsadonedeal.ai