Security & Trust Center

DEALITHIC
SECURITY

Built for institutional deal teams. This document outlines the technical and operational controls governing how DEALITHIC stores, processes, and protects confidential deal data — from infrastructure to authentication to document handling.

All systems operational · TLS 1.3 enforced · AES-256 encryption at rest · Zero plaintext credentials stored · Full login audit log
01 Infrastructure & Hosting Enterprise Grade
Vercel (Frontend)
Next.js application served via Vercel's global edge network across 100+ PoPs. Automatic HTTPS with HSTS enforcement. TLS 1.3 minimum, TLS 1.0/1.1 disabled. DDoS mitigation and rate-limiting at the CDN layer. Zero server infrastructure to patch or maintain. All API routes execute as isolated serverless functions with no persistent process state.
Railway (Backend API)
FastAPI inference engine running in isolated containers on Railway's managed cloud platform. HTTPS-only ingress with automatic TLS certificate rotation. Environment secrets injected at runtime via Railway's encrypted variable store — never baked into container images or source code. Containerized isolation ensures no shared memory between tenant requests.
Supabase (Database)
PostgreSQL database hosted on Supabase's managed infrastructure. AES-256 encryption at rest. TLS-encrypted connections in transit. Supabase maintains SOC 2 Type II certification. Automated daily backups with point-in-time recovery. Database access is performed only from server-side API routes, which are the only place the Supabase service-role key is available; those routes scope every query to the authenticated account, and there is no direct database access from client-side code. (A service-role key bypasses Postgres row-level security, so this per-account scoping is enforced in the application layer rather than by RLS policies.)
02 Data Encryption AES-256 · TLS 1.3
Encryption in Transit
All data transmitted between clients, the Vercel edge, Railway API, and Supabase is encrypted using TLS 1.3. Unencrypted HTTP connections are automatically upgraded or rejected.
TLS 1.3 · HSTS
Encryption at Rest
All database records — including deal data, extracted financials, and user accounts — are stored with AES-256 block encryption at the storage layer via Supabase's managed PostgreSQL.
AES-256
Credential Storage
Passwords are never stored in plaintext. All password-based credentials are hashed using bcrypt (cost factor 10) before persistence — irreversible by design.
bcrypt · cost=10
Document Handling
CIMs and financial models uploaded for analysis are processed server-side. Documents are not retained beyond the active session unless explicitly saved to a named deal in the user's workspace.
Ephemeral processing
03 Authentication & Access Control OAuth 2.0 · bcrypt

DEALITHIC supports two authentication methods, both handled server-side with no secrets exposed to the client. Session state is bound to the authenticated user, and access to deal data is isolated per user account.

Control | Implementation | Status
Google OAuth 2.0 | PKCE authorization code flow via Google Identity Platform. Tokens exchanged server-side only. User identity verified against Google's token endpoint before account creation or login. | ✓ PASS
Email / Password Auth | Passwords hashed with bcrypt (cost factor 10) on registration. On login, bcrypt.compare() is used; raw passwords are never logged, stored, or transmitted beyond the initial POST body. | ✓ PASS
Password Reset Flow | Cryptographically secure 256-bit random token (Node.js crypto.randomBytes). Token expires after 1 hour. All prior unused tokens invalidated on each new reset request. Reset links sent via authenticated transactional email. | ✓ PASS
Anti-Enumeration | The password reset endpoint returns HTTP 200 regardless of whether the email exists in the system, preventing attackers from enumerating registered accounts. | ✓ PASS
Minimum Password Policy | Passwords must be at least 8 characters. Enforced server-side on all registration routes; client-side validation is supplementary only. | ✓ PASS
Service Key Isolation | Supabase service-role keys are only accessible within server-side API routes (Next.js Route Handlers, Railway backend). They are injected via environment variables and are never exposed to or usable from client-side JavaScript. | ✓ PASS
Input Normalization | All email addresses are trimmed and lowercased before persistence or comparison, preventing case-variation account duplication or bypass attempts. | ✓ PASS
04 Audit Logging & Event Tracking Immutable Log

Every authentication event is recorded to an immutable login_events ledger in the DEALITHIC database. Records capture the authenticated email, authentication method (email/password or Google OAuth), and UTC timestamp on every sign-in — regardless of session outcome.

User account records also maintain a last_login timestamp updated on each successful authentication. This provides a per-account audit trail suitable for access reviews.

05 Data Isolation & Confidentiality Per-Account Scoped
Deal Isolation
Each deal is persisted with the creating user's email as the owner key. All deal retrieval queries are scoped to the authenticated user's email — cross-account data access is structurally prevented at the query layer.
Owner-scoped queries
Deal Room Sharing
Deal rooms and shared memos require explicit share actions by the deal owner. Share links are keyed to the deal ID and recipient email. Unshared deals are never accessible to other accounts.
Explicit share model
NDA Handling
NDAs uploaded or generated within the platform are stored per deal and scoped to the deal owner. NDA templates and placed signature fields are not shared between unrelated accounts.
Per-deal scoped
AI Processing Isolation
Document analysis runs execute as stateless serverless requests. Each analysis is an isolated invocation — no deal context or document content persists in memory between requests or across user sessions.
Stateless inference
06 Secrets Management & Operational Security Env-Isolated
07 Third-Party Vendor Security Posture SOC 2 Stack

DEALITHIC's infrastructure stack is composed of vendors that maintain SOC 2 Type II or equivalent enterprise certifications (Railway's SOC 2 Type II is in process, as noted in the table). No deal data transits vendors outside this tier.

Vendor | Role | Certification / Posture
Vercel | Frontend hosting, serverless API execution, CDN | SOC 2 Type II · ISO 27001 · GDPR-compliant DPA available
Supabase | PostgreSQL database, row-level access | SOC 2 Type II · HIPAA-eligible add-on · ISO 27001 · GDPR-compliant
Railway | Backend API / inference engine hosting | SOC 2 Type II in process · encrypted secret store · isolated containers
OpenAI / Anthropic | AI analysis engine (deal memo generation) | SOC 2 Type II · enterprise data processing agreements available · zero training use of API data
Resend | Transactional email (auth, notifications) | SOC 2 Type II · GDPR compliant · TLS email delivery
Stripe | Payment processing | PCI DSS Level 1 · SOC 2 Type II · no card data touches DEALITHIC servers
Google Identity | OAuth 2.0 authentication provider | ISO 27001 · SOC 2/3 · FedRAMP authorized
08 Compliance & Regulatory Posture Active Review
GDPR
Personal data collected is limited to the account email address. Data processing agreements are available with Vercel and Supabase. Users may request account and data deletion via security@dealithic.co.
DPA available
SOC 2 Alignment
DEALITHIC's control architecture is designed to align with the SOC 2 Trust Services Criteria (Security, Availability, Confidentiality). Formal SOC 2 Type II audit engagement is on the product roadmap.
Roadmap Q3 2026
NDA & Confidentiality
Enterprise customers may execute a mutual NDA covering deal data processed through the platform. Contact security@dealithic.co to initiate.
Available on request
Data Retention
Deal memos and analysis outputs are retained per the user's workspace until explicitly deleted. Account deletion removes all associated deal records. No data is sold or shared with third parties for any purpose.
On-demand deletion
09 Security Controls Verification Internal Review · May 2026

The following controls were verified through internal security review in May 2026. An independent third-party penetration test is scheduled as part of the SOC 2 engagement.

Test | Method | Result
TLS enforcement | Verified HTTPS redirect on all routes; confirmed TLS 1.3 via SSL Labs scan | ✓ PASS
Password hashing | Confirmed bcrypt hash output in database; verified no plaintext fallback path exists in registration or login routes | ✓ PASS
Password reset token entropy | Verified 256-bit entropy via crypto.randomBytes(32); confirmed 1-hour expiry and single-use invalidation logic | ✓ PASS
Email enumeration resistance | Confirmed password reset returns HTTP 200 for both registered and unregistered emails; response body and timing indistinguishable | ✓ PASS
Cross-account data access | Verified all deal retrieval queries are scoped to the authenticated user's email; no route returns deal data without email scope | ✓ PASS
Client-side secret exposure | Audited Next.js bundle; confirmed service-role keys, AI API keys, and webhook secrets are absent from all client-side JavaScript bundles | ✓ PASS
OAuth code replay | Confirmed authorization code is single-use per Google OAuth spec; replay of a consumed code returns invalid_grant from Google's token endpoint | ✓ PASS
SQL injection | All database queries use Supabase's PostgREST API with encoded URL parameters; no raw SQL construction in any route handler | ✓ PASS
Webhook authentication | Verified x-dealithic-secret header required and validated on all internal webhook endpoints; requests without valid secret rejected | ✓ PASS
10 Responsible Disclosure Bug Bounty TBD

DEALITHIC takes security disclosures seriously. If you identify a potential vulnerability, please report it to security@dealithic.co. We will acknowledge receipt within 1 business day and aim to remediate confirmed findings within 14 days.

We ask that you do not exploit vulnerabilities or access data beyond what is necessary to demonstrate the issue. We will not pursue legal action against researchers acting in good faith under these guidelines. A formal bug bounty program is under consideration.