Security

Security designed around your existing tenant.

DealOS inherits your identity, storage and compliance posture. Files don't move. Controls do.

Defense in depth

Nine pillars of our security model.

Customer-controlled storage

Source documents stay in your SharePoint, OneDrive, Box, Drive or Dropbox tenant. DealOS never takes custody.

Microsoft Entra ID / SSO

Authenticate against your IdP. SAML 2.0, OIDC and SCIM provisioning supported.

Role-based access

Granular roles for admins, deal leads, internal contributors, advisors and bidders.

External user access

Time-bound, MFA-enforced, IP-restricted access for parties outside your tenant.

Audit logging

Tamper-evident logs of every action — exportable to Splunk, Sentinel or your SIEM of choice.

Permission revocation

One-click global revocation across all sessions, devices and cached previews.

Data minimization

Only metadata required for access control and audit is processed. No content training. No third-party sharing.

Encryption in transit

TLS 1.3 across all connections. AES-256 at rest for audit and metadata stores.

Compliance-ready architecture

Designed against SOC 2, ISO 27001, GDPR, HIPAA and FINRA requirements.

Certifications & frameworks

Audited annually by independent third parties.

SOC 2 Type II

ISO 27001

GDPR / UK GDPR

HIPAA-ready

Security & compliance

Download the security overview

A two-page summary of DealOS's architecture, identity model, data protection, audit pipeline and compliance posture.

PDF · 2 pages

DealOS Security Overview

Architecture, identity & access, encryption, audit, watermarking, compliance and shared responsibility.

Need more?

Request our full security pack — SOC 2 Type II report, penetration test summary, DPA and subprocessor list — under NDA.

Identity

SSO & OIDC built for the enterprise

Authenticate every user against your existing identity provider. No shadow directories. No password sprawl.

SSO & OIDC

Protocols: SAML 2.0 · OpenID Connect (OIDC)
Identity providers: Microsoft Entra ID, Okta, Ping, Google Workspace, OneLogin, JumpCloud
Provisioning: SCIM 2.0 — automated user & group lifecycle
MFA: Inherited from IdP for internal users; enforced for external users
Session controls: Configurable lifetime, IP allowlists, device posture
External access: Time-bound magic-link or IdP federation; no password vaulting

Audit logging

Tamper-evident, SIEM-ready

  • Every view, search, download & Q&A action
  • Streaming export to Splunk, Sentinel, Datadog
  • WORM-mode retention for FINRA / SEC 17a-4

Watermarking

Dynamic, forensic-grade

  • Per-session user, IP, timestamp overlay
  • Applied to previews and downloads
  • Trace any leaked artifact to source session