Security designed around your existing tenant.
DealOS inherits your identity, storage and compliance posture. Files don't move. Controls do.
Nine pillars of our security model.
Customer-controlled storage
Source documents stay in your SharePoint, OneDrive, Box, Drive or Dropbox tenant. DealOS never takes custody.
Microsoft Entra ID / SSO
Authenticate against your IdP. SAML 2.0, OIDC and SCIM provisioning supported.
Role-based access
Granular roles for admins, deal leads, internal contributors, advisors and bidders.
External user access
Time-bound, MFA-enforced, IP-restricted access for parties outside your tenant.
Audit logging
Tamper-evident logs of every action — exportable to Splunk, Sentinel or your SIEM of choice.
Permission revocation
One-click global revocation across all sessions, devices and cached previews.
Data minimization
Only metadata required for access control and audit is processed. No content training. No third-party sharing.
Encryption in transit
TLS 1.3 across all connections. AES-256 at rest for audit and metadata stores.
Compliance-ready architecture
Designed against SOC 2, ISO 27001, GDPR, HIPAA and FINRA requirements.
Certifications & frameworks
Audited annually by independent third parties.
SOC 2 Type II
ISO 27001
GDPR / UK GDPR
HIPAA-ready
Download the security overview
A two-page summary of DealOS's architecture, identity model, data protection, audit pipeline and compliance posture.
PDF · 2 pages
DealOS Security Overview
Architecture, identity & access, encryption, audit, watermarking, compliance and shared responsibility.
Download PDF
Need more?
Request our full security pack — SOC 2 Type II report, penetration test summary, DPA and subprocessor list — under NDA.
Request security pack
SSO & OIDC built for the enterprise
Authenticate every user against your existing identity provider. No shadow directories. No password sprawl.
SSO & OIDC
- Protocols: SAML 2.0 · OpenID Connect (OIDC)
- Identity providers: Microsoft Entra ID, Okta, Ping, Google Workspace, OneLogin, JumpCloud
- Provisioning: SCIM 2.0 — automated user & group lifecycle
- MFA: Inherited from IdP for internal users; enforced for external users
- Session controls: Configurable lifetime, IP allowlists, device posture
- External access: Time-bound magic-link or IdP federation; no password vaulting
Tamper-evident, SIEM-ready
- Every view, search, download & Q&A action
- Streaming export to Splunk, Sentinel, Datadog
- WORM-mode retention for FINRA / SEC 17a-4
Dynamic, forensic-grade
- Per-session user, IP, timestamp overlay
- Applied to previews and downloads
- Trace any leaked artifact to source session