DueDrill handles sensitive deal data for venture capital investors. We built our security architecture with the same rigor you apply to your diligence process — because trust is earned, not assumed.
AES-256-GCM encryption for all stored data, including company records, scores, notes, and uploaded documents.
TLS 1.3 enforced on every connection. All API calls, webhooks, and file transfers are encrypted end-to-end.
Each user's data is cryptographically isolated. There is no shared data space between accounts.
Application hosted on Vercel's edge network. SOC 2 Type 2 certified. Automatic DDoS protection and global CDN.
Database and authentication powered by Supabase. SOC 2 Type 2 certified. Built on top of AWS with managed backups.
Underlying cloud infrastructure runs on Amazon Web Services, in US-based regions with enterprise-grade physical security.
Supabase RLS policies enforce that every database query is scoped to the authenticated user. No user can access another user's data at the database level.
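The row-level security pattern behind that scoping claim, as an added example that is not DueDrill's own schema: a Supabase policy set for an assumed `companies` table keyed by an assumed `user_id` column, followed by the transaction-scoped impersonation check that Supabase's documentation uses to verify a policy as a given user.

```sql
-- Added example, not DueDrill's schema: the Supabase RLS pattern that scopes
-- every query to the authenticated user. Table/column names are assumptions.
create table if not exists public.companies (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null default auth.uid()
             references auth.users (id) on delete cascade,
  name       text not null,
  created_at timestamptz not null default now()
);

-- Policies are ignored until RLS is enabled; 'force' applies it to the owner too.
alter table public.companies enable row level security;
alter table public.companies force row level security;

-- One policy per command keeps the intent explicit. 'using' filters rows a
-- statement may see; 'with check' rejects rows a write would produce.
create policy "companies_select_own" on public.companies
  for select to authenticated
  using (user_id = (select auth.uid()));

create policy "companies_insert_own" on public.companies
  for insert to authenticated
  with check (user_id = (select auth.uid()));

create policy "companies_update_own" on public.companies
  for update to authenticated
  using (user_id = (select auth.uid()))
  with check (user_id = (select auth.uid()));

create policy "companies_delete_own" on public.companies
  for delete to authenticated
  using (user_id = (select auth.uid()));

-- Check: impersonate one user inside a transaction and confirm no other
-- user's rows are visible. The UUID is a constructed placeholder.
begin;
set local role authenticated;
set local request.jwt.claims to
  '{"sub":"11111111-1111-4111-8111-111111111111","role":"authenticated"}';
select count(*) as leaked_rows            -- expected 0 under RLS
  from public.companies
 where user_id <> (select auth.uid());
rollback;
```

The `service_role` key bypasses RLS entirely, so it must stay on the server; browser code should hold only the anon key plus the signed-in user's JWT, which is what makes `auth.uid()` resolve inside these policies.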
Secure session tokens with automatic expiration. Support for Google OAuth via Supabase Auth with PKCE flow.
Your AI provider API keys (OpenAI, Anthropic, etc.) are encrypted at rest and never logged or exposed in client-side code.
10 requests per minute on AI research routes to prevent abuse and runaway API costs. Generous limits for standard CRUD operations.
All user inputs are validated and sanitized server-side before processing. Parameterized queries prevent SQL injection.
Cross-site request forgery tokens on all state-changing operations. SameSite cookie attributes enforced.
Content-Security-Policy, Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers on all responses.
Full compliance with the EU General Data Protection Regulation. Lawful basis for processing, data minimization, and right to erasure.
Compliance with the California Consumer Privacy Act. Right to know, right to delete, and right to opt-out of data sale.
We never sell, rent, or share your data with third parties for marketing or advertising purposes. Period.
All data you enter into DueDrill belongs to you. Export everything as JSON or PDF at any time.
Delete individual companies, specific data points, or your entire account and all associated data with one action.
Every AI-generated data point includes a confidence score so you know exactly how certain the model is about each finding.
AI fills in research data, but every score and investment decision requires human review and explicit confirmation.
DueDrill is a decision-support tool, not a decision-making tool. The platform never makes buy/pass recommendations autonomously.
If you have questions about our security practices, need a security assessment for your compliance team, or want to report a vulnerability, reach out directly.
security@duedrill.com