SOC 2 Compliance
Dealspace has completed a comprehensive SOC 2 Type II self-assessment. We are preparing for formal audit certification in Q4 2026.
Note: This is a self-assessment document. Formal SOC 2 Type II audit is planned for Q4 2026.
What is SOC 2?
SOC 2 (System and Organization Controls 2) is an auditing framework developed by the AICPA that evaluates how organizations manage customer data based on five Trust Services Criteria.
For M&A platforms handling confidential deal data, SOC 2 compliance demonstrates a commitment to security, availability, and data protection that investment banks and advisors require.
Self-Assessment Summary
Assessment Date: February 28, 2026
What's Covered
Our SOC 2 assessment covers all aspects of the Dealspace platform and infrastructure.
Infrastructure
- Production server (Zürich, Switzerland)
- Go application binary
- SQLite encrypted database
- Caddy reverse proxy
Data Types
- M&A deal documents
- Financial data
- Transaction details
- Participant information
User Types
- Investment bank admins/members
- Seller organizations
- Buyer organizations
- Observers
The Five Pillars
SOC 2 evaluates organizations against five Trust Services Criteria. Dealspace implements controls for all five.
Security (CC1-CC9)
Protection against unauthorized access, both physical and logical.
Availability (A1)
Systems are available for operation and use as committed.
Confidentiality (C1)
Information designated as confidential is protected as committed.
Processing Integrity (PI1)
System processing is complete, valid, accurate, timely, and authorized.
Privacy (P1-P8)
Personal information is collected, used, retained, and disclosed in conformity with commitments.
Key Security Controls
Encryption
FIPS 140-3 validated AES-256-GCM with per-project keys derived via HKDF-SHA256
Authentication
JWT tokens with 1-hour expiry, MFA required for IB users, session management
Authorization
Role hierarchy (IB → Seller → Buyer → Observer), invitation-only access
Infrastructure
Swiss data center, UFW firewall, SSH key-only, automatic security updates
Audit Logging
All access is logged with actor, timestamp, and IP address; logs are retained for 7 years for compliance
Backup & Recovery
Daily encrypted backups, 4-hour RTO, 24-hour RPO, tested recovery procedures
Policy Documents
Our SOC 2 program is supported by comprehensive policy documentation.
Self-Assessment Report
Complete SOC 2 Type II self-assessment with control mappings
Security Policy
Security requirements for systems, data, and operations
Incident Response Plan
Procedures for detecting and responding to security incidents
Disaster Recovery Plan
Recovery procedures following disasters affecting systems
Data Retention Policy
Data retention periods and deletion procedures
Risk Assessment
Identified risks and mitigation controls
Audit Timeline
February 2026 — Self-Assessment Complete
Comprehensive self-assessment against all five Trust Services Criteria completed. Policy documentation created.
Q2 2026 — Gap Remediation
Address recommended action items including backup restore testing and external penetration test.
Q4 2026 — Formal SOC 2 Type II Audit
Engage third-party auditor for formal SOC 2 Type II certification.
Questions About Compliance?
Contact our security team for detailed documentation or to discuss your compliance requirements.