Self-Assessment · Type II Audit Planned Q4 2026

SOC 2 Compliance

Dealspace has completed a comprehensive SOC 2 Type II self-assessment. We are preparing for formal audit certification in Q4 2026.

Note: This is a self-assessment document. Formal SOC 2 Type II audit is planned for Q4 2026.

Overview

What is SOC 2?

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the AICPA that evaluates how organizations manage customer data based on five Trust Services Criteria.

For M&A platforms handling confidential deal data, SOC 2 compliance demonstrates a commitment to security, availability, and data protection that investment banks and advisors require.

Self-Assessment Summary

Security (CC1-CC9): 95%
Availability (A1): 95%
Confidentiality (C1): 98%
Processing Integrity (PI1): 95%
Privacy (P1-P8): 95%

Assessment Date: February 28, 2026

Scope

What's Covered

Our SOC 2 assessment covers all aspects of the Dealspace platform and infrastructure.

Infrastructure

  • Production server (Zürich, Switzerland)
  • Go application binary
  • SQLite encrypted database
  • Caddy reverse proxy

Data Types

  • M&A deal documents
  • Financial data
  • Transaction details
  • Participant information

User Types

  • Investment bank admins/members
  • Seller organizations
  • Buyer organizations
  • Observers

Trust Services Criteria

The Five Pillars

SOC 2 evaluates organizations against five Trust Services Criteria. Dealspace implements controls for all five.

Security (CC1-CC9)

Protection against unauthorized access, both physical and logical.

FIPS 140-3 encryption (AES-256-GCM)
Per-project key derivation (HKDF-SHA256)
Role-based access control (RBAC)
MFA required for IB users

Availability (A1)

Systems are available for operation and use as committed.

99.9% uptime SLA
4-hour recovery time objective
Daily encrypted backups
Swiss data center (Zürich)

Confidentiality (C1)

Information designated as confidential is protected as committed.

All deal data encrypted at rest
Blind indexes for searchable encryption
TLS 1.3 for all connections
Dynamic document watermarking

Processing Integrity (PI1)

System processing is complete, valid, accurate, timely, and authorized.

Input validation on all data
Parameterized SQL queries
Optimistic locking (ETag)
ACID transaction compliance

Privacy (P1-P8)

Personal information is collected, used, retained, and disclosed in conformity with commitments.

GDPR/FADP/CCPA compliant
Data export on request
No third-party tracking
No data sales

Controls Summary

Key Security Controls

Encryption

FIPS 140-3 validated AES-256-GCM with per-project keys derived via HKDF-SHA256
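As an added illustration of this control (not Dealspace's own code; the function names, the "enc/" info label and the master key are assumptions), the following Go sketch derives an independent AES-256-GCM key per project with HKDF-SHA256 and binds each ciphertext to its project ID as associated data, so a key or ciphertext from one project is useless in another:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// hkdfSHA256 is RFC 5869 HKDF-SHA256 cut to one 32-byte output block: one AES-256 key.
func hkdfSHA256(ikm, salt, info []byte) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // the PRK keys the expand step
	exp.Write(info)
	exp.Write([]byte{1}) // counter byte of the first output block
	return exp.Sum(nil)
}

// projectAEAD puts the project ID into the HKDF info (label "enc/" is an assumption),
// so each project gets an independent AES-256-GCM key derived from one master key
// and a leaked project key exposes nothing outside that project.
func projectAEAD(master []byte, projectID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(hkdfSHA256(master, nil, []byte("enc/"+projectID)))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag; the project ID is bound as associated data,
// so a ciphertext copied into another project's row fails to open.
func seal(aead cipher.AEAD, projectID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(projectID)), nil
}

// open rejects truncated input before slicing; GCM then verifies tag and AAD.
func open(aead cipher.AEAD, projectID string, box []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(box) >= n {
		return aead.Open(nil, box[:n], box[n:], []byte(projectID))
	}
	return nil, errors.New("ciphertext too short")
}
```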

Authentication

JWT tokens with 1-hour expiry, MFA required for IB users, session management

Authorization

Role hierarchy (IB → Seller → Buyer → Observer), invitation-only access

Infrastructure

Swiss data center, UFW firewall, SSH key-only, automatic security updates

Audit Logging

All access is logged with actor, timestamp and IP address; logs are retained for 7 years for compliance

Backup & Recovery

Daily encrypted backups, 4-hour RTO, 24-hour RPO, tested recovery procedures

Documentation

Policy Documents

Our SOC 2 program is supported by comprehensive policy documentation.

Status

Audit Timeline

February 2026 — Self-Assessment Complete

Comprehensive self-assessment against all five Trust Services Criteria completed. Policy documentation created.

Q2 2026 — Gap Remediation

Address recommended action items including backup restore testing and external penetration test.

Q4 2026 — Formal SOC 2 Type II Audit

Engage third-party auditor for formal SOC 2 Type II certification.

Questions About Compliance?

Contact our security team for detailed documentation or to discuss your compliance requirements.