Protecting Your Data
Our commitment to keeping your data safe and secure.
Our Company and Product
DiligenceVault is a response to the investment management industry’s complex, manually intensive and information-heavy due diligence processes. Data security and data privacy compliance are an integral part of our offering, which empowers institutional and wealth investors and asset managers worldwide, enabling them to navigate the due diligence complexities of ETFs, Mutual Funds, Hedge Funds, and Private Markets strategies.
DiligenceVault’s products and services are accessible through a user-friendly web-based platform, robust application programming interfaces (APIs), and seamless extensions.
Security & Data Privacy Compliance
International Organization for Standardization (ISO)
System and Organisation Controls (SOC-2)
General Data Protection Regulation (GDPR)
Data Privacy Framework (DPF)
Texas Risk and Authorization Management Program (TX-RAMP)
Connect With Us
Connect with us to request our data security overview, data privacy compliance documents, control reports and certificates, and security DDQ.
Compliance and Certifications
Security Compliance
Data Privacy Framework (DPF)
The DPF certification reflects our commitment to protecting personal data and maintaining global privacy standards. It reinforces our dedication to transparency, security, and data integrity.
General Data Protection Regulation (GDPR)
We are dedicated to GDPR compliance and provide various data portability and management tools. Dive deeper by reaching out to us and gaining access to review our certificate and Data Processing Agreement.
ISO 27001
International Organization for Standardization (ISO)
Our ISO 27001 certificate demonstrates our unwavering dedication to information security management. With a robust framework in place, we prioritize the protection of your organization.
AICPA SOC 2
System and Organization Controls (SOC 2)
Our SOC 2 certificate assures clients of our stringent security measures, validating our commitment to protecting sensitive data and maintaining the highest standards of information security.
Texas Risk and Authorization Management Program (TX-RAMP)
The TX-RAMP certification is proof of our relentless dedication to strengthening digital environments. This certification is evidence of our commitment to maintaining data integrity, and offering a secure environment.
Connect with us to request our data security overview, data privacy compliance documents, control reports, certificates, and security DDQ.
Privacy Standards
DiligenceVault Privacy Standards
We incorporate privacy by design and privacy by default standards to support our users and customers worldwide. Access our privacy policy below, or request our data processing addendum (DPA) and data privacy impact assessment (DPIA).
Infrastructure Security
Azure Cloud
DiligenceVault is powered by Microsoft Azure’s expansive multi-region cloud infrastructure, intelligently deployed across geographies to reduce latency and enhance service responsiveness. Azure’s architecture includes built-in redundancy through paired regions and availability zones, enabling seamless failover and high availability during unforeseen outages. This approach empowers DiligenceVault to deliver resilient, high-performing, and compliant cloud services tailored for your global operations. https://learn.microsoft.com/en-us/compliance/assurance/assurance-datacenter-security
Network Security
Dedicated Security Team
A specialized team of cybersecurity professionals continuously monitors and defends the network infrastructure against evolving threats.
Continuous Vulnerability Monitoring
Regular automated scans are conducted to identify and assess potential vulnerabilities, ensuring timely remediation and compliance with industry standards.
Proactive Penetration Audits
Independent security experts perform penetration testing to simulate real-world attacks, identifying and addressing potential weaknesses proactively.
Security Information and Event Management (SIEM)
Advanced systems aggregate and analyze security data in real-time, enabling swift detection, investigation, and response to potential incidents.
Intrusion Detection and Prevention Systems
Deploying state-of-the-art systems to monitor network traffic for suspicious activity and known threats, ensuring immediate action is taken to mitigate risks.
DDoS Mitigation
Implementing robust strategies, including rate limiting, traffic filtering, and leveraging cloud-based DDoS protection services, to safeguard against large-scale attacks.
Security Incident Response
A well-defined incident response plan is in place, detailing procedures for containment, eradication, recovery, and communication, ensuring minimal impact during security events.
Data Protection
Encryption in Transit
DiligenceVault employs TLS versions 1.2 and 1.3, utilizing digital certificate identification to secure data during transmission. Additionally, the platform implements Layer 7 protection to enforce secure connections and protect against downgrade attacks.
Encryption at Rest
All data within the DiligenceVault platform is encrypted using the Advanced Encryption Standard (AES) 256-bit algorithm, ensuring robust protection of stored information.
Operational Excellence
DiligenceVault ensures high system availability through a robust Service Level Agreement (SLA), committing to 99.9% uptime. The platform’s architecture incorporates operational redundancy by leveraging multiple data centers and office locations, distributing and replicating data across systems to maintain reliability in the event of a failure.
Additionally, DiligenceVault’s infrastructure is designed with high availability in mind, incorporating redundant systems to facilitate rapid recovery and minimize downtime during unforeseen events.
Application Security
SDLC
Secure Code Training & Security Controls
We equip our development team with mandatory, role-specific secure coding training from day one—and refresh it annually—to ensure everyone is skilled in identifying vulnerabilities early. At the same time, we incorporate strong framework-level security controls—such as least-privilege access and threat modeling—to make security an embedded foundation.
Quality Assurance & Secure Testing
DiligenceVault maintains a rigorous, policy-driven change control process encompassing all environment modifications, from configuration and operating system updates to application changes. Releases advance from development into a mirrored production environment where our Quality Assurance team conducts exhaustive system, integration, regression, and acceptance testing. This stage is also used for continuous penetration testing and vulnerability scanning.

Security is woven into every phase of development and QA. We deploy both static and dynamic security scans, enforce peer reviews on critical components such as authentication, input validation, and session management, and ensure that all code undergoes rigorous testing. Code impacting areas like session management, access control, cross-platform APIs, secure transmission, audit logging, file handling, XSS/CSRF defenses, and encryption undergoes formal review by the Information Security team or trained and authorized developers. All changes are tracked, reviewed, and require approval prior to production deployment, guided by the OWASP Top 10 and other leading secure coding standards.

From concept through prototyping, we prioritize identifying security implications in both architecture and implementation. Any new feature requiring special security considerations must pass a security review and receive formal authorization before moving into production. Collectively, these measures sustain the reliability, integrity, and resilience of our software releases.
Separate Environments
We strictly segregate development, staging, and production environments. This isolation ensures that emerging features are safely tested in controlled environments, reducing risk and maintaining robustness before deployment to live systems.
Policy Enforcement & Access Control
We adhere to a strict access control policy, granting production access only to essential personnel and removing any non-standard access routes prior to deployment. Our proactive security posture is supported by continuous monitoring and remediation through tools like static analysis and repository-based alerts to safeguard system integrity.
Vulnerability Management
Dynamic Vulnerability Scanning
DiligenceVault has implemented scheduled dynamic application security testing (DAST) across its platforms to proactively detect vulnerabilities in running applications. These scans are embedded into the SDLC to ensure issues are caught and resolved early, maintaining robust protection in every release.
Static Code Analysis
All codebases at DiligenceVault undergo regular static analysis (SAST) to identify insecure patterns before deployment. These automated scans are complemented by developer-led security reviews—making secure coding the standard rather than the exception. Static analysis is particularly effective at catching injection flaws, insecure API usage, and other common vulnerabilities early in the development process.
Third-Party Penetration Testing
In addition to internal assessments, DiligenceVault engages independent security experts to conduct periodic penetration tests. These external evaluations simulate real-world attack scenarios, uncovering complex weaknesses that might not be caught through automated analysis alone.
Internal Vulnerability Assessments
DiligenceVault conducts ongoing internal vulnerability assessments—including both authenticated and unauthenticated scans—to maintain comprehensive visibility into emerging threats and security gaps. This continual vigilance supports proactive threat detection and remediation.
System Updates & Patching
Timely system updates and patching are central to DiligenceVault’s security strategy. A structured update process—identifying, testing in contained environments, and deploying critical patches (often automated)—minimizes exposure windows and ensures resilient, up-to-date systems.
Platform Security
Authentication Assurance
Authentication
DiligenceVault governs user access through strict RBAC policies, with permissions assigned at both individual and firm levels. The platform supports administrator-managed username and password policies. It also offers flexible authentication options, including SSO (Single Sign-On) via SAML 2.0 and OIDC, user provisioning, and access validation to ensure that only recognized, authenticated sessions are accepted.
Password Policy
DiligenceVault enforces strong, configurable password policies that align with modern security standards. Rather than focusing on arbitrary complexity rules, the platform follows length-based best practices, favoring long, user-chosen passphrases, and includes safeguards that block commonly used or compromised passwords (per NIST guidance).
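The following is an added example, not DiligenceVault’s code, of what a length-based, NIST SP 800-63B style password check looks like in practice: a minimum and a generous maximum length, no composition rules, a common-password blocklist, and a k-anonymity style lookup against breach data. The blocklist, the length floor and the "range response" lines are constructed sample values; a deployment would use a real breach corpus.

```python
"""Length-based password policy with a compromised-password check.

Added example, not DiligenceVault's code. It implements the policy shape the
section describes, following NIST SP 800-63B: a minimum length, a generous
maximum, no composition rules, and rejection of passwords that are common or
known to be compromised. The blocklist and the breach "range response" are
constructed sample data standing in for a real breach-corpus lookup.
"""
import hashlib
import unicodedata
from typing import List, Optional, Tuple

MIN_LENGTH = 12   # assumption: the length floor chosen for this example
MAX_LENGTH = 128  # long passphrases are allowed; never silently truncate

# Constructed common-password list (a deployment would use a full breach corpus).
COMMON_PASSWORDS = {"password", "password1234", "123456789012", "qwertyuiop12"}


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode input compares equal."""
    return unicodedata.normalize("NFKC", password)


def k_anonymity_parts(password: str) -> Tuple[str, str]:
    """Split the SHA-1 of a password into a 5-hex-char prefix and the 35-char suffix.

    This is the k-anonymity pattern used by breach-corpus range APIs: only the
    prefix is sent out, and the suffix is matched locally against the response.
    """
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def in_range_response(suffix: str, range_lines: List[str]) -> int:
    """Return the breach count for `suffix` in 'SUFFIX:COUNT' range lines, or 0."""
    for line in range_lines:
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def evaluate_password(password: str, username: str = "",
                      range_lines: Optional[List[str]] = None) -> Tuple[bool, str]:
    """Return (accepted, reason); rejects only on length and known-bad checks."""
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, f"too short: minimum is {MIN_LENGTH} characters"
    if len(pw) > MAX_LENGTH:
        return False, f"too long: maximum is {MAX_LENGTH} characters"
    if pw.lower() in COMMON_PASSWORDS:
        return False, "password is on the common-password list"
    if username and username.lower() in pw.lower():
        return False, "password contains the username"
    if len(set(pw)) == 1:
        return False, "password is a single repeated character"
    if range_lines is not None:
        # Only the 5-char prefix would leave the server; the suffix match is local.
        _, suffix = k_anonymity_parts(pw)
        hits = in_range_response(suffix, range_lines)
        if hits:
            return False, f"password appears in breach data ({hits} times)"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "password1234", "correct horse battery staple"):
        print(candidate, "->", evaluate_password(candidate))
```

Note that the checks never reward character classes: a short "complex" password is rejected on length alone, while a long passphrase passes unless it is on the blocklist or in breach data.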
Multi-Factor Authentication (MFA)
DiligenceVault offers multi-factor authentication for all access workflows. By combining traditional credentials with additional verification methods—such as authenticator apps, push notifications, or even phishing-resistant options like FIDO2 or security keys—the platform significantly reduces the risk of unauthorized access, particularly in SSO contexts.
Single Sign-On (SSO)
DiligenceVault supports SSO integrations via industry-standard protocols, enabling seamless yet secure access across connected tools. SSO streamlines login experiences while enhancing security through centralized identity control. By combining SSO with MFA and role-based access controls, DiligenceVault reinforces a zero-trust architectural approach.
Enhanced Protection Capabilities
Role-Based Access Control (RBAC)
DiligenceVault implements granular Role-Based Access Control to ensure that Internal and External users receive only the permissions necessary for their responsibilities.
Resource Access Whitelisting (Domain & IP)
DiligenceVault supports domain- and IP-based whitelisting to limit access and integrations to trusted domains and sources. Allowing only pre-approved sources helps reduce the risk of phishing, unauthorized data exchanges, and accidental access, and brings the recognized advantages of whitelisting: a reduced attack surface and improved control.
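As an added illustration (not DiligenceVault’s implementation) of the two controls described above, the code below matches a source IP against approved CIDR ranges and a domain or e-mail domain against approved domains on a label boundary, so that look-alike hosts such as `investor.example.evil` are rejected. All networks and domains are constructed sample values from the documentation address ranges.

```python
"""Domain and IP allowlisting for access and integration sources.

Added example, not DiligenceVault's implementation. Two checks are shown:
a source IP matched against approved networks (IPv4 and IPv6, with
IPv4-mapped IPv6 addresses folded to their IPv4 form), and a domain matched
against approved domains only on a full-label boundary. Allowlists are
constructed sample values (RFC 5737 / RFC 3849 documentation ranges).
"""
import ipaddress
from typing import Iterable, Optional

ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]
ALLOWED_DOMAINS = {"investor.example", "partner-bank.example"}


def ip_allowed(source: str, networks: Iterable = ALLOWED_NETWORKS) -> bool:
    """True only if `source` parses as an IP address inside an approved network."""
    try:
        addr = ipaddress.ip_address(source.strip())
    except ValueError:
        return False  # malformed or non-IP input is never allowed
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:203.0.113.5 is compared as 203.0.113.5
    return any(addr in net for net in networks if net.version == addr.version)


def normalize_domain(domain: str) -> Optional[str]:
    """Lower-case a bare hostname; return None for anything that is not one."""
    d = domain.strip().lower().rstrip(".")
    if not d or ".." in d or any(c in d for c in "/:@ \t\\"):
        return None  # schemes, ports, userinfo and paths are rejected outright
    return d


def domain_allowed(domain: str, allowed: Iterable[str] = ALLOWED_DOMAINS) -> bool:
    """True if the domain equals an approved domain or is a subdomain of one."""
    d = normalize_domain(domain)
    if d is None:
        return False
    # The "." boundary is what prevents notinvestor.example or
    # investor.example.evil from matching investor.example.
    return any(d == a or d.endswith("." + a) for a in allowed)


def email_domain_allowed(email: str, allowed: Iterable[str] = ALLOWED_DOMAINS) -> bool:
    """Check the domain part of a simple address (quoted local parts are not handled)."""
    if email.count("@") != 1:
        return False
    return domain_allowed(email.rsplit("@", 1)[1], allowed)


def source_allowed(ip: str, domain: str) -> bool:
    """An integration source must satisfy both controls."""
    return ip_allowed(ip) and domain_allowed(domain)


if __name__ == "__main__":
    for ip, dom in (("203.0.113.77", "api.investor.example"),
                    ("198.51.100.9", "api.investor.example"),
                    ("203.0.113.77", "investor.example.evil")):
        print(ip, dom, "->", source_allowed(ip, dom))
```

One caveat for deployments behind a proxy or load balancer: the IP check must be applied to the address the edge actually connected from, not to an unvalidated `X-Forwarded-For` header, otherwise the allowlist can be bypassed by supplying a forged header.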
Time-Based URLs
Secure, temporary links that grant granular access to protected documents.
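The construction below is an added example, not DiligenceVault’s implementation; it assumes the usual design for time-limited document links, an HMAC-SHA256 over the document id, the recipient and an expiry timestamp carried in the query string and verified server-side before the document is served. The signing key, base URL and ids are constructed sample values.

```python
"""Time-limited, signed document links.

Added example, not DiligenceVault's implementation. A link binds a document
id, a recipient and an expiry time under an HMAC-SHA256 signature. The
verifier checks the signature before the expiry so that editing `exp` in the
URL cannot extend a link's life. Key and identifiers are constructed values.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed server-side signing key; a deployment loads this from a secret store.
SIGNING_KEY = b"example-only-signing-key-rotate-me"


def _signature(doc_id: str, recipient: str, expires: int, key: bytes) -> str:
    """HMAC-SHA256 over the bound fields, URL-safe base64 without padding."""
    message = f"{doc_id}\n{recipient}\n{expires}".encode("utf-8")
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def make_link(base_url: str, doc_id: str, recipient: str, ttl_seconds: int,
              key: bytes = SIGNING_KEY, now: Optional[int] = None) -> str:
    """Build a link granting `recipient` access to `doc_id` for `ttl_seconds`."""
    issued = int(time.time() if now is None else now)
    expires = issued + int(ttl_seconds)
    query = urlencode({
        "doc": doc_id,
        "to": recipient,
        "exp": expires,
        "sig": _signature(doc_id, recipient, expires, key),
    })
    return f"{base_url}?{query}"


def verify_link(url: str, key: bytes = SIGNING_KEY,
                now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, detail); detail is the document id on success."""
    params = parse_qs(urlsplit(url).query)
    try:
        doc_id = params["doc"][0]
        recipient = params["to"][0]
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False, "malformed link"
    expected = _signature(doc_id, recipient, expires, key)
    # Constant-time comparison; checked before expiry so a tampered exp fails here.
    if not hmac.compare_digest(sig, expected):
        return False, "signature mismatch"
    current = int(time.time() if now is None else now)
    if current >= expires:
        return False, "link expired"
    return True, doc_id


if __name__ == "__main__":
    link = make_link("https://docs.example/download", "doc-42", "alice@investor.example", 600)
    print(link)
    print(verify_link(link))
```

Because the recipient is part of the signed message, a link forwarded to someone else still names its intended recipient, and the serving code can additionally require that the authenticated session matches `to` before releasing the document.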
Security Notifications
DiligenceVault maintains real-time security alerting to sustain a healthy security posture. Monitoring raises alerts on potential threats or anomalies, such as unauthorized access attempts or suspicious configuration changes, and these notifications aid rapid incident response and sustained system integrity.
Email Signing (DKIM / SPF / DMARC)
DiligenceVault digitally signs all outgoing emails using standards such as DKIM and enforces strict email authentication policies like SPF and DMARC. This ensures email authenticity, safeguards communications from spoofing, and enhances trustworthiness in every message distributed to users.
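What "enforced" SPF and DMARC policies look like in the published DNS records is shown by the added example below (not DiligenceVault’s tooling). It parses SPF and DMARC TXT records and reports configurations that do not enforce: a soft-fail or missing terminal `all` in SPF, duplicate SPF records, and a DMARC policy of `none`. Lookups come from a constructed in-memory table so the code runs offline; a real check would resolve the TXT records with a DNS client. DKIM is not assessed here, since that requires knowing the selector the sender uses.

```python
"""Checking SPF and DMARC records for enforcement strength.

Added example, not DiligenceVault's tooling. Lookups are served from a
constructed table (one strong zone, one weak zone, one with no mail
configuration) so the code runs offline.
"""
from typing import Callable, Dict, List

# Constructed DNS TXT data.
SAMPLE_TXT: Dict[str, List[str]] = {
    "strong.example": ["v=spf1 include:_spf.mailer.example -all"],
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s"
    ],
    "weak.example": [
        "v=spf1 ip4:203.0.113.0/24 ~all",
        "v=spf1 include:_spf.other.example -all",  # two SPF records: receivers return permerror
    ],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "nomail.example": [],
}


def lookup_txt(name: str) -> List[str]:
    """Stand-in for a DNS TXT query."""
    return SAMPLE_TXT.get(name, [])


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record: str) -> str:
    """Qualifier on the terminal 'all' mechanism: '-', '~', '?', '+' or '' if absent."""
    for term in record.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return ""


def assess_domain(domain: str,
                  lookup: Callable[[str], List[str]] = lookup_txt) -> List[str]:
    """Return a list of findings; an empty list means SPF and DMARC both enforce."""
    findings: List[str] = []

    spf = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append("multiple SPF records (receivers treat this as permerror)")
    else:
        q = spf_all_qualifier(spf[0])
        if q != "-":
            findings.append(f"SPF terminal qualifier is '{q or 'missing'}'; use -all")

    dmarc = [r for r in lookup(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC p={policy or 'missing'} does not enforce; use quarantine or reject")
        if "rua" not in tags:
            findings.append("DMARC has no rua address, so aggregate reports are lost")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC pct={tags['pct']} applies the policy to only part of mail")

    return findings


if __name__ == "__main__":
    for zone in ("strong.example", "weak.example", "nomail.example"):
        print(zone, "->", assess_domain(zone) or ["enforcing"])
```

The `rua` check matters operationally: a `p=reject` policy with no aggregate-report address gives the sender no visibility into legitimate mail streams that are failing alignment.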
Workforce Security & Compliance
Cybersecurity Awareness
Security Policies
DiligenceVault maintains a comprehensive, risk-based suite of security policies that address a broad spectrum of topics. These policies are published, readily accessible, and integrated into ongoing training programs for all employees who handle DiligenceVault’s information assets.
Security Training
Mandatory for all individuals granted access to DiligenceVault Systems, security training is provided at onboarding and renewed annually. It covers organizational policies and standards, confidentiality and privacy safeguards, physical and system security practices, acceptable use protocols, social engineering awareness, and additional pertinent areas.
Employee Onboarding
Background Checks
DiligenceVault conducts comprehensive background checks in full compliance with applicable laws. These typically include verification of identity, employment history, educational credentials, and criminal background.
Confidentiality Agreements
All employees and subcontractors at DiligenceVault are bound by confidentiality agreements (NDAs) that protect sensitive information, intellectual property, and trade secrets. These agreements clearly define what constitutes confidential data, assign obligations to handle it responsibly, and outline the legal consequences of any breach, including financial or disciplinary measures.
Frequently Asked Questions
Security
Who is the data controller?
DiligenceVault’s clients are the data controllers. DiligenceVault is the data processor.
What categories of personal data are processed by DiligenceVault?
A user’s email address, name, and IP address are the personal data DiligenceVault requires for account creation and account security; these are the categories of PII processed by DiligenceVault. In addition, our clients may retain phone numbers and other personal data on the platform.
Privacy
Who owns the data entered on DiligenceVault?
The data and documents added to the platform are owned by DiligenceVault clients and the users who enter the data. DiligenceVault does not monetize or sell your data.
Does DiligenceVault use, share, or resell customer data in an anonymized and aggregated manner?
No, full stop. We do not sell or share client and user content (data and documents) even after it is anonymized. This is against our business model and one of the reasons why DiligenceVault has the largest adoption in the industry.
If I submit my data on DiligenceVault, is it public?
Your submission is viewed only by members of your firm, subject to internal permissions, and by the firms with which you have shared the data or document. No one else can see your information.
Can I delete my data from DiligenceVault?
For any data deletion requests, please contact ask@diligencevault.com and we will coordinate a data deletion in partnership with the DiligenceVault client who invited you to the platform.
Does DiligenceVault have clients in the European Union (EU)?
Yes, DiligenceVault has clients with headquarters in five EU countries, Switzerland, and the UK. DiligenceVault also has users in over 40 EU countries.
How does DiligenceVault ensure data privacy and regulatory compliance for EU-based clients?
DiligenceVault maintains policies and procedures to comply with GDPR and other data privacy regulations in various jurisdictions. We regularly review our privacy policy to keep it consistent with our commitments to clients, and we share our DPA and DPIA with all customers. Furthermore, DiligenceVault undergoes an annual audit of its controls, including security and data privacy, and holds both ISO 27001 and SOC 2 Type II certification.
Does DiligenceVault disclose additional data as a result of the CLOUD Act?
The CLOUD Act amends U.S. law to make clear that law enforcement may compel U.S.-based service providers to disclose data that is in their “possession, custody, or control” regardless of where the data is located. This law, however, does not change any of the legal and privacy protections that previously applied to law enforcement requests for data, and those protections continue to apply. DiligenceVault adheres to the same principles and customer commitments related to government demands for user data.
Does DiligenceVault share data with the US government?
Please note that DiligenceVault has never received legal demands for customer data, and has never shared this data with anyone other than the customer who owns the data.
Will DiligenceVault notify its customers when law enforcement or another governmental entity requests their data?
Yes. DiligenceVault will give prior notice to its customers of any third-party requests for their data, except where prohibited by law.
Technical Support
Is DiligenceVault available as an on-prem implementation?
DiligenceVault is available only as a SaaS platform, a single universal platform for all users globally. This single implementation creates a central diligence network across all users, eliminating the duplication and friction of responding to multiple portals for asset managers, and provides the highest quality of data to investor clients.
Is DiligenceVault available as a white-labeled solution?
No, DiligenceVault is not available as a white-labeled solution for the reasons mentioned above. This ensures that we minimize the friction of multiple portals and duplication of diligence efforts while maintaining efficient reuse of data and the overall industry adoption.
What are DiligenceVault’s Terms and Conditions?