Security & Compliance
Built for the Security Standards Banks Require
Every document encrypted. Every action logged. Every participant verified. Security isn’t a feature on Debtigo — it’s the foundation everything else is built on.
Every Layer of the Stack is Secured
From the database row to the encrypted file in storage — security is applied at every level, not bolted on at the end.
AES-256-GCM Encryption at Rest
Every file uploaded to Debtigo is encrypted with AES-256-GCM before it is written to storage, so no plaintext file content ever reaches disk. Because GCM is an authenticated mode, a stored ciphertext that has been modified fails decryption instead of yielding corrupted data. Encryption keys are stored and managed separately from the data they protect.
TLS Encryption in Transit
All data in transit is encrypted using TLS 1.2+. API endpoints enforce HTTPS. Certificate pinning is applied on sensitive communication paths.
Role-Based Access Control
Access is scoped to the deal level. Only explicitly added participants can view deal data. Roles determine what each participant can see, download, or modify. Admins cannot bypass deal-level restrictions.
Need-to-Know Architecture
Row-level security is enforced at the database layer — not just the application layer. A lender can only see borrower companies, documents, and profiles for deals they are explicitly added to.
Tamper-Evident Audit Trail
Every action — file view, download, edit, approval, sign-off — is logged with a timestamp and the authenticated user identity. Logs are append-only and exportable for regulatory review.
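One way to make an append-only log tamper-evident is to hash-chain its entries so that editing or deleting any record invalidates every later hash. The page does not say how Debtigo's trail achieves this; what follows is an added illustration of the technique, not Debtigo's code, and its field names, serialization format and sample events are assumptions for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// AuditEvent is one append-only log entry. PrevHash links it to the previous
// entry, so editing or deleting any earlier record breaks every later hash.
// Field names are assumed for this example.
type AuditEvent struct {
	Seq      int
	At       time.Time
	UserID   string
	Action   string
	DealID   string
	PrevHash string
	Hash     string
}

// canonical gives an event a fixed serialization. The hash must cover every
// field an auditor relies on, including the link to the previous entry.
func canonical(e AuditEvent) string {
	return strings.Join([]string{
		fmt.Sprint(e.Seq), e.At.UTC().Format(time.RFC3339Nano),
		e.UserID, e.Action, e.DealID, e.PrevHash,
	}, "\x1f")
}

func hashEvent(e AuditEvent) string {
	sum := sha256.Sum256([]byte(canonical(e)))
	return hex.EncodeToString(sum[:])
}

// Append adds an event to the chain; it never modifies earlier entries.
func Append(log []AuditEvent, at time.Time, userID, action, dealID string) []AuditEvent {
	prev := "" // genesis entry has no predecessor
	if len(log) > 0 {
		prev = log[len(log)-1].Hash
	}
	e := AuditEvent{Seq: len(log), At: at, UserID: userID, Action: action, DealID: dealID, PrevHash: prev}
	e.Hash = hashEvent(e)
	return append(log, e)
}

// Verify recomputes every hash and link over an exported chain. It returns
// the index of the first entry that fails, or -1 if the chain is intact.
func Verify(log []AuditEvent) int {
	prev := ""
	for i, e := range log {
		if e.Seq != i || e.PrevHash != prev || hashEvent(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	// Constructed sample events, in the order they happened.
	t0 := time.Date(2024, 1, 15, 9, 30, 0, 0, time.UTC)
	var log []AuditEvent
	log = Append(log, t0, "analyst@lender.example", "file.view", "deal-17")
	log = Append(log, t0.Add(time.Minute), "analyst@lender.example", "file.download", "deal-17")
	log = Append(log, t0.Add(2*time.Minute), "md@borrower.example", "approve", "deal-17")
	fmt.Println("intact chain, first bad index:", Verify(log))

	// An insider rewrites who downloaded the file; the stored hash no longer matches.
	log[1].UserID = "someone-else@lender.example"
	fmt.Println("after edit, first bad index:", Verify(log))
}
```

A chain on its own does not reveal removal of the most recent entries, since nothing after them exists to break. Closing that gap requires anchoring the latest hash outside the log, for example by including it in the periodic exports the page mentions so the customer holds an independent copy.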
SSO / SAML 2.0 Support
Integrate Debtigo with your organization's identity provider. With SSO, who can sign in is governed by your existing IAM policies: deactivating a user in your identity provider stops them from signing in to Debtigo.
SOC 2 Type II Aligned
Security controls are aligned to the SOC 2 Trust Services Criteria (Security, Availability, Confidentiality). Compliance documentation is available under NDA for enterprise customers.
Data Residency Options
Enterprise customers can specify the geographic region where their data is stored and processed. Available for organizations with data sovereignty requirements.
Infrastructure Security
Debtigo runs on isolated cloud infrastructure with network segmentation, private endpoints, and no direct public database access. All services run behind a hardened reverse proxy.
Encryption Key Management
Encryption keys are stored and managed separately from the encrypted data, with organization-level key management and an approval workflow for key rotation.
Responsible Disclosure
Found a security vulnerability?
We take security seriously and investigate every report. Contact our security team and we’ll respond within 2 business days.
Security Questions
Common questions from security and compliance teams.
Who can see my deal data?
Only users explicitly added as participants to a deal can access that deal's data. This is enforced at the database row level — not just the application layer. Even platform administrators cannot view deal data they are not participants in.
How are files encrypted?
All files are encrypted client-side with AES-256-GCM before upload. A distinct key is derived for each upload from a master seed using HMAC-SHA256, so no two files share a key and exposure of one file's key does not expose any other file. Only the ciphertext is stored; your plaintext files never sit in our storage.
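A worked version of the scheme described here and in the encryption-at-rest section above, as an added example and not Debtigo's own code: a per-upload key is derived from a master seed with HMAC-SHA256, the file is sealed with AES-256-GCM, and the upload ID is bound as additional authenticated data. The derivation label, the upload-ID format, the nonce-prefix layout of the stored blob and the sample seed and document are assumptions for illustration; the page does not specify them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveUploadKey derives a 256-bit key for one upload from the master seed.
// Domain-separating the HMAC input with a label (assumed here) and the upload
// ID gives every object a distinct key: a leaked per-file key exposes nothing
// else, and the seed itself never touches storage.
func deriveUploadKey(masterSeed []byte, uploadID string) []byte {
	mac := hmac.New(sha256.New, masterSeed)
	mac.Write([]byte("debtigo-upload-key-v1\x00" + uploadID))
	return mac.Sum(nil) // 32 bytes = AES-256 key
}

// encryptUpload seals plaintext with AES-256-GCM. Stored layout (assumed):
// nonce || ciphertext || tag. The upload ID is bound as additional
// authenticated data so a ciphertext cannot be silently reattached to
// a different object.
func encryptUpload(masterSeed []byte, uploadID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(deriveUploadKey(masterSeed, uploadID))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce, fresh for every seal
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(uploadID)), nil
}

// decryptUpload reverses encryptUpload. Any change to nonce, ciphertext, tag
// or upload ID makes gcm.Open fail instead of returning corrupted plaintext.
func decryptUpload(masterSeed []byte, uploadID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(deriveUploadKey(masterSeed, uploadID))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(uploadID))
}

func main() {
	// Constructed sample inputs; a real seed would come from the separate key store.
	seed := []byte("constructed 32-byte master seed!")
	doc := []byte("Term sheet: constructed sample document body")

	blob, _ := encryptUpload(seed, "upload-0001", doc)
	fmt.Printf("stored %d bytes, plaintext absent: %v\n", len(blob), !bytes.Contains(blob, doc))

	back, err := decryptUpload(seed, "upload-0001", blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, doc))

	// Per-upload keys: the same blob under another upload ID cannot be opened.
	_, err = decryptUpload(seed, "upload-0002", blob)
	fmt.Println("wrong upload id rejected:", err != nil)

	// Authenticated encryption: flipping one ciphertext bit fails the tag check.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = decryptUpload(seed, "upload-0001", tampered)
	fmt.Println("tampering rejected:", err != nil)
}
```

Because each upload is sealed exactly once under its own key, the random 96-bit nonce can never repeat under a key, which removes the nonce-reuse hazard that a single shared AES-GCM key would carry. The master seed is the only long-lived secret, which is why the page's point about keeping key material separate from stored data matters: whoever holds the seed and the upload IDs can re-derive every file key.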
Can we use our own identity provider?
Yes. Debtigo supports SSO via SAML 2.0, so you can integrate with Okta, Azure AD (Microsoft Entra ID), Google Workspace, and other identity providers. User access and deprovisioning are governed by your existing policies.
What happens to our data if we leave?
You can export all your deal data, documents, and audit logs at any time. On account termination, data is securely wiped from our infrastructure within 30 days in accordance with our data retention policy.
Do you have a security disclosure policy?
Yes. We have a responsible disclosure program. If you discover a security vulnerability, please contact us at security@debtigo.com. We investigate all reports and respond within 2 business days.
Security questions before committing?
Our team is happy to walk through our security architecture, provide compliance documentation, and answer any questions your security or legal team has.