Security & Data Privacy


Our commitment to keeping your data safe and secure

Our Company and Product

DiligenceVault is a response to the investment management industry’s complex, manually intensive, and information-heavy due diligence processes. Data security and data privacy compliance are an integral part of our offering, which empowers institutional and wealth investors and asset managers worldwide, enabling them to effortlessly navigate the due diligence complexities of ETFs, Mutual Funds, Hedge Funds, and Private Markets strategies.

DiligenceVault’s product and services are accessible through a user-friendly web-based platform, robust application programming interfaces (APIs), and seamless extensions.

Security & Data Privacy Compliance

General Data Protection Regulation (GDPR)

We are dedicated to GDPR compliance and provide various data portability and management tools. Dive deeper by reaching out to us and gaining access to review our certificate and Data Processing Agreement.

ISO 27001

International Organization for Standardization (ISO)

Our ISO 27001 certificate demonstrates our unwavering dedication to information security management. With a robust framework in place, we prioritize the protection of your organization.


Security Operations Center (SOC-2)

Our SOC 2 certificate assures clients of our stringent security measures, validating our commitment to protecting sensitive data and maintaining the highest standards of information security.

Texas Risk and Authorization Management Program (TX-RAMP)

The TX-RAMP certification is proof of our relentless dedication to strengthening digital environments. This certification is evidence of our commitment to maintaining data integrity, and offering a secure environment.

Connect with us to request our data security overview, data privacy compliance documents, control reports and certificates, and security DDQ.

Security & Data Privacy Architecture

A secure and purpose-built product architecture leverages industry best practices and is designed with controls at each layer of data access.


DiligenceVault’s application controls include:

  • Independent penetration testing

  • ISO 27001 and SOC 2 Type II compliance

  • Secure coding standards

  • System updates and patches


DiligenceVault’s advanced access controls include:

  • Advanced password criteria

  • Domain whitelisting

  • IP Address whitelisting

  • Multi-factor authentication

  • Security notifications

  • Single Sign-On


DiligenceVault’s data protection controls include:

  • Business continuity and disaster recovery framework

  • Confidentiality of your data

  • Encryption in transit and at rest

  • SOC 2 Type II certified data centers and sub-processor

  • Well-documented incident response plan

DiligenceVault Privacy Standards

We incorporate privacy by design and privacy by default standards to support our users and customers worldwide. Access our privacy policy below, or request our data processing addendum (DPA) and data privacy impact assessment (DPIA).

Read More About Our Security and Privacy Policies

Frequently Asked Questions

DiligenceVault’s clients are the controller. DiligenceVault is the data processor.

A user’s email address, name, and IP address are personal data that are required by DiligenceVault for account creation and account security. These are the categories of PII that are processed by DiligenceVault. In addition, our clients may retain phone numbers and other personal data on the platform.

The data and documents added to the platform are owned by DiligenceVault clients and the users who enter the data. DiligenceVault does not monetize or sell your data.

No, full stop. We do not sell or share client and user content (data and documents) even after it is anonymized. This is against our business model and one of the reasons why DiligenceVault has the largest adoption in the industry.

Your submission is only viewed by members of your firm, subject to internal permissions, as well as the firms with which you have shared the data or document. No one else can see your information.

For any data deletion requests, please contact and we will coordinate a data deletion in partnership with the DiligenceVault client who invited you to the platform.

Yes, DiligenceVault has clients with headquarters in five EU countries, Switzerland, and the UK. DiligenceVault also has users in over 40 EU countries.

DiligenceVault maintains policies and procedures to comply with GDPR and other data privacy regulations in various jurisdictions. DiligenceVault also regularly reviews its privacy policy to keep it consistent with our commitments to our clients, and shares our DPA and DPIA with all customers. Furthermore, DiligenceVault undergoes an annual audit of its controls, including security and data privacy, and has both ISO 27001 and SOC 2 Type II certification.

The CLOUD Act amends U.S. law to make clear that law enforcement may compel U.S.-based service providers to disclose data that is in their “possession, custody, or control” regardless of where the data is located. This law, however, does not change any of the legal and privacy protections that previously applied to law enforcement requests for data, and those protections continue to apply. DiligenceVault adheres to the same principles and customer commitments related to government demands for user data.

Please note that DiligenceVault has never received legal demands for customer data, and has never shared this data with anyone other than the customer who owns the data.

Yes. DiligenceVault will give prior notice to its customers of any third-party requests for their data, except where prohibited by law.

DiligenceVault is only available as a SaaS platform, which is a universal platform for all users globally. This single implementation creates a central diligence network across all users, eliminating the duplication and friction of responding to multiple portals for asset managers, and provides the highest quality of data to investor clients.

No, DiligenceVault is not available as a white-labeled solution for the reasons mentioned above. This ensures that we minimize the friction of multiple portals and duplication of diligence efforts while maintaining efficient reuse of data and the overall industry adoption.
