Your due diligence room contains the most sensitive material in your company. This page explains exactly what we process, where it goes, who touches it, and the line your data never crosses.
Plain-language promises that the rest of this page backs up in detail.
On our standard path, every AI request runs through Zero Data Retention endpoints — your documents are never retained by any model provider and never used to train any model. On our isolated-infrastructure path, no external AI provider is involved at all: the model runs entirely within infrastructure we control. Neither path allows your data to be used for training, in any form.
Standard analysis runs through Zero Data Retention frontier models. For clients who require it, the entire analysis can instead run on isolated infrastructure your data never leaves.
Access to your data room is least-privilege, scoped to your engagement, and logged — reachable only by the people and processes working on your assessment. We are adding database-level isolation as a further safeguard.
You can request a full export or permanent deletion of your data at any time, and we honor it across our systems and our subprocessors.
During a six-to-eight-week Progressive Due Diligence engagement, we read the contents of your due diligence room each week to produce an updated investor-readiness report and action plan.
That can include financial statements and projections, cap tables, corporate and legal documents, customer and revenue data, IP and product material, and any personal data contained within those files. We treat all of it as confidential. We process billing and account information separately from your data-room contents, and we keep those data flows distinct.
There is one line that matters: the boundary of infrastructure we control. The diagram shows the two analysis paths and where each one sits relative to that line.
ZDR means a provider keeps no copy of your data after processing it. It does not mean the data was never transmitted to them. We draw that distinction openly: Path A protects you from retention and training; Path B is for when your requirement is that data must not leave controlled infrastructure at all.
These are the third parties that may process your data on our behalf. Each operates under a data processing agreement. We update this register before adding any new subprocessor.
| Subprocessor | Function | Data it may process | Region | Policy ² | DPA |
|---|---|---|---|---|---|
| OpenRouter | Frontier model routing (Path A) — ZDR endpoints only | Data-room content & derived text, in transit for analysis only | US | ZDR no-log | Yes |
| Google Workspace | Document storage — shared Drive folder we create and manage | Data-room files you place in the shared folder | US | DPA no-train | Yes |
| DigitalOcean | Application hosting, compute, encrypted storage and processing | All client data at rest & in process | US | DPA AES-256 | Yes |
| CoreWeavePath B only | GPU compute — hosts the dedicated node on which the local AI model runs during the analysis window | Data-room content processed in GPU memory during inference — CoreWeave has no visibility into this data | US | DPA AES-256 | Yes |
A Path A request makes two hops — from us to OpenRouter, then from OpenRouter to the chosen model provider (Anthropic, OpenAI, or Google). With ZDR-only routing enforced, neither hop retains your prompt content: OpenRouter logs only operational metadata, and requests reach solely the provider endpoints that store nothing and never train on your data.
OpenRouter is our current routing layer because it provides a single integration point to ZDR-capable endpoints across multiple providers. We could equally connect directly to Anthropic, OpenAI, or Google under their respective enterprise ZDR agreements — or use the Ollama API, whose endpoints are zero-retention by default. Note that Ollama operates in two distinct modes: as a hosted API endpoint (Path A, ZDR) and as a fully local model server running on a private GPU (Path B, no external connection at all). The privacy guarantee across all Path A options is identical. If your agreement requires a direct relationship with a specific provider, we can accommodate that.
When you choose Path B, analysis runs on a model hosted on dedicated hardware inside the trust boundary. No third party processes your data, so there is no subprocessor to list for that step — that is the entire point of the option.
Your due diligence material reaches us through a shared Google Drive folder.
We keep your data only as long as your engagement needs it.
Data-room content and generated reports are retained for the duration of your Progressive Due Diligence engagement and for 30 days afterward, so you can retrieve your final reports. After that window we delete it, or sooner on your request. On Path A, neither our routing layer nor the model providers retain any prompt content — only operational metadata is recorded. When you request deletion, we remove your data from our systems and instruct our subprocessors to do the same, and we confirm completion to you.
Security was a design constraint from day one — built into the architecture, not retrofitted onto it.
Data is encrypted in transit (TLS 1.3) and at rest (AES-256), each client's data is logically isolated, access is least-privilege and logged, and we maintain an incident-response process with breach notification consistent with applicable law. A formal SOC 2 examination is on our roadmap, and the platform is being prepared for it; we will publish the report here once it is complete.
Some engagement contracts prohibit consultants from processing confidential information through a third-party AI system unless specific guarantees — around training, encryption, deletion, and ownership — are in place. If your agreement contains such a clause, our Path B dedicated-infrastructure option satisfies each requirement directly.
| Requirement in your agreement | How our setup satisfies it |
|---|---|
| No training or retraining on your dataThe AI system may not use uploaded data to train, retrain, or improve any model. | Analysis runs on an open-source model with frozen weights, served via Ollama, hosted on infrastructure we operate inside your account. The model never sends data back to its developer. No training signal exists — inference only, on a static model. |
| Industry-standard encryption, at rest and in transit | At rest: AES-256 (DigitalOcean Spaces + Postgres, inside your account). In transit: WireGuard end-to-end mesh between all components (Headscale-managed, no plaintext path exists) + TLS 1.3 on all service endpoints. |
| Secure deletion upon request | Because the infrastructure runs inside your cloud account, you hold deletion authority directly. We additionally commit to deletion across all operational copies within 7 days of written request, confirmed in writing. |
| Data remains your exclusive property, inaccessible to unauthorized parties | We acquire no ownership interest in your data at any step. Access is scoped to the operational personnel and automated processes working on your engagement, logged, and revocable. We operate your infrastructure under a data processing agreement (below); we do not share it. |
When analysis runs on our dedicated-infrastructure path, no commercial AI service is in the chain at any step — not for inference, not for routing, not for any processing. The AI model runs entirely on infrastructure inside your account, operated by us on your behalf. The clause's examples (ChatGPT, Claude, Perplexity, Gemini, Copilot) are all hosted commercial services; we use none of them for this path. Our Data Processing Agreement with you is the formal instrument covering these commitments.