Security & privacy
We handle some of the most sensitive data in your business — deal values, rep performance, CRM access tokens. Here's exactly how we protect it.
How we protect your data
OAuth tokens for every connected integration (Salesforce, HubSpot, Gong, Zoom, Gmail, Outlook) are encrypted with AES-256-GCM before they touch the database. Encryption keys live only in our deployment environment, never in source.
We never ask for or store your CRM password. All integrations connect via OAuth — you authorize access through the provider's own login flow, and you can revoke it at any time. State parameters are HMAC-signed to prevent CSRF and replay.
Your deal data is never used to train AI models — ours or anyone else's. Per-org PII redaction is available for Enterprise plans: email addresses, phone numbers, SSNs and card numbers are scrubbed out of the LLM payload and restored in the response.
Every privileged action — sign-in, role change, integration connect/disconnect, plan changes, API key issuance, webhook updates, data exports — writes a timestamped audit row. Default retention is 2 years (configurable 1–10 years per org).
Four roles: Admin, RevOps, Manager, Rep. Reps see only their own deals; Managers see their teams; Admins control the workspace. Admin actions (rename org, role changes, delete) require TOTP multi-factor authentication.
Cookie-based sessions verified locally against the auth provider's published JWKS — no shared secrets, no per-request round-trip. All traffic is HTTPS with HSTS preload; preview deploys are SSO-gated.
Postgres Row-Level Security with FORCE on every public table. Cross-tenant access is impossible by construction — even a SECURITY DEFINER function or compromised owner role respects organization boundaries.
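The tenancy isolation described above, as an added example that is not DealRadar's own schema: a table with Row-Level Security enabled and forced, one policy keyed on a per-request setting, and an application role that cannot bypass it. The table name `deals`, the setting `app.current_org` and the role `app_rw` are assumptions for illustration.

```sql
-- Added example (not DealRadar's schema): per-organization isolation with
-- Postgres Row-Level Security, FORCED so the table owner is also subject to it.
-- Assumed names: table "deals", setting "app.current_org", role "app_rw".

CREATE TABLE deals (
    id          bigserial PRIMARY KEY,
    org_id      uuid   NOT NULL,
    owner_rep   uuid   NOT NULL,
    value_cents bigint NOT NULL
);

-- ENABLE turns policies on for ordinary roles; FORCE extends them to the
-- table owner, which is what closes the SECURITY DEFINER / owner-role gap.
ALTER TABLE deals ENABLE ROW LEVEL SECURITY;
ALTER TABLE deals FORCE ROW LEVEL SECURITY;

-- One policy gating reads (USING) and writes (WITH CHECK) on the caller's org.
-- current_setting(..., true) returns NULL when the setting was never set, and
-- nullif() turns an empty string (a reset setting) into NULL too, so a request
-- that forgot to set its org context sees no rows instead of every row.
CREATE POLICY deals_org_isolation ON deals
    USING      (org_id = nullif(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (org_id = nullif(current_setting('app.current_org', true), '')::uuid);

-- The application's connection role: a plain login role, not a superuser and
-- without BYPASSRLS. Those two are the only things that still skip policies.
CREATE ROLE app_rw LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON deals TO app_rw;

-- Per request, inside the transaction: SET LOCAL is discarded at commit or
-- rollback, so the org context cannot leak into the next pooled request.
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';
SELECT id, value_cents FROM deals;          -- only this org's rows are visible

-- Writing a row for a different org is rejected by the WITH CHECK clause with
-- ERROR: new row violates row-level security policy for table "deals"
-- (the error aborts the transaction, hence ROLLBACK rather than COMMIT here).
INSERT INTO deals (org_id, owner_rep, value_cents)
VALUES ('22222222-2222-2222-2222-222222222222', gen_random_uuid(), 100);
ROLLBACK;
```

Audit the database with `SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;` to confirm that no application-facing role appears in the result.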
Right-to-erasure (delete account, delete organization) and right-to-portability (downloadable JSON export of your org's deals, audit log, and settings) are both available in-product. DPA available on request.
If you discover a security vulnerability in DealRadar, please report it to us privately before disclosing it publicly. We take all reports seriously and aim to respond within 48 hours.
Report a vulnerability
If you have specific security requirements — DPA requests, penetration test results, or enterprise security review — get in touch.
Contact us