Security
Mergers and acquisitions ("M&A") transactions involve some of the most sensitive business information in existence. We built SellSideHQ with that responsibility at the core.
The following security practices describe our current operational safeguards; however, they do not constitute a contractual guarantee of security or create fiduciary obligations beyond those required by applicable law.
1. Our Commitment
SellSideHQ processes confidential documents — letters of intent, financial statements, CIM source materials, and transaction data — on behalf of M&A professionals. We take a security-first approach to ensure that your data is protected at every stage, from upload through processing to storage and deletion.
SellSideHQ implements commercially reasonable administrative, technical, and organizational safeguards designed to protect your data. However, no internet-based system or cloud platform can guarantee absolute security, and users acknowledge that the transmission and storage of electronic data involves inherent risks.
2. Encryption
All data is encrypted both in transit and at rest:
- In transit: All connections use TLS 1.2 or higher. Every request between your browser, our servers, and third-party services is encrypted using industry-standard HTTPS protocols.
- At rest: Uploaded documents, generated outputs, and stored data are encrypted using AES-256. Encryption keys are managed through our cloud infrastructure provider's key management service.
3. AI Data Handling
SellSideHQ uses Anthropic's Claude API for document analysis, CIM generation, and other AI-powered features. We have selected Anthropic specifically because of their strong data protection commitments for commercial API customers:
- Your data is NOT used to train AI models. Under Anthropic's commercial API terms, data submitted through the API is not used for model training or improvement.
- We transmit only the text content necessary for processing. We do not send your personal account information, payment details, or other non-essential data to AI providers.
- AI processing results are returned directly to our servers and stored in your user-scoped workspace. They are not cached or retained by the AI provider beyond the duration of the API request.
AI providers may temporarily process submitted content for the purpose of completing the requested API transaction. SellSideHQ relies on the contractual terms and representations of such providers regarding data handling. SellSideHQ does not independently control or audit the internal systems of third-party AI providers.
4. Access Controls
We implement strict access controls to ensure your data is accessible only to you:
- Authentication: User authentication is managed through Clerk, providing secure session management, multi-factor authentication options, and industry-standard identity verification.
- User-scoped data isolation: All uploaded documents, generated outputs, CIM projects, and analysis results are scoped to your user account. There is no shared access between accounts unless explicitly configured through team features on Enterprise plans.
- Internal access: Access to production systems and customer data is limited to essential personnel on a need-to-know basis. We do not manually review your documents or outputs unless you request support assistance.
5. Infrastructure Security
Our infrastructure is designed to maintain the highest standards of availability and security:
- Application hosting uses infrastructure providers that maintain security certifications such as SOC 2 Type II or ISO 27001, where applicable. SellSideHQ relies on these providers as part of its overall infrastructure security strategy.
- Regular security assessments and dependency vulnerability scanning
- Environment variable management for secrets and API keys — credentials are never stored in code repositories
- Rate limiting and abuse prevention controls across all API endpoints
6. Shared Responsibility
SellSideHQ operates using a shared responsibility model for security. SellSideHQ is responsible for maintaining the security of the platform infrastructure, application code, and internal operational controls. Users are responsible for maintaining the security of their own account credentials, devices, networks, and the confidentiality of documents they choose to upload to the Service.
Users are responsible for:
- Safeguarding account credentials
- Maintaining the security of their local systems
- Managing user access within their organizations
- Ensuring that documents uploaded to the Service may legally be processed by SellSideHQ
SellSideHQ is not responsible for security incidents arising from compromised user credentials, misconfigured user permissions, or unauthorized access to user-controlled devices or systems.
7. SOC 2 Alignment
Our security practices are designed to align with the SOC 2 Type II Trust Services Criteria, including:
- Security: Protection against unauthorized access through authentication, encryption, and network controls
- Availability: System monitoring and incident response procedures to maintain service reliability
- Confidentiality: Safeguards for sensitive information including M&A documents, financial data, and generated deliverables
- Privacy: Data handling practices that respect user privacy rights, including Virginia (VCDPA) and California (CCPA/CPRA) privacy regulations
We are committed to formalizing these practices through independent SOC 2 Type II certification as we scale. If you require a detailed security questionnaire or vendor assessment, please contact us directly.
8. Data Retention & Deletion
We retain your data only as long as necessary to provide the Service:
- Uploaded documents and generated outputs are retained while your account is active
- Upon account deletion, all associated data is purged within 30 days
- You may request deletion of specific projects or documents at any time
- Temporary processing files are automatically cleaned up after generation is complete
Certain system logs, backup records, or security monitoring data may be retained for a limited period for fraud detection, legal compliance, or security auditing purposes. For complete details on data retention, see our Privacy Policy.
9. Responsible Disclosure
If you discover a security vulnerability in our Service, we encourage responsible disclosure. Please report any findings to security@sellsidehq.ai. We will acknowledge receipt within 48 hours and work to address confirmed vulnerabilities promptly.
10. Incident Response
SellSideHQ maintains internal procedures designed to identify, investigate, and respond to potential security incidents. In the event that SellSideHQ becomes aware of a confirmed security incident that materially affects customer data, we will take reasonable steps to:
- Investigate and contain the incident
- Mitigate potential impacts
- Notify affected users where required by applicable law
Notification timelines may depend on the nature of the incident and legal requirements under applicable data protection laws, including the Virginia Consumer Data Protection Act (VCDPA). SellSideHQ may also coordinate with infrastructure providers, security partners, and law enforcement where appropriate.
11. Security Limitations
While SellSideHQ implements commercially reasonable safeguards to protect data, the Service operates on cloud infrastructure and relies on third-party service providers. Accordingly:
- SellSideHQ does not guarantee that the Service will be free from security vulnerabilities or cyber threats.
- No system connected to the internet can be considered completely secure.
- You acknowledge that the storage and transmission of electronic information carries inherent risk.
To the maximum extent permitted by applicable law, SellSideHQ disclaims liability for unauthorized access, disclosure, alteration, or destruction of data resulting from circumstances beyond our reasonable control, including acts of cybercrime, infrastructure provider outages, or force majeure events.
12. Questions?
For security-related questions, vendor assessments, or to request additional documentation, contact us at security@sellsidehq.ai.