Built for the most sensitive deals in finance.
Sigma Diligence handles confidential deal data, management assessments, and board-level materials. Our security architecture is designed to meet the standards PE firms demand — firm-isolated, encrypted at every layer, and fully auditable.
SOC 2 Type II · GDPR · CCPA · Penetration Testing
Security Controls
Defense in depth — controls at every layer of the stack from infrastructure to personnel.
Encryption
- AES-256 encryption at rest for all stored data
- TLS 1.3 encryption in transit for all API and web traffic
- Encrypted database credentials and integration tokens
- Client-side encryption available for sensitive document uploads
Tenant Isolation
- Dedicated PostgreSQL schema per client organization
- Isolated vector database namespace per tenant
- No data commingling across organizations
- Row-level security policies enforced at the database layer
Identity & Access
- Auth0-powered authentication with enterprise SSO (SAML, OIDC)
- Multi-factor authentication (MFA) enforcement
- Role-based access control (RBAC) with five granular roles
- Session management with configurable timeout policies
Monitoring & Logging
- Comprehensive audit logs for all user and agent actions
- Real-time anomaly detection on access patterns
- Automated alerting for suspicious activity
- Log retention for 12 months with immutable storage
Infrastructure
- Hosted on AWS with multi-AZ redundancy
- Infrastructure-as-code with automated security scanning
- Container isolation for AI agent execution
- Automated patch management and vulnerability scanning
Personnel Security
- Background checks for all employees with data access
- Mandatory security awareness training
- Principle of least privilege for internal access
- Quarterly access reviews and deprovisioning audits
Certifications & Compliance
We maintain rigorous compliance standards and make audit reports available to customers and prospects.
SOC 2 Type II
In Progress: We are currently undergoing our SOC 2 Type II audit covering security, availability, and confidentiality. Our security controls are built to meet the standard and certification is expected in 2026.
We are happy to complete security questionnaires and share our control documentation while the audit is in progress.
GDPR
Compliant: Full compliance with the EU General Data Protection Regulation, including Data Processing Agreements, Standard Contractual Clauses, and data subject rights.
DPA available for execution.
CCPA
Compliant: Compliance with the California Consumer Privacy Act, including consumer rights requests, data disclosure, and opt-out mechanisms.
Penetration Testing
Annual: Annual third-party penetration testing by an independent security firm. All critical and high findings are remediated within 30 days.
Executive summary available under NDA.
Responsible AI in due diligence
AI handles sensitive material across every deal. These controls govern how it does so.
Zero-retention AI inference
Customer data sent to AI models (OpenAI) is processed under zero-retention agreements. No diligence data is used to train third-party models.
Scoped agent access
AI agents only access data within the workspace and data sources you explicitly authorize. Agents cannot cross tenant boundaries.
Human-in-the-loop
Every AI-generated finding includes a mandatory review checkpoint. Critical findings require human approval before inclusion in reports.
Audit trail for AI actions
Every agent run, finding generation, and evidence retrieval is logged with timestamps, data sources accessed, and token usage.
Security questionnaire or compliance questions?
We're happy to complete your vendor security assessment and share control documentation. Our SOC 2 Type II audit is currently in progress.