Security you can send to your CISO.
Pastel reads confidential deal information, so security is a first-class part of the product. Encryption, isolation, permissioned access, audit trails, and human-in-the-loop controls are built in from day one.
Standards we hold ourselves to.
We build for teams that handle confidential deal work. That means documented controls, not just good intentions.
SOC 2 Type II
In progress. Implementing the Trust Services Criteria across security, availability, and confidentiality. Bridge letter available on request.
GDPR & UK GDPR
Compliant. Data Processing Addendum, Standard Contractual Clauses, and UK IDTA available for customers in the EEA and UK.
Encryption standards
Active. AES-256 at rest and TLS 1.2+ in transit. Keys managed via cloud-provider KMS with regular rotation.
Data Processing Addendum
Available. Standard DPA with enterprise customers, including subprocessor transparency and incident-notification commitments.
How your data stays yours.
Encryption, isolation, and a strict no-training policy for customer content.
Encryption
AES-256 at rest, TLS 1.2+ in transit. Keys managed via cloud-provider KMS with automated rotation and envelope encryption for sensitive fields.
Tenant isolation
Every customer workspace is logically isolated. Deal and portfolio data never cross fund boundaries. Optional single-tenant deployment is available for enterprise customers.
No model training
Customer content is never used to train generative models. We run inference against foundation models under data-processing agreements that prohibit retention.
Access that respects deal discretion.
Authentication, permissions, and traceability built around how deal teams actually work.
SSO & MFA
SAML and OIDC single sign-on with enforced multi-factor authentication. No password-only access in the default configuration.
Role-based access
Granular workspace permissions. Scope access by deal, by stream, and by user role. Enforce least-privilege without stopping the work.
Audit trail
Every administrative and agent action is logged with the actor, target, timestamp, and source link. Exportable to your SIEM.
Human-in-the-loop
Outbound agent actions (Slack, email, document requests) require explicit approval before they leave Pastel. No surprises for portfolio CFOs.
Resilience you don't have to think about.
Production workloads run on hardened AWS infrastructure with documented recovery and availability targets.
Hosted on AWS
All production workloads run on AWS in hardened VPCs. Region residency (EU, UK, US) available for enterprise customers.
Backup & recovery
Daily encrypted backups with point-in-time recovery. Documented RPO and RTO for production data, tested quarterly.
High availability
Multi-AZ architecture with automatic failover. Rolling deploys; zero-downtime migrations; status published at status.getpastel.ai.
How we build the product itself.
Security is enforced at the development boundary, not bolted on afterward.
Code review
Every change is peer-reviewed. No direct-to-main commits; branch protection enforced for all production repositories.
Dependency & secret scanning
Automated vulnerability scanning on every build. Secret scanning in CI. Known-bad dependencies block merges.
Annual penetration test
Third-party penetration test annually with remediation tracking. Executive summary available under NDA on request.
Threat modeling
Security review required for features that touch authentication, data access, or outbound agent actions.
Prepared for the worst day.
We hope never to use these runbooks. We practice them anyway.
Detect
Continuous monitoring, alerting, and on-call rotation. Internal severity classification within 30 minutes of detection.
Contain & investigate
Defined runbooks for containment. Incident commander appointed for severity-1 and severity-2 events.
Notify
Affected customers notified within 24 hours of confirming a qualifying security incident, per our Data Processing Addendum.
Remediate & learn
Post-incident review within 10 business days. Structural fixes tracked to completion; summary shared with impacted customers.
Every service we rely on, listed.
A current list of subprocessors who may handle customer data on our behalf. We notify customers before adding new ones.
Send it to your CISO and legal team.
Request the full pack: DPA, subprocessor list, pen-test summary, and answers to your security questionnaire. Usually returned within two business days.
Or email security@getpastel.ai directly.