Security at DealPilot

How we protect your data and your clients' data.

Last updated: 2026-04-21

Draft — pending legal review

This document is a draft prepared on 2026-04-21. It has not yet been reviewed by licensed legal counsel. Do not rely on it for legal purposes.

Overview

Security is not an add-on at DealPilot — it's a core requirement. We handle sensitive real estate data, KYC records, and AML logs. We take this responsibility seriously.

Infrastructure

DealPilot runs on Google Cloud Platform. All customer data is stored in europe-west1 (Belgium), with plans to migrate to me-central2 (Dubai) when fully available.

  • Cloud Run for backend services (serverless, fully managed)
  • Cloud SQL (PostgreSQL) with encryption at rest
  • Cloud Storage with server-side encryption
  • Firebase Authentication for auth
  • Cloudflare for DDoS protection and CDN

Encryption

At Rest

  • AES-256-GCM for PII fields
  • Full database encryption
  • Keys in GCP Secret Manager

In Transit

  • TLS 1.3 for all connections
  • HSTS enforced
  • Auto-renewing SSL certificates

Access Control

  • Firebase Auth with 15-minute token expiry
  • Row-level security (RLS) enforced at the database level
  • Permission model: Owner, Admin, Manager, Agent
  • MFA required for administrative access
  • Principle of least privilege for all services

Audit Trail

Every data access and modification is recorded in a hash-chained, tamper-evident audit log. The log is stored separately from the main database and cannot be modified or deleted.

Penetration Testing

We conduct annual penetration testing by an independent third party. Results are available to Brokerage plan customers under NDA.

[REVIEW] Identify penetration testing firm before publishing.

SOC 2 Roadmap

We are on the path to SOC 2 Type II certification:

  • Phase 1 (Complete): Core security controls implemented
  • Phase 2 (In progress): Policy and procedure documentation
  • Phase 3 (Planned Q3 2026): SOC 2 Type I audit
  • Phase 4 (Planned Q1 2027): SOC 2 Type II certification

Data Subject Requests (DSR)

To submit a Data Subject Request (access, rectification, erasure, portability):

  1. Email founder@dealpilot.ae
  2. State the type of request and your identifying information
  3. We will respond within 30 days
  4. We may request identity verification

Vulnerability Reporting

If you discover a security vulnerability, please report it responsibly:

Report a vulnerability: security@dealpilot.ai

We commit to responding within 48 hours and patching within 90 days for critical vulnerabilities.