Security

Last updated: March 5, 2026

Encryption

All data is encrypted at rest using AES-256 and in transit using TLS 1.3. This applies to uploaded deal files, extracted financial data, generated memos, and all account metadata.

Data isolation

Every firm's data is logically isolated. Your deals, memos, pro formas, and institutional memory are scoped to your firm and are never accessible to other organizations on the platform.

We do not train on your data

Your uploaded documents and generated outputs are never used to train AI models, shared with third parties, or used for any purpose beyond delivering the product functionality you requested.

Access controls

crematic enforces role-based access controls at the API level. Analyst and viewer roles restrict what actions team members can take. All access events are logged in an immutable audit trail available to firm administrators.

SOC 2

Our controls are aligned to SOC 2 Trust Services Criteria. If and when an independent SOC 2 attestation report is available, eligible customers can request access under confidentiality terms. Contact us at security@crematic.app or use the security contact form to request documentation.

Vulnerability disclosure

If you discover a security vulnerability, please report it responsibly to security@crematic.app or through the security contact form. We target an initial response within 48 hours and coordinate remediation before public disclosure when feasible.