Security & Trust
Built for confidential deal flow.
Investment firms trust Pipedoc with their most sensitive documents — CIMs, teasers, deal memos, portfolio financials. This page describes exactly how we handle, store, and protect that data.
Pipedoc is a product of Aster Labs, Inc.
At a glance
SOC 2 compliant
Aster Labs maintains an active SOC 2 program. The full trust report — including the SOC 2 attestation, our security policies, and current control status — is available on request.
Encrypted in transit and at rest
All traffic is encrypted using TLS 1.2 or higher. Documents and extracted data are encrypted at rest using AES-256. Production access is restricted, role-based, and audited.
Logically isolated per firm
Each customer organization's data is logically isolated. Documents are never shared between firms, and authorization checks run on every read.
No model training on your data
Your documents and extracted data are never used to train or fine-tune any AI model — by us or by our sub-processors. Enterprise contracts with our AI providers prohibit it.
Sub-processors
Who touches your documents.
Document processing relies on a small number of AI sub-processors. We disclose them explicitly so you and your legal counsel can evaluate the full data path before signing.
AI Sub-processor
OpenAI
Used for document text extraction and embedding generation. API contract prohibits training on or human review of customer data.
AI Sub-processor
Anthropic
Used for chat-based document analysis and reasoning. API contract prohibits training on or human review of customer data.
Bring your own AI API keys
For firms that prefer to keep AI processing under their own provider contracts, Pipedoc supports bringing your own OpenAI and Anthropic API keys. Your documents are processed against your account, your terms, and your data-handling agreements. Available on enterprise plans — talk to us about your setup.
No other third parties access document contents. Infrastructure providers (cloud hosting, storage, database) handle encrypted data at rest and do not process document contents. A current sub-processor list and DPA are available on request.
Data lifecycle
In transit
Documents are uploaded over TLS 1.2+ directly to our secure storage. Internal service-to-service traffic is also encrypted.
At rest
Documents and structured extractions are encrypted at rest with AES-256. Per-organization isolation is enforced at the data layer.
Retention
Documents are retained only as long as necessary to deliver the service. Specific retention windows and deletion timelines are defined in the service agreement and can be customized to your firm's requirements.
Frequently asked questions
Where does our data go?
Documents are processed on secure cloud infrastructure dedicated to Pipedoc. Each firm's data is logically isolated and never shared with other customers. Documents are transmitted to our processing environment, structured data is extracted, and the result is delivered back to you and synced to your systems of record.
Is our data used to train AI models?
No. Your documents and the data extracted from them are never used to train or fine-tune any AI model — by us or by our AI sub-processors. Our API contracts with OpenAI and Anthropic explicitly prohibit it.
How is data secured in transit and at rest?
All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256. Access to production systems is restricted, role-based, and audited. Authentication and authorization are enforced on every request.
What happens to documents after processing?
Documents are retained only as long as necessary to deliver the service. Retention policies and specific deletion timelines are defined in the service agreement and can be customized to your firm's requirements.
Who at Pipedoc can access our data?
Access to customer data is limited to a small number of engineers with a direct operational need (for example, debugging a specific support request you've raised). All team members are bound by confidentiality obligations. We do not have third-party data processors performing human review of your documents.
What contractual protections are in place?
Every engagement is governed by a service agreement with confidentiality provisions covering all deal documents and extracted data. Custom NDAs and DPAs are available on request prior to any document processing.
What compliance certifications do you hold?
Aster Labs is SOC 2 compliant. Our full trust report — including the SOC 2 attestation, security policies, and current controls — is available on request. We're happy to walk through it directly with your team or legal counsel.
What if there's a security incident?
We maintain an incident response plan. In the event of any unauthorized access to customer data, affected firms are notified promptly and in accordance with applicable data protection requirements.