
Security at Deal Matrix

We take the security of your data seriously. This page describes our security practices and how to report vulnerabilities responsibly.

Vulnerability Disclosure Policy

We welcome security researchers who help us keep Deal Matrix safe. If you believe you have found a security vulnerability, we encourage you to report it to us responsibly.

Report a Vulnerability

Email security@dealmatrixcrm.com with a description of the vulnerability, steps to reproduce, and any supporting evidence. We will acknowledge your report within 2 business days and aim to provide an initial assessment within 5 business days.

Scope

The following are in scope for responsible disclosure:

  • The Deal Matrix web application at dealmatrixcrm.com
  • The Deal Matrix API
  • Authentication and authorization mechanisms
  • Data isolation between organizations (multi-tenant security)

The following are out of scope:

  • Third-party services (Clerk, Stripe, Supabase) — report directly to those providers
  • Social engineering or phishing attacks against employees or users
  • Denial of service (DoS/DDoS) attacks
  • Physical security of infrastructure
  • Automated scanning without prior written approval

Safe Harbor

We consider security research conducted in accordance with this policy to be authorized. We will not pursue legal action against researchers who:

  • Act in good faith and follow this disclosure policy
  • Avoid accessing, modifying, or deleting data belonging to other users
  • Do not degrade the service or disrupt other users
  • Report the vulnerability promptly and do not publicly disclose it before we have had reasonable time to address it
  • Do not use the vulnerability for any purpose other than demonstrating the issue to us

Our Commitments

  • Acknowledge your report within 2 business days
  • Provide an initial assessment within 5 business days
  • Keep you informed of our progress toward resolution
  • Credit you (if desired) when we publicly disclose the fix
  • Not take legal action against researchers acting in good faith

Security Practices

Deal Matrix employs defense-in-depth security measures including:

  • Authentication: Industry-standard authentication with support for multi-factor authentication
  • Tenant Isolation: Strict per-organization data isolation at both the application and database layers, including row-level security policies
  • Encryption: All data encrypted in transit (TLS) and sensitive credentials encrypted at rest (AES-256-GCM)
  • Input Validation: Schema-based validation on all API inputs with parameterized database queries
  • Rate Limiting: Tiered rate limiting across all API endpoints
  • Audit Logging: Comprehensive activity logging for all data operations
  • Security Headers: HSTS, Content Security Policy, X-Frame-Options, and Permissions-Policy enforced on all responses
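The tenant-isolation and parameterized-query bullets above are the ones a researcher testing the in-scope "data isolation between organizations" item will care about most. The following is an added example of what a per-organization row-level security setup looks like in PostgreSQL (the database behind Supabase, which the page names as a provider); it is not Deal Matrix's schema or code. The table, its columns, the `app_user` role, the `org_id` JWT claim and the two organization IDs are all constructed for illustration.

```sql
-- Added example (not Deal Matrix's own schema): per-organization row-level
-- security in PostgreSQL. Table, role and claim names are assumptions.

create role app_user nologin;

create table deals (
  id           bigint generated always as identity primary key,
  org_id       uuid   not null,
  title        text   not null,
  amount_cents bigint not null check (amount_cents >= 0)
);
-- Every policy below filters on org_id, so it needs an index.
create index deals_org_id_idx on deals (org_id);

grant select, insert, update, delete on deals to app_user;

-- Enable RLS and FORCE it: without FORCE the table owner bypasses all policies.
alter table deals enable row level security;
alter table deals force row level security;

-- Caller's organization, taken from the JWT claims the API layer attaches to
-- the request. PostgREST/Supabase expose them as the GUC request.jwt.claims;
-- the 'org_id' claim name is an assumption. current_setting(..., true) yields
-- NULL instead of an error when the GUC is unset, so a session with no claims
-- matches no rows rather than all rows.
create or replace function current_org_id() returns uuid
language sql stable
as $$
  select (nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'org_id')::uuid
$$;

-- One policy per command. USING filters rows the caller can see or touch;
-- WITH CHECK constrains rows the caller may write. Omitting WITH CHECK is the
-- classic mistake: reads stay isolated but a user can insert or move rows
-- into another organization.
create policy deals_select on deals for select to app_user
  using (org_id = current_org_id());
create policy deals_insert on deals for insert to app_user
  with check (org_id = current_org_id());
create policy deals_update on deals for update to app_user
  using (org_id = current_org_id())
  with check (org_id = current_org_id());
create policy deals_delete on deals for delete to app_user
  using (org_id = current_org_id());

-- Check, run as a member of app_user (or a superuser) with two constructed
-- organizations. Session-level set_config (third argument false) so the
-- claims survive across autocommitted statements.
set role app_user;
select set_config('request.jwt.claims',
  '{"org_id":"11111111-1111-1111-1111-111111111111"}', false);
insert into deals (org_id, title, amount_cents)
  values ('11111111-1111-1111-1111-111111111111', 'Acme renewal', 120000);

select set_config('request.jwt.claims',
  '{"org_id":"22222222-2222-2222-2222-222222222222"}', false);
insert into deals (org_id, title, amount_cents)
  values ('22222222-2222-2222-2222-222222222222', 'Globex pilot', 5000);

-- Cross-tenant write while authenticated as org 2222...: rejected by WITH CHECK
-- with "new row violates row-level security policy for table deals".
insert into deals (org_id, title, amount_cents)
  values ('11111111-1111-1111-1111-111111111111', 'Smuggled deal', 1);

-- Only the Globex row is visible; the cross-tenant UPDATE touches 0 rows
-- because the Acme row is filtered out before the WHERE clause is evaluated.
select count(*) from deals;
update deals set amount_cents = 0
  where org_id = '11111111-1111-1111-1111-111111111111';
reset role;
```

Two caveats follow directly from how PostgreSQL evaluates these policies. First, superusers and any role with BYPASSRLS (the Supabase service-role key falls in this category) skip the policies entirely, so every code path that uses a privileged connection must apply the organization filter itself; that is the reason the page's "both the application and database layers" wording matters rather than being redundant. Second, the policies are only as strong as the claim they key on: if `org_id` can be chosen by the client rather than issued by the identity provider, the isolation collapses, which is exactly the class of bug the authorization and tenant-isolation scope items invite researchers to look for.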