01
Encryption everywhere
TLS 1.2+ in transit. AES-256 at rest for every stored document, handled by the platform.
Security & GDPR
UK-built. UK-hosted.
Audited underneath.
Exactly how 99 Data Rooms keeps your documents safe: where they live, who can reach them, the controls you hold, and the audited platforms it all runs on. No hand-waving.
Built on audited infrastructure
Certified where it counts.
We don't run our own data centres. 99 Data Rooms runs on platforms that are independently audited to the standards enterprise security teams ask for, in a UK region.
SupabaseData layer
SOC 2 Type IIISO 27001
Database, storage, authentication and edge functions. Your documents and their data live here, in the London region.
CloudflareEdge & firewall
SOC 2 Type IIISO 27001:2022ISO 27018ISO 27701PCI DSS L1
Frontend delivery and DNS, with a web application firewall and DDoS protection in front of every request.
Backups & recoveryResilience
AutomatedEncryptedUK region
Every document and record is backed up automatically and encrypted at rest, in the UK region, so nothing is lost if something breaks.
The SOC 2 and ISO certifications above are held by Supabase and Cloudflare, our infrastructure providers. 99 Data Rooms runs on their audited platforms and does not claim to have completed those audits itself. Stored data is resident in the UK; a Data Processing Agreement is available on request.
Our own controls
What we do on top.
02
Row-level security
Every database query is scoped to your identity in Postgres. No cross-tenant leaks by construction.
03
Short-lived signed URLs
Storage is never public. Access is granted through signed URLs that expire in minutes, re-issued per view.
04
Controls on every link
Email gate, one-time-code verification, NDA acceptance, expiry, max views and one-click revocation.
05
Hardened edge
Cloudflare WAF and IP rate limiting on every public endpoint; isolated edge runtime for server logic.
06
Audit trail
A page-by-page visit log per share link, retained 24 months, visible in your own analytics.
Responsible disclosure
Found a vulnerability?
Email datarooms@99developer.com with reproduction steps. We acknowledge within one business day and remediate critical issues within seven days. No bounty yet, but we will credit you.
Compliance, plainly
- UK GDPR and Data Protection Act 2018 aligned
- Runs on SOC 2 Type II and ISO 27001 platforms (Supabase and Cloudflare)
- Data stored in the UK (London); DPA on request
- Full data export and account deletion within 30 days
- No third-party trackers running on your viewers
DPA available on request, see /legal/dpa.
“Security on a document-sharing product is a hygiene bar, not a marketing one. We publish what we actually do, name the platforms we stand on, and sign a DPA on request.”