Enterprise-grade security

Security is not a feature.
It's the foundation.

Your fundraising data is some of the most sensitive information your company has. We treat it that way. Fund54 is built with security at every layer of the stack.

Six layers of protection

1. Encryption in Transit

All data transmitted between your browser and Fund54 is encrypted with industry-standard protocols. API calls, file uploads, and authentication are always protected.

HTTPS enforced on every connection. No exceptions.

2. Encryption at Rest

Your database and file storage are encrypted at rest using industry-standard encryption. Data room files are stored in isolated, encrypted object storage.

Automatic key rotation. Server-side encryption on all stored data.

3. Data Access Controls

Every query is scoped to the authenticated user. Access policies are enforced at the database layer — users only see data they are explicitly authorized to access.

Fine-grained, policy-based data isolation between workspaces.

4. Secure File Access

Data room files are served through time-limited, authenticated URLs that expire automatically. No permanent links to sensitive documents exist.

Every file access is authenticated and logged.

5. Comprehensive Audit Logs

All data room access, file views, profile visits, and permission changes are logged with timestamps and user identifiers.

Founders see exactly who viewed their materials and when.

6. Secure Authentication

Passwordless authentication with rate-limited login attempts, automatic session management, and secure cookie handling. PKCE (Proof Key for Code Exchange) protects the OAuth flow against interception attacks.

Magic link authentication with PKCE. No passwords to steal or leak.

How your data flows

Every request passes through multiple security checkpoints before reaching your data.

Your Browser (HTTPS/TLS 1.3)
Edge Network (CDN, DDoS protection)
Authentication (JWT + Session validation)
Rate Limiting + Input Validation
RBAC Permission Check (22 permission types)
Postgres RLS (Row-Level Security)
Encrypted Storage (AES-256)

Security practices

Beyond encryption and access control, here's what we do to keep your data safe.

Role-Based Access Control

Fine-grained permissions control who can edit profiles, manage data rooms, invite team members, and access sensitive data.

Rate Limiting & Abuse Prevention

Authentication and sensitive endpoints are rate-limited to prevent brute force attacks, automated scraping, and abuse.

Input Validation

All user inputs are validated and sanitized server-side. Common attack vectors are prevented by design.

Regular Security Updates

We regularly audit and update all components. Known vulnerabilities are patched promptly after disclosure.

Workspace Isolation

Each workspace is completely isolated. There is no way for one workspace to access another workspace's data.

No Third-Party Tracking

We do not use third-party analytics, tracking pixels, or ad networks. Your fundraising data stays between you and Fund54.

Content Security Policy (CSP)

Strict Content Security Policy headers prevent cross-site scripting (XSS), code injection, and unauthorized resource loading across the entire application.

eIDAS Level 2 Electronic Signatures

Document signing uses Advanced Electronic Signatures compliant with eIDAS Level 2. Signatures are uniquely linked to the signatory, include tamper-evident seals, and are backed by a full audit trail.

Have a security concern?

If you discover a vulnerability or have questions about our security practices, we want to hear from you.