Dealspace Assistant
-Last updated: February 28, 2026
-- This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Muskepo B.V. ("Processor") for the provision of Dealspace services. This DPA governs the processing of personal data in accordance with GDPR Article 28 and other applicable data protection laws. -
-- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1). -
-- "Processing" means any operation performed on Personal Data, as defined in GDPR Article 4(2). -
-- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller. -
-- "Data Subjects" means the individuals whose Personal Data is processed under this DPA. -
-- "Confidential M&A Transaction Data" means all documents, communications, and information uploaded to or generated within Dealspace in connection with mergers, acquisitions, due diligence, or related transactions. -
-- The Processor processes Personal Data to provide Dealspace services including document storage, access management, request workflow, communication facilitation, and audit logging for M&A transactions. -
- -- Processing includes storage, retrieval, transmission, encryption, watermarking, and deletion of Personal Data as necessary to provide the services described in the Terms of Service. -
- -- Processing continues for the duration of the service agreement plus any retention period required by law or agreed with the Controller. -
-- The Processor shall process Personal Data only on documented instructions from the Controller, including transfers to third countries, unless required by EU or Member State law. The Processor shall inform the Controller of any such legal requirement before processing, unless prohibited by law. -
- -- The Processor shall ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality. -
- -- The Processor implements technical and organizational measures to ensure a level of security appropriate to the risk, including: -
-- The Processor shall not engage Sub-processors without prior specific or general written authorization from the Controller. In the case of general authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller an opportunity to object. Sub-processors are bound by equivalent data protection obligations. -
- -- The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR (access, rectification, erasure, restriction, portability, and objection). The Processor shall promptly notify the Controller of any such requests received directly. -
- -- The Processor shall assist the Controller in conducting data protection impact assessments and prior consultations with supervisory authorities where required. -
- -- Upon termination of the service, the Processor shall, at the Controller's choice, delete or return all Personal Data and delete existing copies, unless EU or Member State law requires storage. The Controller has 30 days following termination to export data before deletion. -
- -- The Processor shall make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. For Enterprise customers, specific audit procedures and schedules may be agreed in writing. -
-The Controller warrants that:
-- In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and in any event within 48 hours of becoming aware of the breach. The notification shall include: -
-- The Processor shall cooperate with the Controller in investigating and remediating the breach and in meeting notification obligations to supervisory authorities and Data Subjects. -
-- The Processor may transfer Personal Data outside the European Economic Area only where appropriate safeguards are in place, including: -
-- The current list of data processing locations and applicable transfer mechanisms is available upon request. -
-- The Controller grants general authorization for the use of Sub-processors subject to the requirements of Section 3.4. Current Sub-processors include: -
- -| Sub-processor | -Purpose | -Location | -
|---|---|---|
| Infrastructure Provider | -Cloud infrastructure | -EU / US | -
| Stripe, Inc. | -Payment processing | -US | -
| AI Embedding Provider | -Document matching (zero retention) | -US | -
- The Controller will be notified of Sub-processor changes via email at least 30 days in advance, with the opportunity to object. -
-- The Processor maintains the following certifications and compliance measures: -
-- Copies of relevant certifications and audit reports are available to Enterprise customers under NDA. -
-- Liability under this DPA is governed by the limitation of liability provisions in the Terms of Service. Each party shall be liable for damages caused by processing that infringes GDPR or this DPA to the extent provided by applicable law. -
-- This DPA is effective from the date the Controller begins using Dealspace and continues until termination of all service agreements. Sections that by their nature should survive termination will survive, including data deletion, audit rights, and confidentiality obligations. -
-- This DPA is governed by the laws of the Netherlands. The competent courts of Amsterdam have exclusive jurisdiction over disputes arising from this DPA. -
-
- Data Protection Officer:
- privacy@dealspace.io
-
- For Enterprise customers requiring executed DPAs or custom terms, contact legal@dealspace.io. -
-- Not another document repository with features bolted on. Dealspace is designed from first principles for how M&A transactions actually work. -
-- Traditional VDRs are document-centric — you upload files into folders and hope people find them. Dealspace flips the model: the Request is the unit of work. -
-Issue specific, trackable requests to the seller. No ambiguity about what's needed.
-Open, assigned, answered, vetted, published. Know exactly where every request stands.
-Every request has a complete thread — comments, clarifications, status changes. Full context, always.
-- Most users are workers, not deal managers. When the accountant logs in, they see their task inbox — not a deal room, not workstream dashboards. Just: what do I need to do today. -
-Finance team sees Finance. Legal sees Legal. No information overload.
-Assignees see only their tasks. Complete one, it routes to the next person automatically.
-Buyers only see published answers. Internal routing is invisible to external parties.
-- When a buyer submits a question, AI searches for existing answers. Match found? Human confirms, answer broadcasts to everyone who asked the same thing. One answer, many recipients. -
-Not just keyword matching. AI understands that "revenue breakdown" and "sales by segment" are the same question.
-AI suggests, human confirms. No answer goes out without explicit approval.
-Deal data never trains AI models. Private data stays private.
-- Not everyone needs to log into another platform. Participants can respond via email, Slack, or Teams. Requests route to people wherever they are. -
-Reply to request notifications directly from your inbox. Attachments included.
-Get notified in your existing channels. Respond without context switching.
-Basic responses work without an account. Full features available in the web app.
-- Every access, every download, every routing hop — logged. When compliance asks "who saw what when," you have the answer. -
-Who viewed which document, when, and from where. IP addresses, timestamps, duration.
-Every file download recorded. Watermarked with user identity for leak tracing.
-Full chain of custody. Who assigned, who approved, who published — every transition logged.
-- 30-minute demo. See how Dealspace transforms M&A workflow. -
- - Request a Demo - -- Dealspace is the M&A workflow platform that Investment Banks trust. Request-centric. Role-based simplicity. Real security. No per-MB extortion. -
- -Trusted by leading investment banks and advisors
-- Document-centric platforms bury your team in folders. Dealspace flips the model: the Request is the unit of work. Your accountant sees their 3 tasks — not the entire deal room. -
-- Not another document repository with features bolted on. Designed from first principles for M&A workflow. -
-The Request is the unit of work. Every question, every answer, every status update — tracked, routed, and resolved.
-Your accountant sees their 3 tasks. Your CFO sees the big picture. Same platform, different experience.
-Buyer question matches existing answer? AI suggests it. Human confirms. One answer broadcasts to all who asked.
-FIPS 140-3 crypto. Per-deal encryption keys. Dynamic watermarks on every document. Full audit trail.
-Email, Slack, Teams — participants work in their existing tools. No login required for basic responses.
-Every access, every download, every routing hop — logged. Your compliance team will thank you.
-- From request list to data room — a clear workflow that keeps everyone on track. -
-Configure workstreams, invite participants, issue structured requests to the seller.
-Internal routing to the right people. Upload documents. Mark complete.
-Quality control. Approve to publish, reject with feedback. Full control.
-Submit questions, AI matches to existing answers, unmatched routes for resolution.
-- Competitors charge $20/MB for "secure storage." We charge for the platform, not your data. Storage at actual cost. -
- -Perfect for boutique advisors running smaller transactions.
- View details → -For mid-market deals with AI matching and unlimited participants.
- View details → -For bulge bracket banks. SSO, custom SLA, dedicated support.
- Contact sales → -- See how Dealspace transforms M&A workflow. 30-minute demo, no commitment. -
- - -- Competitors charge $20/MB for "secure storage." We charge for the platform. Storage at actual cost. No per-document fees. No hidden charges. -
-Perfect for boutique advisors and smaller transactions.
-For mid-market advisors running multiple transactions.
-For bulge bracket banks and large advisory firms.
-- Need more than your plan includes? Storage is priced at actual cost — no markups. -
-No per-document fees. No bandwidth charges. Just storage.
-Real pricing on a 50GB deal with 100 participants.
-- Competitor pricing based on public rate cards as of February 2026. Your mileage may vary. -
-An active deal that hasn't been archived. Once a deal closes and you archive it, it no longer counts toward your limit. Archived deals remain accessible for audit purposes.
-Yes. 14 days, full Professional tier features, no credit card required. Run a real deal on us.
-We'll notify you and add the overage at $0.10/GB. No surprise charges — you'll see it before you're billed.
-Upgrades are prorated immediately. Downgrades take effect at the next billing cycle. No penalties either way.
-Yes. Pay annually and save 15%. Enterprise customers can negotiate custom terms.
-4-hour response time during business hours, dedicated Slack channel, and access to our senior support engineers.
-- 14-day free trial. No credit card required. Full Professional features. -
- -Last updated: February 28, 2026
-- Dealspace is a platform for managing confidential M&A transaction data. We understand the sensitivity of the information you entrust to us. This policy describes how we collect, use, and protect that data. -
-
- Muskepo B.V.
- Herengracht 555
- 1017 BW Amsterdam
- The Netherlands
- Chamber of Commerce: 92847293
- VAT: NL866012843B01
-
- Name, business email address, organization name, and job title. This information is required to create an account and manage access to deals. -
- -- Documents, requests, responses, and communications uploaded to or generated within the platform. This includes confidential M&A transaction materials, due diligence documents, and related correspondence. -
- -- IP addresses, access timestamps, browser type, and activity logs. This information is collected for security purposes, audit trail requirements, and service optimization. -
- -- Payment processing is handled by third-party providers (Stripe). We do not store credit card numbers or bank account details. We receive only transaction confirmations and billing addresses. -
-We use the information we collect to:
-- We do not: -
-We process your data based on:
-We share data only in the following circumstances:
- -- Transaction data is shared with authorized participants within each deal according to the access permissions configured by deal administrators. -
- -- We use carefully selected third-party providers for infrastructure, payment processing, and support operations. These providers are bound by data processing agreements and process data only on our instructions. -
- -- We may disclose data when required by law, court order, or governmental authority. We will notify you of such requests where legally permitted. -
- -- In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you and ensure the receiving party is bound by equivalent data protection obligations. -
-We protect your data with:
-- For detailed security information, see our Security page. -
-- Active accounts: Data is retained for the duration of your subscription and any active deals. -
-- Archived deals: Retained for 7 years after deal closure for regulatory and audit purposes, unless you request earlier deletion. -
-- Account deletion: Upon account termination, personal data is deleted within 30 days. Transaction data associated with active deals of other parties is retained per those deals' retention policies. -
-- Backups: Deleted data may persist in encrypted backups for up to 90 days before being overwritten. -
-- Dealspace operates infrastructure in the European Union and the United States. Data may be transferred between these regions. For transfers outside the EEA, we rely on Standard Contractual Clauses approved by the European Commission. Enterprise customers may request data residency in specific regions. -
-Under GDPR and applicable privacy laws, you have the right to:
-- To exercise these rights, contact privacy@dealspace.io. We will respond within 30 days. -
-- We use essential cookies to maintain your session and preferences. We do not use advertising cookies or third-party tracking. Analytics, where used, are privacy-preserving and do not track individuals. -
-- We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email to account holders. Continued use of the service after changes constitutes acceptance. -
-
- Data Protection Officer:
- privacy@dealspace.io
-
- You have the right to lodge a complaint with a supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). -
-- M&A data is sensitive. People go to prison for leaking it. We built Dealspace with security as the foundation, not an afterthought. -
-Self-Assessed · Type II in progress
- -Validated encryption
-Compliant processing
-Certified ISMS
-- We use the same encryption standards required by US federal agencies. Your deal data is encrypted with AES-256-GCM using FIPS 140-3 validated cryptographic modules. -
-Each deal has its own encryption key derived from a master key. One deal's compromise does not affect others.
-All data encrypted before it touches disk. File content, metadata, comments — everything.
-TLS 1.3 for all connections. Certificate pinning for mobile apps. No data travels unencrypted.
-- Every document is watermarked with the viewer's identity at serve time. If a document leaks, you know exactly who leaked it. -
-Watermark includes user email, organization, timestamp, and deal ID.
-PDF, Word, Excel, images, video. Protection adapts to the format.
-Control watermark content, position, and visibility.
-- Multiple layers of protection. Every access decision goes through the same choke point. No exceptions. -
-SAML 2.0 and OIDC support. Integrate with your existing identity provider. Enforce your organization's auth policies.
-TOTP, hardware keys (FIDO2), SMS backup. MFA required for all access, no exceptions.
-Workstream-level permissions. IB, Seller, Buyer roles with configurable scopes. Least privilege by default.
-Short-lived tokens. Single active session per user. Immediate revocation on access changes.
-Restrict access by IP range. Corporate network only, or specific buyer locations.
-Disable downloads entirely, or allow view-only access. Configurable per document or project-wide.
-- Every action is logged. Access grants, file views, downloads, status changes — all recorded with actor, timestamp, and IP address. -
-- Dedicated infrastructure, redundant storage, continuous monitoring. Your deal data deserves nothing less. -
- -- Talk to our security team. We are happy to answer technical questions and provide documentation. -
- -- Dealspace has completed a comprehensive SOC 2 Type II self-assessment. We are preparing for formal audit certification in Q4 2026. -
-- Note: This is a self-assessment document. Formal SOC 2 Type II audit is planned for Q4 2026. -
-- SOC 2 (System and Organization Controls 2) is an auditing framework developed by the AICPA that evaluates how organizations manage customer data based on five Trust Services Criteria. -
-- For M&A platforms handling confidential deal data, SOC 2 compliance demonstrates a commitment to security, availability, and data protection that investment banks and advisors require. -
-Assessment Date: February 28, 2026
-- Our SOC 2 assessment covers all aspects of the Dealspace platform and infrastructure. -
-- SOC 2 evaluates organizations against five Trust Services Criteria. Dealspace implements controls for all five. -
-Protection against unauthorized access, both physical and logical.
-Systems are available for operation and use as committed.
-Information designated as confidential is protected as committed.
-System processing is complete, valid, accurate, timely, and authorized.
-Personal information is collected, used, retained, and disclosed in conformity with commitments.
-FIPS 140-3 validated AES-256-GCM with per-project keys derived via HKDF-SHA256
-JWT tokens with 1-hour expiry, MFA required for IB users, session management
-Role hierarchy (IB → Seller → Buyer → Observer), invitation-only access
-Swiss data center, UFW firewall, SSH key-only, automatic security updates
-All access logged with actor, timestamp, IP. 7-year retention for compliance
-Daily encrypted backups, 4-hour RTO, 24-hour RPO, tested recovery procedures
-- Our SOC 2 program is supported by comprehensive policy documentation. -
-Complete SOC 2 Type II self-assessment with control mappings
- - - -Security requirements for systems, data, and operations
- - - -Procedures for detecting and responding to security incidents
- - - -Recovery procedures following disasters affecting systems
- - - -Data retention periods and deletion procedures
- - - -Identified risks and mitigation controls
- -Comprehensive self-assessment against all five Trust Services Criteria completed. Policy documentation created.
-Address recommended action items including backup restore testing and external penetration test.
-Engage third-party auditor for formal SOC 2 Type II certification.
-- Contact our security team for detailed documentation or to discuss your compliance requirements. -
- -Last updated: February 28, 2026
-- These Terms of Service ("Terms") govern your use of Dealspace, a deal workflow platform operated by Muskepo B.V. By accessing or using Dealspace, you agree to be bound by these Terms. -
-- Dealspace is a deal workflow platform for managing M&A transactions, due diligence processes, and related document exchanges. The platform provides request tracking, document management, access control, and communication tools. -
- -- Dealspace is a technology platform. It does not provide legal, financial, tax, or investment advice. Users are responsible for obtaining appropriate professional advice for their transactions. Dealspace does not verify the accuracy or completeness of any content uploaded to the platform. -
-- To use Dealspace, you must register an account with accurate and complete information. You are responsible for maintaining the confidentiality of your account credentials and for all activities under your account. -
- -- If you create an account on behalf of an organization, you represent that you have authority to bind that organization to these Terms. The organization is responsible for all activities under accounts it controls. -
- -- Deal administrators are responsible for configuring access permissions within their deals. Dealspace enforces these permissions but is not responsible for access decisions made by administrators. -
-- You may use Dealspace for lawful business purposes related to M&A transactions, due diligence, and similar deal processes. You may upload, share, and manage documents in accordance with your subscription and applicable access permissions. -
- -You agree not to:
-- We may suspend or terminate access for violations of these Terms. In cases of illegal activity, we will cooperate with law enforcement authorities. -
-- You retain ownership of all content you upload to Dealspace. By uploading content, you grant us a limited license to store, process, and transmit that content as necessary to provide the service. -
- -- You are solely responsible for the content you upload, including its accuracy, legality, and compliance with confidentiality obligations. Dealspace does not review, approve, or endorse user content. -
- -- Our handling of personal data is governed by our Privacy Policy and, for enterprise customers, our Data Processing Agreement. -
-- Dealspace, including its software, design, branding, and documentation, is owned by Muskepo B.V. These Terms grant you a limited, non-exclusive, non-transferable license to use the service for its intended purpose during your subscription term. -
- -- If you provide feedback, suggestions, or ideas about the service, you grant us a perpetual, irrevocable, royalty-free license to use that feedback for any purpose. -
-- Fees are described on our Pricing page or in your order form. All fees are in US dollars unless otherwise specified and are exclusive of taxes. -
- -- Payment is due in advance on a monthly or annual basis as selected. We may suspend service for non-payment after reasonable notice. -
- -- Annual subscriptions are non-refundable except as required by law or at our discretion. Monthly subscriptions may be cancelled at any time; no refund is provided for partial months. -
- -- We may change pricing with 30 days notice. Price increases will not affect your current subscription term. -
-- We target 99.9% uptime for Professional plans and 99.99% for Enterprise plans. Uptime commitments and remedies for Enterprise customers are specified in service level agreements. -
- -- We may perform scheduled maintenance with reasonable advance notice. Emergency maintenance may be performed without notice when necessary to protect the service or its users. -
-- You may cancel your subscription at any time through your account settings. Cancellation takes effect at the end of your current billing period. -
- -- We may terminate your access for violation of these Terms, non-payment, or if we discontinue the service. We will provide reasonable notice where possible. -
- -- Upon termination, you will have 30 days to export your data. After this period, we may delete your data in accordance with our retention policies. Provisions that by their nature should survive termination will survive. -
-- THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. WE DO NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR SECURE. -
-- TO THE MAXIMUM EXTENT PERMITTED BY LAW: -
-- You agree to indemnify and hold harmless Muskepo B.V., its officers, directors, employees, and agents from any claims, damages, losses, or expenses (including reasonable attorneys' fees) arising from your use of the service, your content, or your violation of these Terms. -
-- These Terms are governed by the laws of the Netherlands, without regard to conflict of law principles. -
-- Any disputes arising from these Terms or the service shall be submitted to the exclusive jurisdiction of the courts of Amsterdam, the Netherlands. For Enterprise customers, alternative dispute resolution mechanisms may be agreed in writing. -
-- These Terms, together with our Privacy Policy and any order forms, constitute the entire agreement between you and Muskepo B.V. regarding the service. -
- -- We may modify these Terms by posting updated terms on our website. Material changes will be communicated via email. Continued use after changes constitutes acceptance. -
- -- If any provision is found unenforceable, the remaining provisions will continue in effect. -
- -- You may not assign these Terms without our written consent. We may assign these Terms in connection with a merger, acquisition, or sale of assets. -
-
- Questions about these Terms:
- legal@dealspace.io
-