Security

Your Data. Protected with Enterprise-Grade Security.

We handle your most sensitive business intelligence — startup strategies, competitive analyses, and financial projections. That's a responsibility we take seriously. Here's how we protect it.

  • SOC 2 Ready: Type II aligned controls
  • GDPR Compliant: EU data protection
  • AES-256 Encryption: Data at rest
  • TLS 1.3: Data in transit
Encryption

Multi-Layer Data Protection

Your evaluation data is protected with the same encryption standards used by banks and government agencies.

Encryption at Rest (AES-256)

All stored data — evaluations, reports, user profiles, and workspace content — is encrypted using AES-256, the gold standard for data-at-rest encryption. Encryption keys are managed via Hardware Security Modules (HSMs) with automatic rotation.

Encryption in Transit (TLS 1.3)

Every API call, page load, and data transfer between your browser and our servers is protected with TLS 1.3 — the most current transport-layer security protocol. No data traverses our network unencrypted.

Database-Level Isolation

Multi-tenant data architecture ensures your workspace data is logically isolated from other customers. Institutional plans offer fully dedicated database environments with physical isolation.

Secret Management

API keys, tokens, and credentials are stored in a dedicated secrets management system with access logging and automatic rotation — never in source code, environment files, or plain text.

Access

Identity & Access Management

Granular controls that ensure only the right people access the right data.

SSO / SAML 2.0 Integration

Single sign-on via Okta, Azure Active Directory, Google Workspace, or any SAML 2.0 identity provider. Centralized identity management with your existing directory.

Role-Based Access Controls (RBAC)

Fine-grained permissions system with pre-built roles (Admin, Editor, Viewer, Analyst) and custom role creation. Control who can create, edit, share, or delete evaluations at the workspace level.

Multi-Factor Authentication (MFA)

Optional MFA enforcement via authenticator apps (TOTP) or hardware security keys (WebAuthn). Institutional plans can mandate MFA for all team members.

Session Management

Configurable session timeouts, concurrent session limits, and remote session revocation. Admins can force logout for any team member from the dashboard.

Monitoring

Continuous Monitoring & Audit

Real-time visibility into security events, access patterns, and compliance status.

Comprehensive Audit Logging

Every action — login, evaluation creation, report export, permission change, API call — is logged with timestamp, user identity, IP address, and action details. Audit logs are immutable and retained for 12 months.

Anomaly Detection

Automated monitoring for suspicious access patterns, unusual data exports, brute-force login attempts, and geographic anomalies. Real-time alerts for security events.

Infrastructure Monitoring

24/7 infrastructure monitoring with automated alerting for uptime (99.9% SLA), performance degradation, capacity thresholds, and security events. Automated incident response procedures.

Regulatory Compliance

Platform controls aligned with GDPR (EU), India DPDP Act, SOC 2 Type II, and ISO 27001. Data residency options for regional compliance requirements.

AI Security

AI-Specific Data Protection

Your startup data is your intellectual property. Here's how we protect it in the AI evaluation pipeline.

No Training on Your Data

Your evaluation data is never used to train, fine-tune, or improve our AI models. Your startup descriptions, business strategies, and competitive analysis remain completely confidential and are used solely for your individual evaluation.

Ephemeral Processing

AI processing occurs in isolated, ephemeral environments. Your data is not persisted in the AI processing layer — it enters, is evaluated, and the results are stored in your encrypted workspace. No cross-contamination between users.

Transparent AI Providers

We use enterprise AI API agreements with strict data protection clauses. Our AI providers do not retain, log, or train on evaluation data processed through our API endpoints.

Disclosure

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a potential security issue, please report it responsibly to security@VentureMerit.com. We commit to:

  • Acknowledging your report within 24 hours
  • Providing a timeline for remediation within 72 hours
  • Keeping you informed of our progress
  • Crediting you in our security acknowledgments (with your permission)

Please do not publicly disclose the vulnerability until we've had a reasonable opportunity to address it.

Have Security Questions?

Our security team is available to discuss compliance requirements, conduct architecture reviews, or provide additional documentation for your security assessment.