Codekeeper Transaction services
Book a demo Start a deal
Security & sovereignty

Your deal never leaves the room.

Deal materials are the most sensitive data class there is — unreleased code, and the existence of the deal itself. The architecture starts from that fact. Everything on this page is documented, auditable, and part of the security review pack.

The pack goes to your work email — architecture overview, sovereignty documentation, and compliance status. One email, no sequences.
Sovereign secure AI

Our private environment. Your region. Never sent to AI vendors.

Every AI feature — scanning synthesis, IP clause analysis, report narrative — runs inside our private environment, in the region that holds your deal. Your materials are never sent to AI vendors and are never used for training. Details are in the security review pack.

European Union Live

Amsterdam. Sovereign hosting with EU-controlled managed services; the home region of the platform and of Codekeeper B.V.

United States Live

Virginia. Fully isolated US environment for US-law deals — same architecture, same controls, US-resident data.

Additional regions On request

UK (London) and other jurisdictions with in-region inference support, provisioned per deal on request — the same architecture and controls, stood up in the region your deal requires.

The deal region is chosen at deal creation. All processing, storage, inference, and replicas stay in-region for the life of the deal — including the 3-year retention term.
Architecture overview

Defense in layers, per deal.

Deal-scoped isolation

Every permission decision is evaluated per deal, per role, per stage — and enforced a second time at the database layer with row-level security.

Envelope encryption

TLS 1.3 in transit, AES-256 at rest. Deposits are envelope-encrypted with per-deal data keys held in a KMS/HSM in the deal’s region.

Egress-free sandboxes

All code handling — clone, build, scan — runs in ephemeral micro-VMs with no network egress. Outputs leave only through the findings contract.

WORM-locked seals

Sealed snapshots and IP Packages sit under object lock in separate storage accounts — immutable for the full retention term, by construction.

Hash-chained audit log

An append-only event log per deal. Any tampering breaks the chain; the chain is part of what gets sealed at closing.

Dual-controlled access

Production access uses short-lived credentials and hardware keys. Support access to deal materials requires two people — and shows up in your audit log.

The audit trail

Every action, visible to both sides.

Each deal carries an append-only, hash-chained event log — every view, download, sync, scan, and sign-off. Counsel can export it; disputes can rely on it. Even our own support access is dual-controlled and appears in your log.

Project Meridian · audit trail
12 Aug 14:02:11 Buyer counsel viewed IP clause map (read-only, watermarked)
12 Aug 13:47:52 Delta scan completed — 2 findings closed, 0 opened
12 Aug 13:44:03 Repository sync: 23 repos, 14 commits ingested (GitHub webhook)
12 Aug 11:20:38 Seller uploaded contractor agreement — classified, parsed, indexed
11 Aug 17:55:19 Release condition updated: dual sign-off · buyer + seller counsel
11 Aug 09:12:44 Report v4 generated against room state a3f9…c41d
Compliance

Certified, audited, and built for regulated deals.

Codekeeper is ISO 27001 certified, and Transaction Services runs on the same information-security management system. Deal materials are handled to GDPR standards, with processing kept in your deal's region — supporting the frameworks your compliance team reports against.

ISO 27001 ISO 22301 SOC 2 GDPR DORA NIS2
Current certification details are in the security review pack

Put this in front of your security team.

The review pack answers the questionnaire before it's sent.

Get the security review pack Book a fund demo