We treat your deal data like it's our own.
Overlook is built from the ground up for the sensitivity of commercial real-estate underwriting: signed NDAs, MNPI, borrower PII. Here's how we handle it.
SOC 2 Type II
Audit scheduled — Q3 2026. Report available under NDA.
GDPR ready
EU data residency. DPA signed on request.
Zero retention
OpenAI zero-retention tier. No training on your docs.
Encryption in transit & at rest
TLS 1.3, AES-256 on volumes + cloud KMS.
SSO / SAML
Okta, Entra, Google Workspace. Enterprise plan.
Self-hosted deployment
Your VPC, your keys, your model pool.
Data handling
Uploaded documents are encrypted at rest and accessible only to the workspace members you grant access to. Document bytes never leave the region you're deployed in; prompts sent to OpenAI run on the zero-retention API tier, meaning neither the content nor the completions are used to train any model.
- Per-workspace isolation at the application + DB level.
- All backend requests authorised through the workspace JWT.
- Audit log of every agent action (tool calls, field saves, confirms, exports) retained for 12 months.
Infrastructure
Overlook runs on commodity cloud with region selection (EU-West or US-East today). Databases are isolated per workspace tier; Enterprise customers get a dedicated database + KMS key.
Incident response
We commit to notifying affected customers of a verified security incident within 72 hours of confirmation, with a preliminary root cause within 7 days. Email security@overlook.ai.
Responsible disclosure
Found something? Email security@overlook.ai. We respond within 48 hours and credit researchers on the changelog if they wish.