The Technical Architecture of a Zero-Trust Deal Room
- Bryan Singleton

- Feb 3
High-Performance Deal Execution with Data Sovereignty
Executive Summary
FlowGuide is engineered on the principle of Data Minimalism. Unlike legacy Digital Sales Rooms (DSRs) that require the ingestion and storage of sensitive documents, FlowGuide acts as a professional, encrypted presentation layer for Google Workspace. This enables FlowGuide to function as a Zero-Trust Deal Room. This document outlines the technical safeguards, authentication protocols, and architectural silos that protect user and buyer data.
1. Authentication & Identity Management
FlowGuide utilizes Identity-First Authentication to eliminate the risk of credential theft.
- OAuth 2.0 Integration: We never see, handle, or store user passwords. Authentication is handled exclusively through Google and Microsoft identity providers.
- Token-Based Authorization: FlowGuide uses short-lived access tokens to interface with Google Workspace APIs, ensuring that permissions are temporary and specific.
- Scopes: We request the "Minimum Viable Permissions" necessary to display your files, ensuring we cannot access anything beyond the specific assets you choose to include in a Flow.
2. Data Sovereignty & "The Window" Principle
FlowGuide does not "own" your content; it provides a secure window into it.
- Source Truth: Your proposals, ROI sheets, and slides remain in your Google Drive.
- Dynamic Access Control: If you revoke access to a file in Google Drive, it is instantly inaccessible in FlowGuide. We do not cache or replicate your sensitive files on our servers.
- Metadata Only: FlowGuide stores only the metadata required to structure the Deal Room (e.g., file names and portal layouts). The actual "meat" of the deal stays in your encrypted Google environment.
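As an added illustration (not FlowGuide's code), the scope allowlist from section 1 and the metadata-only Flow record from section 2 modelled in Python: the persisted record holds only file ids and layout, every render resolves files live through Drive with the caller's token, and revoking a share makes the file unavailable at once because nothing was cached. The Drive client is a constructed stand-in, and picking drive.file as the minimal scope is this example's assumption (the page names no scopes).

```python
from dataclasses import dataclass

# Real Google Drive OAuth scopes. The page names none; treating drive.file
# (only files the user explicitly picked) as "minimum viable" is an assumption.
NARROW_SCOPE = "https://www.googleapis.com/auth/drive.file"
BROAD_SCOPE = "https://www.googleapis.com/auth/drive.readonly"  # whole Drive
ALLOWED_SCOPES = frozenset({NARROW_SCOPE})


def scopes_are_minimal(requested) -> bool:
    """Reject a consent request that asks for anything outside the allowlist."""
    return set(requested) <= ALLOWED_SCOPES


class AccessRevoked(Exception):
    """Drive refused the file for this token (share removed or token expired)."""


@dataclass(frozen=True)
class Flow:
    """What the deal room persists: ids and layout only, never file bodies."""
    flow_id: str
    file_ids: tuple
    layout: tuple


class FakeDrive:
    """Constructed stand-in for the Drive API: file bodies plus a per-token ACL."""
    def __init__(self, bodies, acl):
        self.bodies = dict(bodies)                    # file_id -> bytes, lives only here
        self.acl = {t: set(ids) for t, ids in acl.items()}

    def get(self, token, file_id):
        if file_id not in self.acl.get(token, ()):
            raise AccessRevoked(file_id)
        return self.bodies[file_id]

    def revoke(self, token, file_id):
        self.acl.get(token, set()).discard(file_id)


def render(flow, drive, token):
    """Resolve every file live. A revoked file renders as None: there is no
    local copy to fall back on, so the revocation takes effect immediately."""
    result = {}
    for fid in flow.file_ids:
        try:
            result[fid] = drive.get(token, fid)
        except AccessRevoked:
            result[fid] = None
    return result
```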
3. Zero-Trust Deal Room Tenant Isolation
FlowGuide is hosted on Google Cloud Platform (GCP), inheriting the same security posture used by global financial institutions.
- Isolated Tenant Architecture: Every customer environment is logically siloed. There is zero cross-contamination of data between different user accounts.
- Encryption at Rest and in Transit: All data moving between FlowGuide, the user, and the buyer is encrypted via TLS 1.2+. Data at rest in our database is protected by AES-256 encryption.
- Zero-Harvesting: Our database is architected to avoid the collection of PII (Personally Identifiable Information). We utilize anonymized IDs for tracking engagement, preserving the privacy of the buying committee.
4. Data Retention & Permanent Deletion
We honor the right to be forgotten.
- Instant Wiping: When a user deletes a Flow or an account, all associated metadata and configuration files are purged from our live databases instantly.
- No Ghost Copies: We do not maintain "shadow copies" or long-term archival backups of customer-deleted content. Once it is gone, it is irretrievable.
