Trust Center

Institutional-grade controls explained in plain language. This page is for procurement, compliance, and IT diligence reviewers — content here is factual, conservative, and verifiable on request.

GP Capital does not claim third-party certifications it does not currently hold. Where a control is in place but not yet externally audited, this page says so. Where a control is on the roadmap, it is labelled as such. We will gladly walk an institutional counterparty through specifics under NDA.

Security overview

GP Capital operates a wholesale capital platform serving sophisticated counterparties (lenders, family offices, sponsors, intermediaries). Platform access is permissioned, NDA-gated, and role-based. Public-facing material on this site is intentionally limited — operational and counterparty information lives behind authenticated access only.

Authentication & access

  • Email + password authentication with bcrypt-hashed credentials (work factor ≥ 12).
  • Two-factor authentication (TOTP) available; required for internal users and operations roles.
  • Trusted-device sessions with explicit revocation; lockout after consecutive failed attempts.
  • Passwordless / passkey login: roadmap item, not yet generally available.
  • Role-based access control with strict internal / external boundaries; lender-to-lender data isolation enforced at every endpoint.
  • Audit logging for authentication, permission changes, and administrative actions.

Role-based access

Every counterparty user has exactly one role at a time (borrower, lender, family office, broker, internal team, admin, super-admin). Each deal-room access grant is a separate record with its own NDA / agreement status, visibility scope, and revocation timestamp. External users only ever see their own participation — never another lender's identity, response, mandate detail, or matching score.

Hosting & infrastructure

  • Application is hosted on managed cloud infrastructure with hardened images and least-privilege service identities.
  • All public traffic is served over TLS 1.2+ with HSTS.
  • Internal traffic between application and database tiers is private and authenticated.
  • We do not disclose specific vendor names, regions, or topology publicly. Diligence reviewers can receive this under NDA.
  • Production secrets are managed outside of source control and rotated on personnel changes.

Data storage & encryption

  • Counterparty and deal data are stored in a managed document database with access controlled per service identity.
  • Documents and uploads are stored in a managed object store with server-side encryption at rest.
  • In transit, data is protected by TLS 1.2+ on every public hop and by authenticated channels internally.
  • Customer-managed encryption keys (CMEK / BYOK) are not currently offered. This is on the roadmap for the enterprise tier.

Backup & disaster recovery

  • Production databases are backed up daily with point-in-time recovery enabled.
  • Backups are encrypted at rest and retained for a rolling window.
  • Recovery is exercised periodically as part of internal operations review.
  • We do not publish a contractual RTO / RPO publicly. Specific recovery objectives can be agreed bilaterally with institutional counterparties.

Data retention & deletion

  • Counterparty and deal data are retained while the relationship is active and for a defined period thereafter, consistent with our legal and regulatory obligations.
  • Authenticated users can request deletion of personal data through the portal. Some records (audit logs, regulatory filings) are retained for the statutory minimum period.
  • Document deletion respects participant agreement and audit-trail requirements — deleted material is removed from active surfaces but a tamper-evident audit reference is retained.
  • Detailed retention schedules are available to counterparties under NDA on request.

Privacy, confidentiality & DPA

Deal content, counterparty identities, and participant responses are confidential by default. Platform access is gated by an NDA / platform agreement. We process personal data in line with the Privacy Policy and operate under the Terms of Service, Platform Terms, and Disclosures.

A Data Processing Addendum (DPA) is available on request for institutional counterparties whose internal policy requires one.

Incident response

  • Operational incidents are tracked in an internal incident register with severity, owner, and timeline.
  • Material incidents that affect a counterparty are communicated directly to the affected party as soon as facts are established — not via public channels.
  • Lessons-learned reviews follow material incidents and feed roadmap-level remediation.
  • We do not currently maintain a public status page. This is on the roadmap.

Responsible disclosure & contact

Security researchers and counterparties who identify a potential vulnerability are encouraged to report it via the Security & Responsible Disclosure page or directly to the contact listed in our security.txt file. We aim to acknowledge reports within two business days.

For all other procurement / compliance enquiries, please contact info@gp-cap.com with your reviewer details and we will route to the right team.

Related policies & documents

Downloadable materials

The following PDFs are generated from the same factual content as this page and are safe to share with procurement / compliance reviewers.

Plainly: the DPA Request Form is a form, not an executed DPA. The executed institutional DPA is reviewed and signed on a per-counterparty basis under NDA. Request via the form or by emailing the contact above.

This page is a summary, not a substitute for the underlying agreements. The Platform Terms, Privacy Policy, Disclosures and any deal-room NDA govern the relationship between GP Capital and its counterparties.