GDPR isn't optional for European founders sharing data with European investors. A data room that sits on US-only infrastructure, with no signed DPA and no audit trail, is a regulatory exposure your counsel will flag the moment they look at it.
CAPLINK is GDPR-aligned by default. All data is hosted in EU regions. Sub-processors are listed in the DPA you can sign on request. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Every read and write is policy-checked at the database layer via row-level security — not just at the API.
The NDA consent log gives you the evidence trail. Every investor who accesses the room first accepts your confidentiality terms; the signed version, IP address, timestamp and signer identity are stored together. That's the same evidence you'd need under GDPR's accountability principle if anyone asks how a specific person's data was handled.
The audit trail is tamper-evident: every view, download, share, revoke and Q&A action is recorded with the actor and context. You can export it for your DPO, your legal counsel, or — if you ever need to — for a regulator.
European fundraising deserves European infrastructure. CAPLINK is built for it.