Futforce legal documents

Data and Security Policy

Last Updated: [10/10/2025]

1. Our Commitment

Security and data privacy are foundational to our product.  We implement strong technical, organizational, and procedural controls inspired by leading frameworks (e.g. SOC‑2, ISO 27001, GDPR). We continuously evolve our practices to protect your data, your users, and your trust.

2. Infrastructure & Hosting

  • Cloud Providers & Data Centers: We use reputable cloud providers with high security standards.

  • Regional Options: Customers may choose data hosting in specific regions (e.g. EU, US) to meet data locality preferences.

  • Isolation & Redundancy: Our architecture uses isolation per client, redundancy, failover, and data backups to ensure availability and durability.

3. Encryption & Key Management

  • In Transit: All data exchanged between clients, users, and our servers is encrypted using TLS (or stronger).

  • At Rest: Stored data is encrypted (AES-256 or equivalent).

  • Key Controls: Encryption keys are managed via secure key management practices, with access limited to designated infrastructure components.

4. Access Controls & Identity

  • Role-Based Access: Access to data and administration features is governed by roles; minimal privilege is enforced.

  • Authentication: We support secure authentication methods, including strong passwords, optional multi-factor authentication (MFA), and integration with identity providers (SSO).

  • Brute Force Protection: To guard against unauthorized login attempts, we provide rate limiting or lockouts after repeated failed attempts (configurable).

  • Logging & Auditing: Access and actions by services, admins, and system components are logged for auditing and forensic review.

5. AI Agent & Automated Processing

  • Scoped Data Access: Fora (our AI agent) only accesses data explicitly permitted through integrations and configuration settings.

  • Action Logging & Traceability: All AI queries, actions, and responses are recorded in audit logs to support accountability and investigation.

  • Guardrails & Filtering: We enforce content filtering, boundary rules, and input/output checks to reduce risk of unintended data exposure.

  • No Unrestricted Model Training: We do not use full customer datasets for external model training without explicit consent and agreement.

6. Data Retention, Deletion, & Purging

  • Retention Periods: Data is retained according to organizational settings and internal policy.

  • Deletion Requests: Users may request deletion or anonymization of data, subject to administrator approval, to respect corporate data governance.

  • Anonymization: Once deletion is approved or retention expires, personally identifying information is stripped, leaving aggregated or anonymized data if needed for analytics.

  • Content vs Account Deletion: User‑generated content may remain (e.g. posts), but the ownership label is changed (e.g. “Deleted user”) so identity is not recoverable.

7. Security Procedures & Testing

  • Vulnerability Scanning & Penetration Tests: We regularly run internal vulnerability scans and external penetration tests to identify and remediate weaknesses.

  • Secure Development Lifecycle (SDLC): We follow secure coding practices, code reviews, static analysis, and threat modeling during development.

  • Incident Response: We maintain a documented incident response plan, including detection, containment, root cause analysis, and notification.

  • Backup & Recovery: Regular backups are performed, tested, and encrypted. Recovery procedures are validated to meet defined RTO/RPO goals.

8. Privacy, Compliance & Data Governance

  • GDPR & Data Protection: We align our practices with GDPR principles (e.g. data minimization, purpose limitation, user rights) and provide Data Processing Agreements (DPAs) when required.

  • Customer as Data Controller: In most product use‑cases, the client organization is the data controller; we act as processor under their direction.

  • Service Providers & Subprocessors: Any third parties (hosting, analytics, backups) are contractually bound to confidentiality, limited access, and security obligations.

  • Disclosures & Legal Obligations: We do not sell data. We may disclose data when required by law or court order, always striving to minimize exposure and notify clients as allowed.

9. Incident Notification & Transparency

  • We commit to notifying affected clients and, where legally required, regulatory authorities in the event of a data breach involving personal data.

  • Clients may be informed of incident details, mitigation steps, and our root cause analysis.

  • Logs, forensic records, and backup snapshots support investigation and future prevention.

10. Policy Updates & Communication

  • We may revise this Data & Security Policy as technologies, regulations, or best practices evolve.

  • The “Last Updated” date will reflect the current version.

  • Major security or privacy changes will be communicated proactively to clients or administrators.