Security Practices
Security Is Not Optional
We process our customers’ AI agent data - inputs, outputs, evaluation results, and traces. This is sensitive data. We treat security as a core product requirement, not a compliance checkbox.
Principles
1. Least Privilege Everywhere
Every system, service, and person has the minimum access needed to do their job. No shared credentials, no admin-by-default, no “we’ll tighten this later.”
2. Encrypt Everything
- In transit - TLS 1.3 for all connections, no exceptions
- At rest - AES-256 encryption for all stored data
- API keys - hashed, never stored in plain text
- Secrets - managed through AWS Secrets Manager, never in code or config files
3. Audit Everything
Every data access, API call, and admin action is logged. Logs are immutable, retained for 1 year, and monitored for anomalies.
4. Assume Breach
We design systems assuming an attacker is already inside. This means:
- Services can’t access other services’ data without explicit authorization
- Internal APIs require authentication (no “trusted network” assumptions)
- Database access is limited to specific services, not broad team access
- Credentials rotate automatically
Infrastructure Security
| Layer | Implementation |
|---|---|
| Network | VPC isolation, private subnets, no public database endpoints |
| Compute | Container isolation (ECS), read-only file systems, no SSH access |
| Data | Encrypted at rest and in transit, automated backups, point-in-time recovery |
| Access | SSO with MFA required, role-based access control, JIT access for production |
| Monitoring | Real-time alerting on suspicious activity, automated vulnerability scanning |
Application Security
Code Security
- Dependency scanning - automated (Dependabot + Snyk) on every PR
- Static analysis - linting and SAST tools in CI
- Secrets detection - pre-commit hooks prevent accidental credential commits
- Code review - all changes reviewed by at least one other engineer
API Security
- Rate limiting on all endpoints
- Input validation and sanitization
- CORS policy restricted to known origins
- API keys scoped to specific permissions
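The rate limiting listed above is usually implemented as a token bucket per API key: a short burst is allowed up to the bucket's capacity, after which requests are admitted only at the sustained refill rate, and rejected requests are answered with 429 plus a Retry-After hint. The following is an added example written for this page, not the company's own code. It assumes a single-process service with an in-memory bucket table (a real deployment would keep buckets in a shared store) and injects the clock so the behaviour can be checked deterministically.

```python
"""Per-API-key token-bucket rate limiter (added example, not the page's own code).

Assumptions: one process, in-memory buckets, and a key identifier already
extracted from the request. The numbers in demo() are constructed inputs.
"""
import time
from dataclasses import dataclass


@dataclass
class _Bucket:
    tokens: float      # current credit, at most `capacity`
    updated: float     # clock reading at the last refill


class RateLimiter:
    """Token bucket per key: bursts of `capacity` requests, then `rate` per second."""

    def __init__(self, capacity: int, rate: float, clock=time.monotonic) -> None:
        self.capacity = capacity
        self.rate = rate
        self.clock = clock                      # injectable so tests are deterministic
        self._buckets: dict[str, _Bucket] = {}

    def _refilled(self, key: str) -> _Bucket:
        now = self.clock()
        b = self._buckets.get(key)
        if b is None:
            # First request from this key starts with a full bucket.
            b = self._buckets[key] = _Bucket(float(self.capacity), now)
        # Credit tokens for the time elapsed since the last update, capped at capacity.
        b.tokens = min(self.capacity, b.tokens + (now - b.updated) * self.rate)
        b.updated = now
        return b

    def allow(self, key: str) -> bool:
        """Consume one token if available; False means the caller should answer 429."""
        b = self._refilled(key)
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def retry_after(self, key: str) -> float:
        """Seconds until one more request would be admitted (for a Retry-After header)."""
        b = self._refilled(key)
        return 0.0 if b.tokens >= 1.0 else (1.0 - b.tokens) / self.rate


class _FakeClock:
    """Deterministic clock for the demo; production code uses time.monotonic."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Constructed scenario: burst of 4 against capacity 3, then a 2 s refill at 1 req/s."""
    clock = _FakeClock()
    limiter = RateLimiter(capacity=3, rate=1.0, clock=clock)
    burst = [limiter.allow("key_A") for _ in range(4)]       # 4th request is rejected
    other_key = limiter.allow("key_B")                       # separate bucket, admitted
    wait = limiter.retry_after("key_A")                      # 1 token at 1/s -> 1.0 s
    clock.advance(2.0)
    after_refill = [limiter.allow("key_A") for _ in range(3)]  # 2 tokens refilled
    return {"burst": burst, "other_key": other_key,
            "retry_after": wait, "after_refill": after_refill}


if __name__ == "__main__":
    print(demo())
```

Keying the bucket by API key rather than by client IP means a customer's own misbehaving integration is throttled without affecting other tenants behind the same NAT, and the per-key capacity can be tied to the key's plan or scope.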
Authentication
- SSO (Google, GitHub, SAML) for all customers
- MFA enforced for all internal accounts
- Session tokens expire after 24 hours of inactivity
- API keys can be scoped, rotated, and revoked instantly
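The API key properties stated on this page, hashed rather than stored in plain text (under Encrypt Everything), scoped to specific permissions (under API Security), and able to be rotated and revoked instantly (above), fit together in one small design. The block below is an added example written for this page, not the company's own code. The key format (`fai_` prefix, a public lookup id, then the secret) and the in-memory table are assumptions made for illustration; the real store and format are not described on the page.

```python
"""API keys: issue, hash, scope, verify in constant time, rotate, revoke.

Added example, not the page's own code. The `fai_<id>_<secret>` format and the
in-memory KeyRecord table are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class KeyRecord:
    key_hash: bytes          # SHA-256 of the secret part; the plaintext is never stored
    scopes: frozenset        # permissions this key is allowed to exercise
    revoked: bool = False


class ApiKeyStore:
    """Stands in for the key table; assumed for this example."""

    PREFIX = "fai"           # assumed prefix: lets secret scanners recognise leaked keys

    def __init__(self) -> None:
        self._records: dict[str, KeyRecord] = {}

    @staticmethod
    def _digest(secret: str) -> bytes:
        # Plain SHA-256 is adequate here: the secret is 256 bits of CSPRNG output, so
        # a leaked hash cannot be brute-forced and a slow password hash buys nothing.
        return hashlib.sha256(secret.encode("ascii")).digest()

    def issue(self, scopes) -> str:
        key_id = secrets.token_hex(6)     # public lookup id, safe to show in a dashboard
        secret = secrets.token_hex(32)    # 256-bit secret, shown to the customer exactly once
        self._records[key_id] = KeyRecord(self._digest(secret), frozenset(scopes))
        return f"{self.PREFIX}_{key_id}_{secret}"

    def verify(self, presented: str, required_scope: str) -> bool:
        parts = presented.split("_")
        if len(parts) != 3 or parts[0] != self.PREFIX:
            return False
        _, key_id, secret = parts
        rec = self._records.get(key_id)
        if rec is None or rec.revoked:
            return False
        # Constant-time comparison so response timing does not reveal how many
        # bytes of the hash matched.
        if not hmac.compare_digest(rec.key_hash, self._digest(secret)):
            return False
        return required_scope in rec.scopes

    def revoke(self, key_id: str) -> None:
        rec = self._records.get(key_id)
        if rec is not None:
            rec.revoked = True           # takes effect on the very next verify call

    def rotate(self, key_id: str) -> str:
        """Issue a replacement with the same scopes, then revoke the old key."""
        old = self._records[key_id]
        new_key = self.issue(old.scopes)
        self.revoke(key_id)
        return new_key


def demo() -> dict:
    """Constructed scenario exercising scope checks, tampering, rotation and revocation."""
    store = ApiKeyStore()
    key = store.issue({"traces:read"})
    key_id, secret = key.split("_")[1], key.split("_")[2]
    tampered = key[:-1] + ("0" if key[-1] != "0" else "1")   # flip the last hex digit
    results = {
        "valid_scope": store.verify(key, "traces:read"),
        "missing_scope": store.verify(key, "traces:write"),
        "tampered": store.verify(tampered, "traces:read"),
        "garbage": store.verify("not-a-key", "traces:read"),
        "plaintext_stored": secret in repr(store._records),   # the secret must not be on disk
    }
    new_key = store.rotate(key_id)
    results["old_after_rotate"] = store.verify(key, "traces:read")
    results["new_after_rotate"] = store.verify(new_key, "traces:read")
    return results


if __name__ == "__main__":
    print(demo())
```

Two points worth noting in this design: the lookup id is deliberately separate from the secret so that support staff and audit logs can refer to a key without ever seeing the part that grants access, and because only the hash is stored, a database leak yields nothing an attacker can present to the API.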
Incident Response
When a security incident occurs:
- Detect - automated monitoring alerts the on-call engineer
- Contain - isolate affected systems immediately
- Investigate - determine scope, root cause, and impact
- Remediate - fix the vulnerability and verify the fix
- Communicate - notify affected customers within 72 hours (sooner for high severity)
- Review - post-incident review within 5 business days, published internally
Responsible Disclosure
We run a responsible disclosure program. Security researchers can report vulnerabilities to security@futureagi.com. We respond within 48 hours and don’t pursue legal action against good-faith researchers.
Compliance
We maintain SOC 2 Type II compliance and are pursuing ISO 27001 certification. Compliance reports are available to enterprise customers under NDA.