Encryption

How Future AGI encrypts your data at rest and in transit across all services.

Encryption in Transit

All communication between your applications and Future AGI services is encrypted using TLS 1.2 or higher. This applies to every endpoint across the platform, including SDK telemetry ingestion, dashboard access, API calls, and webhook deliveries.

We enforce HTTPS-only connections and implement HSTS (HTTP Strict Transport Security) headers to prevent protocol downgrade attacks. Internal service-to-service communication within our infrastructure is also encrypted using mutual TLS (mTLS).

Encryption at Rest

All customer data stored within Future AGI is encrypted at rest using AES-256 encryption, the industry standard for data protection.

Encryption by Storage Layer

Storage LayerPurposeEncryption Method
PostgreSQLAccount data, project configuration, evaluation definitions, annotation metadataAES-256 via AWS RDS encryption
ClickHouseTrace spans, evaluation results, guardrail decisions, session analyticsAES-256 encrypted EBS volumes
S3 / Blob StorageDataset files, exported reports, simulation artifacts, uploaded documentsAES-256 via AWS S3 SSE
Redis CacheSession tokens, rate limiting counters, real-time dashboard stateAES-256 via AWS ElastiCache encryption

Key Management

Encryption keys are managed through AWS Key Management Service (KMS). All keys are:

  • AWS-managed with automatic annual rotation
  • Stored in FIPS 140-2 validated hardware security modules (HSMs)
  • Subject to strict IAM policies that limit access to authorized services only
  • Auditable through AWS CloudTrail for all key usage events

Customer data encryption keys are never stored alongside the data they protect. Access to KMS operations is restricted to production service roles and requires multi-party authorization for any administrative changes.

Additional Protections

  • Database backups are encrypted using the same AES-256 standard as the source data
  • Log data containing potentially sensitive information is encrypted at rest and access-controlled
  • API keys and secrets are hashed using bcrypt before storage and are never stored in plaintext

Questions?

Reach out to our security team.

security@futureagi.com

Request documents

SOC 2 report, DPA, pen test summary.

Request documents →