Policies
Overview of internal security and compliance policies underlying our program.
Policy Framework
Future AGI maintains a comprehensive set of internal security and compliance policies that form the foundation of our information security program. These policies are aligned with the requirements of SOC 2 Type II, ISO 27001, and industry best practices.
Internal Policies
The following policies govern how we protect customer data, manage risk, and operate securely:

| Policy | Purpose |
|---|---|
| Acceptable Use | Defines permitted and prohibited use of company systems and resources |
| Asset Management | Governs identification, classification, and lifecycle management of information assets |
| Backup | Establishes backup frequency, retention, encryption, and restoration testing requirements |
| Business Continuity | Ensures critical business functions can continue during and after a disruption |
| Change Management | Controls how changes to production systems are proposed, reviewed, approved, and deployed |
| Code of Conduct | Sets expectations for professional behavior, ethics, and integrity |
| Data Classification | Defines sensitivity levels and handling requirements for different categories of data |
| Data Protection | Governs the collection, processing, storage, and disposal of personal and customer data |
| Data Retention | Specifies retention periods and secure deletion procedures for all data types |
| Disaster Recovery | Documents recovery procedures, RPO/RTO targets, and failover architecture |
| Encryption | Mandates encryption standards for data in transit and at rest |
| Incident Response | Defines procedures for detecting, responding to, and recovering from security incidents |
| Information Security | Establishes the overarching information security program, roles, and responsibilities |
| Password | Sets requirements for password complexity, rotation, and secure storage |
| Physical Security | Addresses physical access controls for office locations and any on-premises equipment |
| Responsible Disclosure | Provides a channel for external researchers to report security vulnerabilities |
| Risk Assessment | Defines the methodology for identifying, evaluating, and treating information security risks |
| Secure Development Lifecycle (SDLC) | Integrates security into every phase of software development |
| System Access Control | Governs provisioning, review, and revocation of access to systems and data |
| Vendor Management | Establishes security requirements for evaluating and managing third-party vendors |
| Vulnerability Management | Defines processes for identifying, triaging, and remediating vulnerabilities |

Governance
- All policies are reviewed and approved annually by the security team and executive leadership
- Policy updates are tracked through version control with documented change history
- Employees acknowledge and attest to applicable policies during onboarding and annually thereafter
- Policy compliance is verified through internal audits and continuous monitoring
Availability
Copies of individual policies are available to customers and prospective customers on request under a non-disclosure agreement (NDA). Contact sales@futureagi.com for access.