Security FAQ

Application Security

What encryption standards does Future AGI use?

All data in transit is protected with TLS 1.2 or higher. Data at rest is encrypted using AES-256 across all storage layers, including databases, object storage, caches, and backups.

How are encryption keys managed?

Encryption keys are managed through AWS Key Management Service (KMS) and stored in FIPS 140-2 validated hardware security modules (HSMs). Keys are automatically rotated annually and are never stored alongside the data they protect.

Identity and Access Management

Does Future AGI support SSO?

Yes. We support SAML 2.0 and OpenID Connect (OIDC) single sign-on for Scale and Enterprise customers, with integrations for Okta, Azure AD, Google Workspace, and other identity providers.

Is MFA available?

Yes. Multi-factor authentication is available for all accounts and is enforced by default for organization administrators. TOTP-based authenticator apps and hardware security keys (WebAuthn/FIDO2) are supported.

How are session tokens handled?

Session tokens are cryptographically signed, short-lived, and stored securely. Tokens are rotated on privilege changes and invalidated on logout. Idle sessions expire after a configurable timeout (default: 30 minutes).

Infrastructure

Where is Future AGI hosted?

Future AGI runs on Amazon Web Services (AWS) in the US East (us-east-1) region, with additional regions available for Enterprise customers. All infrastructure is deployed within isolated VPCs with private subnets for data-plane services.

What network protections are in place?

We deploy AWS WAF for web application firewall protection, AWS Shield for DDoS mitigation, and network ACLs with least-privilege security group rules. All administrative access requires VPN and multi-factor authentication.

How is infrastructure monitored?

We use centralized logging (CloudWatch, CloudTrail), real-time alerting on anomalous activity, and 24/7 on-call engineering coverage. Security events are correlated and analyzed continuously.

Secure Development Lifecycle (SDLC)

What does the code review process look like?

Every code change requires at least one peer review and approval before merge. Security-sensitive changes require review from a member of the security team. All repositories enforce branch protection rules.

What automated security testing is in place?

• SAST: GitHub CodeQL runs on every pull request
• Dependency scanning: Snyk monitors all dependencies for known CVEs
• Infrastructure as Code scanning: Terraform and CloudFormation templates are validated against security policies before deployment

Incident Response and Business Continuity

What are the RPO and RTO targets?

Metric	Target
Recovery Point Objective (RPO)	1 hour
Recovery Time Objective (RTO)	4 hours

What is the backup strategy?

Databases are backed up continuously with point-in-time recovery. Backups are encrypted, stored in a separate AWS region, and tested quarterly to verify restoration procedures.

AI and LLM Data Handling

Does Future AGI train models on customer data?

No. Customer data — including traces, evaluations, and datasets — is never used to train, fine-tune, or improve any machine learning models. This commitment applies to both our proprietary models and any third-party LLMs used in the platform.

How does the BYOK (Bring Your Own Key) data flow work?

When you use your own API keys for LLM providers, requests are proxied through Future AGI’s infrastructure for observability purposes only. Your API keys are encrypted at rest and in transit, and the LLM provider’s response data is processed according to your configured retention and privacy settings.

How does the Turing model handle data?

Future AGI’s Turing evaluation models process customer data solely for the purpose of generating evaluation results. Input data is not persisted beyond the evaluation lifecycle, is not used for model training, and is subject to the same encryption and access controls as all other customer data.