Trust and Security

Buyer-facing security details,
without fake enterprise theater.

This page summarizes how FoundryOps handles customer data, production access, AI usage, security operations, and buyer security requests today. It is meant to be practical, current, and specific.

Contact for security reviewRead the privacy-first AI overview

Security posture snapshot

These are the controls we expect buyers and security reviewers to care about first.

Least-Privilege Access

Production services run with dedicated service identities and scoped access instead of a shared broad-permission runtime.

Secrets and Credentials

Production secrets are stored in managed secret systems. Direct plaintext configuration has been reduced in favor of secret-backed runtime access.

Managed Infrastructure

Core application services run on managed cloud infrastructure with encrypted transport and managed data services.

Monitoring and Alerts

We monitor service health and security-sensitive control-plane changes, including IAM, secret, and database configuration events.

How we handle customer data

What we do

  • Process customer data to provide the product features and integrations you enable.
  • Encrypt data in transit and rely on managed platform protections for data at rest.
  • Restrict production access to explicit support or operational needs, with logging and review.
  • Support export and deletion requests for primary customer data.
  • Retain limited operational, security, billing, and audit records when needed to run the service, investigate abuse, comply with law, or resolve disputes.

What we do not do

  • We do not sell customer data.
  • We do not train our own models on customer records.
  • We do not use one customer's data to improve another customer's results.
  • We do not route production customer data through public consumer AI tools for convenience.
  • We do not claim certifications or audits we have not completed.

AI and service providers

FoundryOps uses managed infrastructure and selected service providers to operate the platform. Key providers currently used across the product and website include:

  • Google Cloud for core application infrastructure and managed data services
  • Google Vertex AI for model inference under enterprise data protection terms
  • Clerk for authentication and identity flows
  • Stripe for billing and subscription payments
  • Resend for transactional email delivery

Need a current provider list, DPA discussion, or questionnaire response for an active evaluation? Contact us and we will route it directly.

Current assurance posture

  • Core product security controls are live in production and continue to be hardened.
  • We are preparing an independent external penetration test for the production environment.
  • After remediation and retesting, we plan to publish a shareable summary of the engagement here.
  • We do not currently advertise SOC 2 or ISO certifications.

Security contact

For a DPA request, security questionnaire, architecture review, incident-related question, or vulnerability report, email:

[email protected]

Please include your company name, use case, and the materials you need so we can respond efficiently.

If you believe you have found a security vulnerability, please report it to [email protected]. We aim to acknowledge credible reports within 48 hours.