Security at Foyla.
Last updated: April 2026
How we think about it
An AI employee has access to real systems and takes real actions. We design around the same principles a security team would apply to a human operator: least privilege, complete audit, human review on anything new, and a fast path to contain a problem.
Infrastructure
- Hosted on a major cloud provider in the US by default; EU region available on request.
- Logical tenant isolation via separate compute, storage, and secret scopes per customer.
- VPC or on-prem deployment available for regulated customers on request.
Data protection
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Customer secrets (API keys, credentials) stored in a dedicated secrets manager, scoped to the AI employee that needs them.
- Production data is never copied to staging.
Access control
- SSO and MFA on all internal systems.
- Role-based access: engineers get just-in-time, auditable access to production when there's a ticket.
- All production access is logged and reviewed.
The AI employee itself
- Every production action is written to an immutable audit log you can query.
- Human reviewer queue on any new workflow or escalation — nothing irreversible happens without a signal.
- Rollback is a first-class operation, not an afterthought.
- Your operational data is not used to train foundation models.
Vulnerability management
- Automated dependency scanning on our build pipeline; known vulnerabilities are triaged and remediated on defined internal timelines.
- Responsible disclosure — report a vulnerability to [email protected] with "Security" in the subject line, and we'll acknowledge within one business day.
Business continuity
- Automated backups of customer data using our cloud provider's managed services.
- Documented incident-response process with defined severity levels, escalation, and customer communication paths.
Security roadmap
We're an early-stage company and say so plainly. The following controls are on our near-term roadmap rather than already certified. We'll update this page as they ship.
- SOC 2 Type II: target audit period starting H2 2026.
- ISO 27001: scoping in parallel with SOC 2.
- Third-party penetration test: planned for H2 2026, prior to SOC 2 observation period close.
- Cross-region backup and documented restore drills: planned alongside our first enterprise deployment.
- Public subprocessor list and change-notification subscription.
If any of these are a gating requirement for you, let us know — we can often commit to a timeline contractually.
Compliance
US state privacy laws (CCPA/CPRA, Colorado, Connecticut, Virginia, Utah) and GDPR/UK GDPR are addressed in our Privacy Policy and DPA. SOC 2 and ISO 27001 are on the roadmap above.
Contact
Security questions and vulnerability reports: [email protected]