Trust Center
Security & Compliance
Factory Labs is built on enterprise-grade infrastructure with security at every layer. Your data is isolated, encrypted, and protected by the same standards trusted by Fortune 500 companies.
Encryption Everywhere
- TLS 1.3 for all data in transit
- AES-256 encryption at rest
- Encrypted credential storage for integrations
- Secure session tokens with automatic rotation
Tenant Data Isolation
- Schema-per-tenant architecture: each org's data lives in its own isolated database schema
- No cross-tenant data leakage by design
- Row-level and schema-level access controls
- Independent data lifecycle per tenant
Authentication & Access
- Passwordless sign-in via passkeys (WebAuthn / FIDO2)
- SSO with Microsoft Entra ID, Google Workspace
- SAML 2.0 and SCIM provisioning (Enterprise)
- Role-based access control (RBAC) with four levels
- Multi-factor authentication (TOTP) for admin panel
Audit & Accountability
- Immutable audit log for all data changes
- User action trails with IP address and timestamp
- Admin impersonation logging with time-limited sessions
- API access logging and key rotation
Infrastructure
- Hosted on Vercel (SOC 2 Type II certified)
- Database on Neon Serverless Postgres (SOC 2 Type II certified)
- AWS us-east-1 region with multi-AZ redundancy
- Automatic backups with point-in-time recovery
- DDoS protection and edge CDN via Vercel
Privacy & Data Handling
- Personal email domains blocked at registration
- Business email validation at sign-in
- No training on customer data
- GDPR-ready data subject request handling
- Data deletion on account closure
Security Practices
How we build, deploy, and operate
Dependency Scanning
Automated vulnerability scanning on every deployment. Critical CVEs addressed within 24 hours.
Secrets Management
All credentials, API keys, and tokens are stored in encrypted environment vaults, never in source code.
Secure Development
Input validation, parameterized queries (Drizzle ORM), CSRF protection, and Content Security Policy headers.
Access Reviews
Least-privilege access for all internal systems. Production database access restricted and audited.
Vendor Due Diligence
All subprocessors evaluated for security posture. Infrastructure providers maintain SOC 2 Type II attestations.
Incident Response
Documented incident response plan with defined escalation paths. Customer notification within 72 hours of a confirmed breach.
Public attestations
Self-serve, no-NDA documents that procurement teams use to short-circuit a bespoke security review.
RFC 9116 · safe harbor
Vulnerability Disclosure Policy
Scope, rules of engagement, 7-day critical fix SLA, and the safe-harbor clause for security researchers.
OWASP ASVS v4.0.3 L1
Application Security Verification Standard
50+ Level 1 controls across 14 chapters, each mapped to source code or runbook evidence an auditor can verify.
CSA CAIQ-Lite v4
Cloud Security Alliance Questionnaire
73 questions across 17 CCM domains: the industry-standard short-form procurement questionnaire, answered with linked evidence.
Questions about our security posture?
We're happy to walk through our architecture, answer questionnaires, or discuss compliance requirements for your organization.
The Trust Center exposes the full SOC 2 controls catalog, sub-processor inventory, identity & MFA attestations, and a gated evidence pack (pentest report, runbooks, sub-processor DPAs) available under NDA.
Last updated: June 2026. Review our Privacy Policy and Terms of Service.