SECURITY & TRUST
Process Intelligence Simplified. Make the Unseen, Seen.
Our Six Security Commitments
No training on your data
Your private data is never used to train or update our models
Private data stays private
Stored in siloed environments, isolated from other customer data
Full data visibility
Control access and usage with full insight into your operations
Zero-trust architecture
Least privilege and strong authentication across every layer
Encrypted everywhere
AES-256 at rest and TLS 1.2+ in transit, without exception
Audited & tested
Regular third-party audits and vulnerability testing
Key Security Features of FUTUROOT
AI & Model Safety
CORE COMMITMENT
We never train on your data
FUTUROOT uses AI and language models to surface process intelligence. Your event logs, process models, and analytical outputs are never used to train, fine-tune, or update any model, whether ours or a third party's. Your data works for you, not for us.
Model inference boundary
When AI features process your data, inference happens within a scoped, tenant-isolated context. No data is retained by model providers beyond a single request. Prompts and completions are not logged externally.
Explainability by design
Every AI-generated insight — root cause analyses, anomaly flags, what-if simulations — includes an evidence trail traceable to your own event data. You are never asked to trust a black box.
Data Protection & Isolation
Multi-tenant data isolation
Each customer’s data is stored in a siloed environment, logically separated at both the database and application layers. Every query is scoped to a single tenant, so cross-tenant reads are not possible by design.
Encryption at rest and in transit
All data is encrypted at rest using AES-256. Every API call and browser session is secured over TLS 1.2 or higher.
Minimal data footprint
FUTUROOT ingests structured event logs, not raw transactional records or PII. You decide which fields enter the platform. Fields not required for process analysis are never stored.
Data residency options
Deployments can be configured to keep all data within a specified geographic region. Private cloud deployment is available for strict residency requirements.
CLARITY ON ROLES
You are the data controller. We are the data processor.
FUTUROOT acts solely as a data processor on your behalf. We process your data only as you instruct us to, for the purposes you define. You retain full ownership and control at all times.
Right to erasure & data portability
Deletion requests are processed end-to-end — data is removed from primary storage, backups, and all derived outputs within defined SLAs.
Sub-processor transparency
We maintain a current list of sub-processors that may handle customer data. Customers are notified of any changes before they take effect.
| Sub-processor | Purpose | Location / data retention |
|---|---|---|
| Cloud provider | Hosting & storage | EU / configurable |
| LLM inference API | AI feature processing | No data retained |
| Monitoring tooling | Uptime & error tracking | EU |
EU AI Act Alignment
OUR POSITION
Process intelligence as advisory, not autonomous decision-making
FUTUROOT is designed as a decision-support tool: it surfaces insights, highlights anomalies, and recommends actions, but does not make or enforce decisions autonomously. Human oversight is built into every workflow. This positions FUTUROOT’s AI features in the limited-risk tier under the EU AI Act, subject to the transparency obligations of Article 50, which we are committed to meeting.
Human oversight by design
Every AI-generated recommendation — root cause analysis, anomaly flag, or simulation outcome — is presented as evidence for a human decision-maker to act on. No automated action is taken without explicit user approval.
Transparency & explainability
In line with EU AI Act transparency requirements, FUTUROOT clearly identifies when AI is generating a recommendation. All AI outputs include the underlying evidence, confidence indicators, and caveats.
No high-risk automated decisions
FUTUROOT does not make automated decisions with legal or similarly significant effects on individuals. FUTUROOT informs those decisions — it does not make them.
Ongoing regulatory monitoring
The EU AI Act is being phased in through 2026–2027. FUTUROOT actively monitors regulatory guidance and will update our compliance posture as obligations are clarified.
Identity, Access & Zero-Trust
Zero-trust architecture
FUTUROOT applies zero-trust principles across every layer. No implicit trust is granted based on network location or prior authentication. Every request is verified, every access is scoped, and every action is logged.
Least-privilege access control (RBAC)
User permissions follow a least-privilege model: each role grants only the minimum access needed for its function. Admins can create custom roles mapped to your org structure.
SSO and MFA
Integrates with enterprise identity providers including Azure AD (now Microsoft Entra ID), Okta, and Google Workspace. MFA can be enforced at the organisation level for all users.
API key governance
Integration API keys are scoped to specific datasets and operations. Keys can be rotated or revoked at any time without downtime. All API usage is logged with full request metadata.
Audit, Visibility & Observability
Full data visibility for admins
Workspace admins have a dedicated audit dashboard showing user activity, data access events, report exports, and configuration changes — complete operational insight into how your data is used.
Immutable audit logs
Every user action is recorded in an append-only audit log capturing actor, timestamp and action detail. Retained for a minimum of 12 months.
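To make concrete what "append-only" and "immutable" have to mean for an audit log to be tamper-evident, here is an added example written for this page; it is not FUTUROOT's own implementation. Each record commits to the hash of the record before it, so editing, re-ordering or deleting an earlier entry breaks every later link, and a verifier reports the first bad index. The actor, timestamp and action fields follow the text above; the record layout, the SHA-256 hash chain, the external anchor and the sample entries are assumptions of this example.

```python
"""Hash-chained append-only audit log (illustrative example, not FUTUROOT code).

Record fields actor/timestamp/action follow the page; the layout, hashing
scheme and sample entries are assumptions made for this example.
"""
import copy
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # anchor for the first record (there is no previous hash)


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation: identical content must always hash identically.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_hash(record: dict) -> str:
    # Covers every field except the hash itself; prev_hash is what forms the chain.
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(_canonical(body)).hexdigest()


class AuditLog:
    """In-memory append-only log; a real deployment persists records to WORM storage."""

    def __init__(self) -> None:
        self._records: list[dict] = []

    def append(self, actor: str, action: str, detail: dict, timestamp: str) -> dict:
        prev = self._records[-1]["hash"] if self._records else GENESIS
        record = {
            "seq": len(self._records),
            "timestamp": timestamp,
            "actor": actor,
            "action": action,
            "detail": detail,
            "prev_hash": prev,
        }
        record["hash"] = record_hash(record)
        self._records.append(record)
        return copy.deepcopy(record)

    def records(self) -> list[dict]:
        # Hand out copies so no caller can mutate the stored chain in place.
        return copy.deepcopy(self._records)

    def head(self) -> tuple[int, str]:
        # (length, hash of newest record): the value to anchor in a separate system.
        if not self._records:
            return (0, GENESIS)
        return (len(self._records), self._records[-1]["hash"])


def verify_chain(records: list[dict]) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i:                  # gap or re-ordering
            return i
        if rec.get("prev_hash") != prev:         # link to predecessor broken
            return i
        if record_hash(rec) != rec.get("hash"):  # content altered after hashing
            return i
        prev = rec["hash"]
    return None


def verify_anchored(records: list[dict], anchor: tuple[int, str]) -> bool:
    """Chain check plus comparison with an externally stored (length, head hash).

    The chain alone cannot detect truncation of the newest records; an anchor
    published to a separate system (e.g. every few minutes) closes that gap.
    """
    if verify_chain(records) is not None:
        return False
    length, head = anchor
    if length == 0:
        return records == []
    return len(records) == length and records[-1]["hash"] == head


def build_sample_log() -> AuditLog:
    # Constructed sample activity for the demonstration, not real data.
    log = AuditLog()
    log.append("alice@example.com", "login", {"mfa": True}, "2024-05-01T08:00:00Z")
    log.append("alice@example.com", "report.export", {"report": "cycle-time"}, "2024-05-01T08:05:00Z")
    log.append("bob@example.com", "role.update", {"user": "carol", "role": "analyst"}, "2024-05-01T09:12:00Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log.head()
    edited = log.records()
    edited[1]["actor"] = "mallory@example.com"
    print("intact:", verify_chain(log.records()) is None)
    print("first bad record after edit:", verify_chain(edited))
    truncated = log.records()[:-1]
    print("truncation caught by chain alone:", verify_chain(truncated) is not None)
    print("truncation caught with anchor:", not verify_anchored(truncated, anchor))
```

The design point a reviewer should check against any "immutable log" claim: a hash chain makes in-place edits and deletions detectable, but silently dropping the newest entries leaves a perfectly valid shorter chain. Detecting that requires the head hash and record count to be anchored somewhere the log writer cannot alter, which is why `verify_anchored` exists alongside `verify_chain`.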
Session management
Sessions are time-bound with configurable idle timeouts. Admins can remotely invalidate all active sessions for any user — critical during off-boarding or security incidents.
Business continuity
Automated daily backups with point-in-time recovery. Backup integrity verified through restore testing. Disaster recovery runbooks maintained and tested quarterly.
Infrastructure & Vulnerability Management
Third-party audits & pen testing
FUTUROOT undergoes regular security audits and penetration tests by independent third-party specialists.
Continuous vulnerability scanning
Dependencies are scanned continuously for known CVEs. Container images are rebuilt on every release with updated base layers. Infrastructure is managed as code with automated drift detection.
Network security
All services run inside private virtual networks with firewalls on public endpoints. Internal service-to-service communication is authenticated.
Cloud infrastructure
Hosted on enterprise-grade cloud providers that hold SOC 2 Type II and ISO 27001 certifications. Physical security and environmental controls are managed at the provider level.
Compliance & Certifications
SOC 2 Type II
Security, availability, and confidentiality trust service criteria
ISO 27001
Information security management system standard
Incident Management
FUTUROOT maintains a formal Incident Response Program designed to detect, contain, and recover from security events with minimal disruption to your operations.
If a breach involves your data, we will:
- Notify customers promptly and without undue delay following confirmation of an incident, with specific timelines governed by contractual agreements
- Provide a structured incident report containing what we know about the nature of the breach, the categories and approximate volume of data involved, the likely consequences, and the measures we have taken or propose to take
