Security, privacy & compliance — in the open
Everything you need to evaluate FrootAI for enterprise use: SOC 2, GDPR, data processing agreements, our security policy, and the full list of sub-processors. No sales call required.
Trust resources
SOC 2
SOC 2 Type I attestation in progress (Drata/Vanta-managed). Type II report shareable under NDA. Request the report or attestation letter.
Request SOC 2 report
GDPR & Privacy
Cookieless analytics, EU-hosted processing, data-subject rights, and lawful-basis mapping. Full privacy + data-protection disclosures.
Privacy & data protection
Data Processing Agreement
GDPR Article 28 DPA for B2B customers, plus an enterprise DPA with EU data-residency and Standard Contractual Clauses for international transfers.
Download the DPA
Security Policy
How every published artifact is signed (npm provenance, PyPI trusted publishing, cosign), where keys live, and how to verify a download.
Security & signing
Sub-processors
The complete list of third parties that process data on our behalf — Clerk, Stripe, Cloudflare, WorkOS, Plausible, Postmark — with regions + DPAs.
View sub-processor list
Audit & Access Controls
Tamper-evident hash-chained audit log, role-based admin access (RBAC), quarterly access reviews, and signed-webhook verification.
How we protect access
MCP Federation Trust Manifest
The single source of truth for which MCP publishers can attach to your router. 4 trust tiers (first-party-ms / verified-publisher / community / untrusted), 26 known publishers, 3-way byte-identical mirror (sha256 26565930b0c31852…), CI-enforced drift-protection. Drives the 21 federated areas and the 100-server marketplace.
See trust gate + manifest
Our commitments
Cookieless, EU-hosted analytics
We use Plausible (EU-hosted, no cookies, no cross-site tracking). Analytics is opt-in.
No enterprise promises without WorkOS
Enterprise SSO claims only ship with a working WorkOS connection — we never overstate our posture.
Signature-verified webhooks
Every inbound auth/billing webhook is cryptographically verified before any side effect.
Server-trust secrets
Roles, connection ids, and residency live in server-only metadata — never exposed to the browser.
Security & compliance contact
Have a security question, need a signed DPA, or want to report a vulnerability? Reach the FrootAI security team directly.