FrootAI — AmpliFAI your AI Ecosystem

Trust Center

Security, privacy & compliance — in the open

Everything you need to evaluate FrootAI for enterprise use: SOC 2, GDPR, data processing agreements, our security policy, and the full list of sub-processors. No sales call required.

Trust resources

SOC 2

SOC 2 Type I attestation in progress (Drata/Vanta-managed). Type II report shareable under NDA. Request the report or attestation letter.

Request SOC 2 report

GDPR & Privacy

Cookieless analytics, EU-hosted processing, data-subject rights, and lawful-basis mapping. Full privacy + data-protection disclosures.

Privacy & data protection

Data Processing Agreement

GDPR Article 28 DPA for B2B customers, plus an enterprise DPA with EU data-residency and Standard Contractual Clauses for international transfers.

Download the DPA

Security Policy

How every published artifact is signed (npm provenance, PyPI trusted publishing, cosign), where keys live, and how to verify a download.

Security & signing

Sub-processors

The complete list of third parties that process data on our behalf — Clerk, Stripe, Cloudflare, WorkOS, Plausible, Postmark — with regions + DPAs.

View sub-processor list

Audit & Access Controls

Tamper-evident hash-chained audit log, role-based admin access (RBAC), quarterly access reviews, and signed-webhook verification.

How we protect access

MCP Federation Trust Manifest

The single source of truth for which MCP publishers can attach to your router. 4 trust tiers (first-party-ms / verified-publisher / community / untrusted), 26 known publishers, 3-way byte-identical mirror (sha256 26565930b0c31852…), CI-enforced drift-protection. Drives the 21 federated areas and the 100-server marketplace.

See trust gate + manifest

Our commitments

Cookieless, EU-hosted analytics

We use Plausible (EU-hosted, no cookies, no cross-site tracking). Analytics is opt-in.

No enterprise promises without WorkOS

Enterprise SSO claims only ship with a working WorkOS connection — we never overstate our posture.

Signature-verified webhooks

Every inbound auth/billing webhook is cryptographically verified before any side effect.

Server-trust secrets

Roles, connection ids, and residency live in server-only metadata — never exposed to the browser.

Security & compliance contact

Have a security question, need a signed DPA, or want to report a vulnerability? Reach the FrootAI security team directly.