Security & Trust

Enterprise-ready from day one. Your data is isolated, encrypted, and never used to train AI models.

Row-level security on 210+ tables
Invite-only access
No AI model training
Bank-grade encryption at rest
Encrypted data in transit
SOC 2 in progress

Architecture

Multi-tenant, org-scoped data isolation

Every piece of data in FuturePro is bound to an organization ID. Row-level security (RLS) is enforced at the database level on all 210+ tables — it is architecturally impossible for one org to read another org's data.
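The org-scoped isolation described above, sketched as an added example for Postgres on Supabase; it is not FuturePro's own schema or code. The table and column names (org_members, projects, org_id) are assumptions made for illustration, and auth.uid() is Supabase's helper that returns the caller's user ID from the JWT. The final query is a check a reviewer can run to find tables where RLS is off or has no policy attached.

```sql
-- Hypothetical schema: names are assumptions, not FuturePro's.
create table org_members (
  org_id  uuid not null,
  user_id uuid not null,
  role    text not null check (role in ('owner', 'admin', 'member', 'viewer')),
  primary key (org_id, user_id)
);

create table projects (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  name   text not null
);

-- Users see only their own membership rows (no self-reference, so no recursion).
alter table org_members enable row level security;
create policy org_members_self on org_members
  for select using (user_id = auth.uid());

-- Rows are readable and writable only inside an org the caller belongs to.
alter table projects enable row level security;
alter table projects force row level security;  -- also applies to the table owner
create policy projects_org_isolation on projects
  for all
  using      (org_id in (select org_id from org_members where user_id = auth.uid()))
  with check (org_id in (select org_id from org_members where user_id = auth.uid()));

-- Audit: list public tables where RLS is disabled or no policy exists.
-- RLS enabled with zero policies denies all rows, so it is flagged for review
-- rather than as a leak. Roles with BYPASSRLS are not constrained by any of this.
select c.relname             as table_name,
       c.relrowsecurity      as rls_enabled,
       c.relforcerowsecurity as rls_forced,
       count(p.polname)      as policy_count
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public'
  and c.relkind in ('r', 'p')          -- ordinary and partitioned tables
group by c.relname, c.relrowsecurity, c.relforcerowsecurity
having not c.relrowsecurity or count(p.polname) = 0
order by c.relname;
```

An empty result from the audit query means every table in the public schema has RLS enabled and at least one policy; it does not show that each policy's predicate is correct.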

Invite-only access model

There is no open registration. Every user account is created by an org admin via explicit invitation. Uninvited signups are automatically locked out at the middleware layer.

24-hour JWT session timeout

Authentication tokens expire after 24 hours and require re-login. This limits the blast radius of any credential compromise.

Data Handling

Data storage and encryption

All data is hosted on Supabase (AWS infrastructure). Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). We do not self-host database infrastructure.

Data retention

Customer data is retained for the duration of the subscription and for 90 days after termination, then permanently deleted upon request. You can request full data export at any time.

AI Data Practices

What data is sent to AI providers

AI generation requests send your input content (project context, documents, form data) to Anthropic's API (Claude) for processing. Voice transcription uses OpenAI Whisper. No other AI providers receive your data.

No model training on your data

AI-generated content and your input data are never used to train Anthropic or OpenAI models. Our API agreements with both providers explicitly prohibit training use. Your data is processed and discarded.

Data not retained by AI providers

Anthropic and OpenAI do not retain data sent via API beyond the processing window. This is distinct from consumer products (ChatGPT), which do retain data for training.

Access Controls

Role-based access

Every org member has an explicit role: Owner, Admin, Member, or Viewer. Role determines what data can be read, created, edited, and deleted. Project-level access controls layer on top of org-level roles.

SSO (Enterprise)

SAML-based Single Sign-On (an industry-standard protocol for connecting to your company's existing login system) is available on Enterprise plans. This enables centralized identity management and automatic deprovisioning when employees leave.

Compliance Roadmap

SOC 2 Type II (in progress)

We are currently pursuing SOC 2 Type II certification, an independent audit of our security controls required by many enterprise customers. Prospects can request our current security posture documentation and audit timeline.

GDPR-ready architecture

Data processing agreements (DPAs) are available for enterprise customers subject to GDPR, Europe's data privacy law. Our architecture supports right-to-deletion requests, data portability, and sub-processor disclosure.

CCPA compliance

California consumers have the right to access, delete, and opt out of the sale of personal data under CCPA. We honor all such requests.

Responsible Disclosure

If you discover a security vulnerability in FuturePro, we ask that you report it to us responsibly before public disclosure. We will acknowledge your report within 48 hours and work to resolve confirmed issues promptly.

Please send security reports to: security@wgp-ai.com

Enterprise security questions?

We can provide a detailed security questionnaire, DPA, and sub-processor list on request.