Security

Security, built in.
Not bolted on.

Fibric is the operational layer between a base model and the real world, so security is structural, not a setting. Your systems and your data are walled off at the layer that enforces it, every action is vetted and reversible, and nothing acts on the world without a record you can read.

Tenant isolation
Encrypted in transit and at rest
Fail-closed
A receipt for every action

How your data is protected

Walled off at the layer that matters.

Isolation that lives in the data layer cannot be forgotten in application code. That is where we put it.

Tenant isolation

A reseller and tenant id ride every envelope and every row. Isolation is enforced at the data layer with row-level security, so one customer can never read another. It is a property of the schema, not a habit of the code.

Encrypted end to end

Data is encrypted in transit with TLS and at rest. Connector credentials and secrets live in a managed secrets store, scoped to a tenant, and never appear in code, logs, or receipts.

Real data, least data

An operator reads only what a capability needs. "Real data only" is a rule, not a hope: a placeholder can never stand in for a governed value, and is tagged the moment it appears.

Access and identity

Every action has a name on it.

People and operators get the least access they need to do the job, and every read and every action is attributable.

Authentication

Sign-in runs on a managed identity provider. Single sign-on and SAML are available on Business and above, so access follows your directory and leaves with it.

Least privilege

A capability points to a connector through indirection. An operator holds a scoped grant for exactly the systems it runs, and nothing more.

Attributable by default

Every action writes who, what, when, and why into a reversible record. The kernel is the system of record, so an audit is a query, not an archaeology project.

How we build and run it

Safe to let near the real world.

The platform is built to act on physical systems, so the failure modes are taken seriously. Trust fails closed, not open.

Fail-closed

It stops rather than guess

If an operator cannot prove an action is safe and in policy, it does nothing and says so. The default is inaction, never a hopeful command.

No double-acting

Single-flight and idempotent

Replays, retries, and races resolve to one effect. Single-flight per entity means a flood of events can never turn into a flood of actions.

Build pipeline

Reviewed, scanned, watched

Changes are reviewed before they ship. Dependencies are tracked and patched, and the running system is monitored, with receipts to reconstruct what happened.

Compliance and data handling

Stated plainly, including what is still in progress.

We would rather tell you where we are than imply a badge we have not earned.

SOC 2

A Type II program is underway. We will share the report under NDA once it is available, and our control set is built toward it now.

In progress

GDPR and the DPA

We process customer data as a processor under a data processing agreement. Read the DPA.

Available

Subprocessors

The current list of subprocessors and what each one does is published and kept current. See the list.

Published

Data residency

Where your data runs, and the regions available, are set out on the availability page. View availability.

US first

Export and deletion

You can export your data, and request deletion. Tenant data is removed on request within a defined window, receipts included.

On request

Report a vulnerability

Found something? Tell us.

We welcome reports from security researchers and treat them with priority. Tell us in good faith and we will work the issue and keep you posted. Read the rules of engagement before you start.

Security contact
security@fibric.io

Use this for vulnerability reports and security questions. For governance and AI transparency, see the trust page. For account help, contact support.

Security protects the system. Governance decides what it may do.

This page is the first half. For how the model is held to a plan, how every action is vetted, and how trust fails closed, read the governance side.