Security Statement
Effective: May 03, 2024
Your customer-facing communications can be sensitive and proprietary — for all participants. Frame AI takes its commitment to safeguard these communications seriously, making it a top priority in product design, system architecture, and internal processes. We want our customers to feel confidence that their information is safe, their interactions are secure, and both their businesses and their clients are protected.
Frame AI is SOC 2 Type II Certified. Frame AI is HIPAA Compliant for enterprise deployments and can sign a BAA.
Data center and network security
All Frame AI services are hosted at AWS data centers, which meet (and set!) the highest standards for cloud security. A sensitive alerting scheme is built into each of our component services, and our engineering team is on call 24/7 to respond to security alerts and events.
Application security
Frame AI’s web application and system integrations are engineered to minimize attack surface and to maximize use of established standards for authentication and cryptographically safe exchange. We regularly audit our system designs with external security professionals.
Product security features
Frame AI’s authentication systems are designed to mesh with those of your existing customer communication tools using OAuth 2.0, making it easy to centrally manage authentication and permissions. All interchange with third-party systems is conducted over HTTPS, and Frame AI fully implements all additional supported security measures, including verification of shared secrets and IP permitlisting.
Compliance and privacy support
As a data processor, we aim to help our customers easily meet all requirements posed by their own regulatory and customer environments. For customers facing GDPR requests, we will promptly produce records of stored information and respond to requests for data deletion with minimum disruption to ongoing services. For further protection, custom data retention policies are available as part of enterprise engagements.
| Systems security | Details |
| --- | --- |
| Facilities | Frame AI's services are hosted at AWS' ISO 27001 compliant facilities. Our system architecture logically isolates each customer dataset, and strict single-tenancy is available for enterprise customers. Data center facilities maintain strict physical security and redundant power supplies. |
| Physical Security | AWS maintains a strict physical security policy, permitting access only by authorized employees, under surveillance, with incident-specific approval for each physical access. |
| Monitoring | All production network systems, networked devices, and circuits are constantly monitored by both Frame AI staff and automated incident detection systems. Infrastructure errors are monitored by AWS and alert our engineering team. |
| Location | Frame AI's application is served from the US-East region, but private cloud deployment into other regions is available as part of an enterprise contract. |
| Data Security and Privacy | Details |
| --- | --- |
| Encryption in Transit | Communications between Frame AI and all remote clients and services are encrypted according to industry best practices, using HTTPS and Transport Layer Security (TLS). Where possible, we implement shared secrets and IP whitelists to further reduce the available attack surface. |
| Encryption at Rest | Frame AI segments its data storage into short-term operational stores and long-term persistent storage. Data in short-term storage is accessible only within our own cloud and is regularly purged. All data in long-term storage, including all Personally Identifiable Information, is encrypted at rest. |
| Developer and Support Access | Data logs are divided into three tiers, separating aggregate system information, communication metadata, and communication contents. This allows our internal permissions and tools to expose only the data relevant for a specific task. |
| Data retention and usage | Frame AI considers itself to be a custodian, and not the owner, of all conversations and annotations we process on behalf of customers. We do not use conversational data for any purposes other than providing services to our customers. Data deletion is available upon any termination of paid service, and custom retention policies are available with enterprise plans. |
| GDPR compliance | Frame AI has been built from the ground up to support end user data rights, including our responsibilities as a data processor under GDPR. Upon receipt of a GDPR request directly from an end user, we will endeavor to identify any clients for whom we have processed data on behalf of that user, and forward said request to them. In conjunction with any GDPR request received by a customer, we will coordinate to export or delete end user data as needed. |
| Security policies | Details |
| --- | --- |
| Third-Party Review | Frame AI engages external security professionals to regularly review our architecture and complete penetration tests. |
| DDoS Mitigation | Exposed Frame AI IPs are protected by AWS Web Gateway's DDoS protection framework, designed to scale with significant attacks. |
| Employee Access and Training | Employees are granted granular permissions according to the Least Access principle, so that they may only read and write system data and configuration relevant to their active projects. All employees are trained on, and sign their acceptance of, security policies during onboarding. |
| Security Incident Response | In case of a system alert, events are escalated 24/7 to our operations team. Employees are trained on security incident response processes, including communication channels and escalation paths. |
| Third Party Services | Frame AI vets all third party services and configures them to meet or exceed our own security standards. |
Contact Us
If you have any questions about this Security Statement, please contact us at support@frame.ai.