Last updated: April 23, 2026·Version: 2026.04
1. Compliance & certifications
FCE One maintains industry-standard security certifications and is audited annually:
- SOC 2 Type II — covers security, availability, and confidentiality. Report available under NDA via security@fceone.com.
- ISO/IEC 27001 — information-security management system.
- PCI DSS Level 1 — handled by our payment processor (Stripe); we never store raw card data.
- GDPR & CCPA — data-protection addendums available for customers and enterprise partners.
2. Platform architecture
FCE One is built as a set of role-scoped services behind a single API gateway. Every service is isolated in its own network segment, deploys behind least-privilege IAM, and is monitored end-to-end. Production runs on AWS across multiple availability zones, with automated failover and point-in-time database recovery.
- All traffic terminates at Cloudflare + AWS WAF before reaching application layers.
- No service is exposed to the public internet except through the gateway.
- All internal traffic is mutually authenticated.
3. Encryption
In transit
- TLS 1.2+ everywhere. HSTS preload on all public domains.
- Modern cipher suites; SSL Labs A+ rating.
At rest
- AES-256 for databases, object storage, and backups.
- Customer secrets are envelope-encrypted with a per-tenant data key, rotated regularly.
- Disk-level encryption on every EC2 volume.
4. Authentication & access control
- Passwords are hashed with Argon2id; we never store or log raw credentials.
- Optional two-factor authentication (TOTP, WebAuthn/passkeys, SMS).
- SSO via SAML/OIDC for business tier (SCIM provisioning on request).
- All session tokens are HttpOnly + Secure + SameSite=Lax with rotating refresh.
- Employee access requires hardware keys and is reviewed monthly.
- Production access is just-in-time and logged.
5. Data handling
Customer data belongs to the customer. We process it only as described in our Privacy Policy and under a Data Processing Addendum where one exists. Highlights:
- Tenant data is logically isolated per account, with row-level authorization enforced at the API gateway.
- Exports are available on request and self-serve in most cases.
- We do not sell personal data and we do not use customer data to train third-party AI models.
6. Resilience & backups
- Production has a 99.95% uptime target (SLA available for enterprise).
- RPO: 5 minutes. RTO: 1 hour. Exercised quarterly.
- Encrypted backups are retained for 30 days across two regions.
- DR runbooks are reviewed twice a year.
7. Subprocessors
A current list of subprocessors is available at any time. Highlights:
- Amazon Web Services — hosting (US East, US West).
- Cloudflare — edge, WAF, DDoS protection.
- Stripe — payment processing (PCI DSS Level 1).
- Twilio / Postmark — SMS and transactional email.
- Sentry — error monitoring (no PII).
- Datadog — observability (structured logs + metrics).
Customers on enterprise plans are notified in advance of any subprocessor change.
8. Monitoring & incident response
- 24/7 paging on-call rotation, primary response SLA < 15 minutes.
- All security-relevant events are streamed to a write-once audit log.
- Anomaly detection on authentication, payouts, and data-export volumes.
- Formal post-incident reviews for every Sev 1 / Sev 2 — root cause, corrective actions, and follow-up tickets are shared internally within 72 hours.
- Material security incidents affecting customer data are notified without undue delay (and always within 72 hours).
9. Responsible disclosure
We welcome reports from the security community. Please email security@fceone.com with a clear description, steps to reproduce, and any supporting artifacts. PGP key available on request.
If you act in good faith and within the scope below, we will not take legal action:
- In scope: *.fceone.com web apps, public APIs, mobile apps.
- Out of scope: physical tests, social engineering, DoS/volumetric testing, third-party services.
- Please don't access data that isn't yours. Create a test account if you need one.
We respond within 2 business days, keep you updated, and recognize researchers on our Hall of Fame with permission.