Security practices
A venture platform holds real things: your ideas, your contacts, your sending identity. Here is how we protect them, stated plainly, including the parts where we are still early.
Isolation and access
- Every workspace is tenant-isolated: your ventures, contacts, campaigns, and artifacts are scoped to your tenant at the data layer, and cross-tenant access by our own admin tooling is audited.
- Sign-in runs through a dedicated identity provider; we never see or store your password.
- Team access is by explicit email invitation with a strict-match accept flow and role-based permissions.
Data protection
- Data in transit is encrypted with TLS. Data at rest is encrypted by our managed infrastructure providers.
- Secrets (like your sending credentials) are held by reference in a secrets store, never in our database.
- We do not store card data. Payments are processed by Stripe, which holds the payment instrument; we keep only the subscription state.
- Your owned data, meaning contact rows, lead lists, and personal information, is never sent to an external AI provider. The full boundary is documented on the AI transparency page.
Email safety
- Sending rides your own Amazon SES identity, so your domain reputation stays under your control.
- Suppression (unsubscribed, bounced, do-not-contact) is enforced on every send, always.
- Every message carries a one-click unsubscribe and the sender information CAN-SPAM requires. A human triggers every send; there is no autopilot to misfire.
Where we are early, said plainly
We hold no compliance certifications yet; a SOC 2 program is on the roadmap for when the company's size justifies the audit, and this page will say so the day that changes. If your evaluation needs specifics before then, write to us and we will answer the questionnaire honestly.
Found a vulnerability? Please report it to notifications@footholdfoundry.com with enough detail to reproduce it. We read every report, we will respond, and we will not take legal action against good-faith research.