Your documents are secure with FYI
We take the security of your sensitive data seriously. Security is embedded into the culture at FYI and is an integral part of how we operate.
Compliance

FYI has achieved its SOC 2 Type 2 certification and is audited annually. Please contact compliance@usefyi.com for FYI’s latest SOC 2 report.

FYI is currently undergoing certification for ISO 27001, the International Organization for Standardization’s (ISO) information security standard.

We are GDPR compliant as a data processor. For more information, visit https://usefyi.com/gdpr-faq/.

Infrastructure security

FYI hosts all data utilizing industry-leading US-based Amazon Web Services (AWS) facilities, which include 24/7 on-site physical security and camera surveillance. For additional details regarding AWS security, visit https://aws.amazon.com/security/.

Data submitted to FYI by authorized users is considered confidential. All data sent to or from FYI infrastructure is encrypted in transit using Transport Layer Security (TLS) v1.2. All data is encrypted at rest using military-grade AES-256 encryption. High-risk data has multiple levels of encryption applied.

FYI infrastructure is continually monitored for security vulnerabilities, and updates are applied automatically.

Policies and procedures

The following policies are followed and enforced at FYI:

Acceptable Use Policy, Asset Management Policy, Backup Policy, Change Management Policy, Code of Conduct, Cryptography Policy, Data Classification Policy, Data Deletion Policy, Data Protection Policy, Incident Response Plan, Information Security Policy, Password Policy, Physical Security Policy, Responsible Disclosure Policy, Risk Assessment Program, System Access Control Policy, Vendor Management Policy, Vulnerability Management Policy.

These policies are followed by all FYI employees, who review and accept the policies a minimum of once per year.

Vendor management

FYI uses a number of third-party applications and services to support the delivery of our products to our customers. FYI's Security team has established a vendor management program that sets forth the requirements for FYI to engage with third-party service providers. For a complete list of FYI's third-party service providers, visit https://usefyi.com/third-party-infrastructure/.

Training and awareness

FYI requires all employees and contractors to sign a confidentiality agreement prior to their start date.

During FYI's onboarding process, all new hires are required to complete security awareness training. All employees and contractors continue to take security awareness training annually.

FYI's engineering team gets additional training focused on design patterns and the technical aspects of FYI infrastructure security. As an added layer of diligence, every code change is evaluated from a security perspective.

Data protection

Access to customer data is limited to functions that have a business requirement for it.

Employees are required to use a VPN to access AWS resources, and all servers and databases are inside a VPC with minimum-access policies. Access to customer data requires authentication and authorization controls, including Multi-Factor Authentication (MFA). FYI has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms.

FYI employees are given minimum access to customer data based on their responsibilities. All employee access to systems is logged and audited for security purposes.

FYI runs automated container and application security scans on a daily basis, and package dependency security advisory scans on a weekly basis. In addition, FYI undergoes penetration testing by a third party at least annually. We also maintain separate production and testing environments.

Frequently Asked Questions
What information does FYI ingest?
The following information is ingested from APIs that customers connect to FYI:
  • Integration access tokens (where applicable).
  • Document metadata including: Title, links, filename, file type, folders, permissions, collaborators.
  • Document collaborator data, including: Name, email, avatar image.
Does FYI ingest the contents of documents?
FYI does not ingest, index or store the contents of documents and files.
Does FYI have write access?
FYI restricts itself to read-only access where possible. However, in some cases, FYI needs write access in order to support product functionality for its customers. Please contact compliance@usefyi.com for a list of specific scopes and permissions required to set up FYI.
Which applications are available on FYI?
Full document visibility at the company-level is available for Google Workspace (G Suite) administrators. Google Workspace, Dropbox, Box, OneDrive and more are available for the FYI enterprise search application. For a full list of integrations, visit usefyi.com/integrations.
Does FYI undergo regular penetration testing?
FYI undergoes penetration testing by external parties at least once per year.
How can I submit a security issue or ask a question?
If you have any security-related questions, or have discovered a vulnerability, we would love to hear from you. Please send an email to privacy@usefyi.com so that we may address your security questions or concerns.
Does FYI comply with GDPR?
FYI is in compliance with GDPR. For more information, visit https://usefyi.com/gdpr-faq/.
Does FYI have a dedicated security team?
We consider every single employee to be a member of the security team, and are dedicated to keeping all of our data and our customers' data secure. Members of the executive and engineering team serve as security officers at the company.
Can customer data be deleted from FYI?
A customer's data can be deleted on behalf of that customer.
Where is customer data hosted?
Customer data is hosted in secure Amazon Web Services (AWS) facilities.
Is customer data encrypted?
All data sent to or from FYI infrastructure is encrypted in transit using Transport Layer Security (TLS) v1.2. All data is encrypted at rest using military-grade AES-256 encryption. High-risk data has multiple levels of encryption applied.
Does FYI conduct due diligence of its potential vendors?
Every new vendor is vetted in accordance with FYI’s Vendor Management Policy. Vendors must submit copies of their SOC 2 or other relevant compliance reports and are assessed for risk related to their access to personal data.