Security & IP

Your designs are yours.
Full stop.

Requirements, boards, and firmware are the crown jewels — and a tool that touches them has to earn trust in writing, not adjectives. Here's how we protect your data, what's true today, and what's still roadmap. We'll always tell you which is which.

The core promise

We never train on your data.

Your requirements, schematics, netlists, BOMs, firmware, and design history are never used to train any model — ours or anyone else's. Your data is processed to do the work you asked for, and that's it. It isn't mined, resold, or fed back into model improvement.

  • No training, ever — contractually committed.
  • Your data is yours; export or delete it anytime.
  • No third-party model provider trains on it either.
◆  data handling · power-sensor-node
Design data your workspace
Processed for your request transient
Used for training never
Encrypted in transit & at rest AES-256 / TLS
Security posture

The controls, laid out.

◆ Training
No-training guarantee

Your design data never trains any model. Committed in the contract.

◆ Roadmap
SOC 2 Type II

Independent audit planned as we exit early access. Until it's done, we won't claim it — ask us for our current controls instead.

◆ Encryption
In transit & at rest

TLS in transit, AES-256 at rest, across the whole platform.

◆ Residency
US data residency

Know where your data lives. GovCloud-compatible options for controlled work.

◆ Access
SSO & RBAC

SAML/OIDC single sign-on and role-based access on Enterprise.

◆ Audit
Immutable audit log

Every change, who and when — the same trail that powers compliance.

◆ Disclosure
Vulnerability program

A published security.txt and a responsible-disclosure process.

◆ Roadmap
On-prem & air-gap

Self-hosted, air-gapped deployment for ITAR programs — on the roadmap.

Deployment

Cloud today. Self-hosted on the way.

The Fara products run in a secure US cloud on frontier AI models — which is what makes the agents as capable as they are. Self-hosted and air-gapped deployment for the most sensitive programs is on the roadmap.

Straight talk on air-gap & ITAR

Fully air-gapped, on-prem deployment is not shipping yet — today's local models aren't powerful enough to match the cloud experience, and we won't ship a degraded one. For controlled programs, the path we support first is certified US-based cloud infrastructure (GovCloud-class); local models come later as they become genuinely usable. So we're upfront: Fara fits commercial and civil work, non-classified programs, and controlled US-cloud environments right now. If you have a specific compliance boundary, let's map it together.

Compliance

Beyond platform security.

Platform security keeps your data safe. Product compliance keeps your board auditable — the traceability spine and standard-specific packs that regulated industries require.

◆ Roadmap
SOC 2 Type II

Independent audit planned as we exit early access.

◆ Product
DO-254 evidence

Design-assurance evidence for airborne hardware. Learn more →

◆ Product
DO-178C evidence

Trace, tests, and measured coverage for airborne software. FaraSW →

◆ Product
ISO 26262 / IEC 60601

Automotive & medical compliance packs to follow.

Security FAQ

The questions your security team will ask.

Do you train any model on our design data?+
No. Not our models, not any third-party model provider we use. Your data is processed only to perform the work you request, and it is never used for training.
Where is our data stored?+
In a secure US cloud, encrypted at rest (AES-256) and in transit (TLS). US data residency with GovCloud-compatible options is available for controlled work.
Are you SOC 2 certified?+
Not yet, and we won't imply otherwise. The Type II audit is planned as we exit early access. In the meantime we'll walk your security team through our current controls and complete your questionnaire honestly.
Do you support SSO and role-based access?+
Yes, on Enterprise: SAML/OIDC single sign-on, role-based access control, and an immutable audit log of every change.
Can we run Fara on-prem or air-gapped?+
Not yet — it's on the roadmap. We currently run in a secure US cloud on frontier models, with certified US-cloud (GovCloud-class) options as the first step for controlled programs. Talk to us about your compliance boundary and timeline.
How do we report a vulnerability?+
Through our published security.txt and responsible-disclosure process. We respond promptly and credit reporters.

Bring your security team. We'll answer everything.

Review our controls, get straight answers on what's certified and what isn't, or map a compliance boundary with us.