Security Policy
Your trust is our top priority. At Foveate, we leverage the robust infrastructure and security practices of Google Cloud to ensure your data is protected, compliant, and accessible only to authorized users.
Data Protection
We are committed to following and implementing all applicable guidelines and recommendations with regard to the data and information we handle, process, and store at Foveate.
Data Security
All of Foveate's infrastructure runs on Google Cloud. You can find more information about Google Cloud security practices on their cloud security page.
Data Encryption at Rest
We use Google Cloud services and have configured them to use AES-256 encryption for all data at rest.
Data Transport Security
All communication with Foveate servers is done over TLS. We enforce HTTPS-only connections across all services. Our domain has been added to the HSTS Preload List, preventing any non-HTTPS connection at the browser level.
Application Security
Authentication
Email accounts must be verified before a user can create anything on the platform. Foveate.com is whitelisted as the only authorized domain a user can sign up from.
Access Control
User content that is not made public is only accessible if you have been granted individual access or inherited access through a shared project or team. Security rules are applied across the database and storage layers to ensure files remain accessible only to authorized users.
Internally, Foveate employees follow a minimum-access policy. Access to production systems and customer data is granted only to personnel who require it for their role, and is reviewed and revoked when no longer necessary.
Code Security
At Foveate we closely inspect all code before it is released. Our developers inspect the logic and information flows of each new feature to ensure no security vulnerabilities are introduced. We also write tests to ensure the application does not behave in an unexpected way.
Third-Party Dependencies
We monitor third-party libraries for known vulnerabilities using automated scanning tools. Critical vulnerabilities are addressed within 1 business day. Medium-risk vulnerabilities are addressed within 8 business days.
Infrastructure Security
Network Segmentation
Inside our Google Cloud infrastructure we segment our environments, decoupling production from testing and development.
Incident Monitoring
We use monitoring services to alert us to any anomalous behaviour in our infrastructure and to monitor any suspicious activity within our backend systems.
Organizational Security
Security Incident Management
Our systems monitor for anomalous and suspicious activity across the different systems we use to run the platform. These events are fed into a central dashboard that provides us with an overview of how every component is behaving and alerts us if a problem is detected.
Each and every incident at Foveate goes through the same rigorous internal incident management process. This allows us to ensure no stone is left unturned and the root cause of the incident is resolved.
Policy Enforcement
All accounts can be disabled or deleted from our system by an administrator. Projects and user data that contain explicit or illegal content in violation of our content guidelines can be removed.
Public share links that include copyrighted, explicit, or illegal materials can be removed by an administrator. Real-time communication channels and customer support are available for security vulnerability reporting and content takedown requests.
Operational Security
Backups
Foveate's infrastructure is built on top of Google Cloud and we use their services to generate regular backups for our databases that are then retained in accordance with industry best practices. To ensure the data recovery process is working as intended, we execute data recovery exercises regularly.
Self-Hosted Assets
For Enterprise customers, Foveate provides the ability to bring your own server to self-host assets. Foveate becomes the viewer for your work while you retain total control over storage and access.
Self-hosted assets support Amazon S3, Google Cloud, Microsoft Azure, or any other provider. Your IT team can configure access however they see fit, and we provide straightforward tooling to manage CDN links to Foveate.
Non-Disclosure Agreements
Foveate offers NDAs to protect sensitive information, safeguard intellectual property, and maintain confidentiality when engaging support or studio services.
Security Vulnerability Disclosure
We always appreciate when Foveate users and security researchers contact us regarding security vulnerabilities. You can reach us at team@foveate.com.
