Trust & Security at FI Digital

US SMB buyers now expect clarity on AI use, data handling, access controls, and implementation posture early in the buying cycle. This page pre-answers the questions your security, compliance, and legal teams will ask. If something is not covered here, email privacy@fidigital.com and we will send the relevant documentation under NDA.
Delivery Security Posture
SOC 2 Type II Alignment
Our delivery practices align with SOC 2 Type II controls — access management, change management, monitoring, and vendor risk.
Signed Summaries
A signed Delivery Security Summary is available on NDA for every engagement.
Regional Defaults
All client workloads deploy on US regions by default: AWS us-east / us-west, Azure East US / Central US, Zoho US data centers, Snowflake AWS US, Databricks AWS US.
DPA & BAA Support
All engagements start with a signed MSA plus a DPA. BAAs are signed when PHI is in scope.
RBAC & Time-Bounded Access
Role-based access control, least-privilege, and time-bounded access for FI Digital staff on client systems.
No Derivative Rights
All client code is versioned in client-owned repositories; we do not retain derivative rights.
Data Handling & Privacy
Compliance frameworks are applied to every data ingestion, migration, and transformation process we deliver.
Comprehensive Data Act Alignment
Customer data flows are handled in alignment with CCPA / CPRA, the Virginia CDPA, the Colorado Privacy Act, and the Connecticut Data Privacy Act.
Financial Security Expectations
GLBA Safeguards Rule aligned handling for financial-services client workloads.
Healthcare Compliance & BAA
HIPAA-aligned delivery with signed BAA for healthcare-adjacent workflows.
Classification & Encryption
Data classification, PII tagging, and encryption at rest and in transit on every production build.
Retention & Deletion
Data retention and deletion policies scoped per engagement.
AI Governance
Every AI pilot ships with: a model card; prompt and output logs retained 90+ days; an evaluation set run before every production change; a human-in-the-loop escalation path; and a kill-switch that turns off the AI without a deploy. We do not ship autonomous agents into customer-facing workflows without approved guardrails.
Enterprise Foundation Models
Claude (Anthropic), GPT-4o / GPT-5 (OpenAI), AWS Bedrock, Azure OpenAI, and open models (Llama, Mistral) hosted on AWS / Azure where an air-gapped deployment is required.
No Training on Prompts
All enterprise / API plans confirm no-training-on-prompts, safeguarding corporate IP.
State AI Law Alignment
AI deployments are aligned with the Colorado AI Act, the Utah AI Policy Act, the Illinois AI Video Interview Act, and NYC Local Law 144.
Contextual AI Disclosures
AI disclosure plan scoped per engagement to match jurisdictions where the pilot touches customers or employees.
Access Model
Zero-trust architecture governing staff interactions with systems.
Strict SSO & MFA Policies
Our staff access to client systems is SSO-enforced, MFA-enforced, time-bounded, and logged.
Rapid Offboarding Protocols
We offboard staff from client systems within 24 hours of engagement change.
Subcontractor Compliance
Any subcontractors are named, approved, and contractually bound to the same posture.
Zero Unauthorized Offshore Access
We do not permit offshore access to client PHI or regulated financial data without an explicit, contractually bound agreement.
Insurance & Entity
Registered corporate credentials and active risk coverage protecting client interests.
US Registered Entity
FI Digital LLC — a US legal entity headquartered in Atlanta, Georgia.
Professional Indemnity Insurance
Professional indemnity / E&O insurance in place for all client scopes.
General Liability
General liability insurance active across US operations.
Cyber Liability
Enterprise cyber liability insurance in place.
Available Under NDA
Certificates of insurance are available on request under NDA.
Trust — Frequently Asked Questions
Are you SOC 2 Type II certified?
Our delivery practices align with SOC 2 Type II controls and a Delivery Security Summary is available on NDA. Clients seeking a full SOC 2 Type II report from a vendor should reach out — we will scope the evidence, controls, and subservice posture.
Will my data be used to train an AI model?
No. We deploy on enterprise / API plans that do not retain or train on prompts. We contractually confirm this in every engagement.
Can you sign a BAA?
Yes, where PHI is in scope.
What about international data transfer?
We default to US-region hosting. Cross-border transfer is scoped explicitly when required (e.g., Canadian clients with Canadian-resident users).
Do you conduct penetration testing?
Production builds ship with static analysis and dependency scanning on CI. Full penetration testing is scoped separately, often via a client-chosen third-party testing firm.