Security

Security is at the core of everything we do at FuseGov.

Our Security Commitment

As a governance platform for autonomous systems, security isn't just important—it's our entire value proposition. We practice what we preach and implement defense-in-depth across our infrastructure.

Infrastructure Security

Hosting and Network

  • Cloud Provider: Hosted on Vercel with AWS backing
  • Encryption in Transit: TLS 1.3 for all communications
  • Encryption at Rest: AES-256 for stored data
  • DDoS Protection: Cloudflare CDN with rate limiting
  • Network Isolation: VPC segmentation for sensitive workloads

Application Security

  • Authentication: Multi-factor authentication (MFA) required
  • Authorization: Principle of least privilege
  • API Security: Rate limiting, request validation, API keys
  • Input Validation: All user inputs sanitized and validated
  • CSRF Protection: Token-based protection on all state-changing requests

Data Protection

Data Handling

  • Data Minimization: We collect only what's necessary
  • Data Retention: Logs retained for 90 days, audit trails for 7 years
  • Data Deletion: Secure deletion when requested
  • Backup Encryption: All backups encrypted with separate keys

Access Controls

  • Employee Access: Role-based access control (RBAC)
  • Production Access: Requires MFA and is logged
  • Secrets Management: Encrypted vaults, rotated regularly
  • Audit Logging: All access logged and monitored

Security Practices

Development

  • Code Review: All code reviewed before deployment
  • Static Analysis: Automated security scanning in CI/CD
  • Dependency Scanning: Regular vulnerability checks
  • Secrets Scanning: No credentials in code repositories

Operations

  • Monitoring: 24/7 security monitoring and alerting
  • Incident Response: Documented procedures and on-call rotation
  • Penetration Testing: Annual third-party security assessments
  • Vulnerability Management: Patches applied within SLA

Compliance

Certification Status

⚠️ Current Status: Not Yet Certified

FuseGov is currently in beta. We are working toward formal certifications as part of our roadmap.

Our architecture is designed to support the following standards:

  • SOC 2 Type II: Architecture designed for SOC 2 requirements (certification in progress, target Q3 2026)
  • ISO 27001: Controls aligned with ISO 27001 framework (formal certification planned)
  • GDPR: Privacy-by-design principles implemented
  • CCPA: California consumer privacy controls supported

Data Handling

Understanding what FuseGov sees and stores:

  • What We See: Metadata about tool calls (tool name, parameters structure, agent ID, timestamps). Full payloads only when required for policy evaluation.
  • What We Store: Decision logs and enforcement metadata. Configurable options for payload storage: full payload, hash-only, or redacted.
  • Retention: Configurable retention periods. Default 90 days for decision logs, 7 years for audit trails (EU AI Act alignment).
  • Encryption: TLS 1.3 in transit, AES-256 at rest for all stored data.

Industry Standards

We follow these security frameworks:

  • OWASP Top 10
  • NIST Cybersecurity Framework
  • CIS Critical Security Controls
  • IEC 62443 (for SCADA/ICS)

Responsible Disclosure

Security Vulnerabilities

If you discover a security vulnerability in FuseGov, we appreciate your responsible disclosure:

Reporting Process

  1. Email: security@fusegov.com
  2. Include detailed description and reproduction steps
  3. Do not publicly disclose until we've had time to respond
  4. We'll acknowledge receipt within 24 hours
  5. We'll provide a remediation timeline within 72 hours

Bug Bounty

We're setting up a formal bug bounty program. In the meantime, we recognize researchers who help improve our security.

Out of Scope

The following are explicitly out of scope:

  • Social engineering attacks
  • Physical attacks against our facilities
  • Denial of service attacks
  • Spam or social engineering of our employees
  • Reports from automated tools without validation

Security Features for Customers

Built-in Protection

  • Audit Trails: Cryptographically verifiable decision logs
  • Access Control: Fine-grained permission management
  • Encryption: End-to-end encryption for sensitive data
  • Monitoring: Real-time security event monitoring

Your Responsibilities

To maintain security, you should:

  • Use strong, unique passwords
  • Enable multi-factor authentication
  • Keep API keys secure
  • Review access logs regularly
  • Report suspicious activity immediately

Incident Response

In Case of Breach

If we experience a security incident:

  • We'll notify affected users within 72 hours
  • We'll provide details on what data was affected
  • We'll explain what actions we're taking
  • We'll offer recommendations for affected users

Security Updates

We publish security advisories for significant vulnerabilities. Subscribe to our security mailing list: security-announce@fusegov.com

Questions?

For security-related questions:
Email: security@fusegov.com
PGP Key: Available upon request

Security Contact

For security vulnerabilities or concerns:
