Security & Trust
You manage information that cannot be public. Beneficial ownership records, entity structures, succession plans, trust instruments — the data in Foli is sensitive by definition. We designed the platform to meet the security and privacy expectations of UHNW family offices, not just general SaaS standards.
AES-256: Encryption at rest
TLS 1.2+: In-transit encryption
7-Year: Audit log retention
SOC 2: Type II in pursuit
At Rest
All data is encrypted at rest using AES-256. Entity records, ownership data, documents, and audit logs are encrypted in storage.
In Transit
All communication between your browser and Foli uses TLS 1.2 or higher. No unencrypted data transmission.
Document Storage
Documents are stored in Foli's encrypted cloud storage by default. Enterprise customers may elect self-hosted document storage, in which case your documents never leave your environment.
Role-Based Permissions
Every user has a defined role — principal, operations, read-only advisor, external counsel. Access is scoped to what each role requires.
External Advisor Access
Outside counsel, accountants, and trustees receive read-only access to specific entities or document sets you designate — not your full structure.
Multi-Factor Authentication
MFA is required for all accounts. Enterprise plans support SSO/SAML with Okta, Azure AD, and Google Workspace.
Session Management
Configurable session timeouts. Forced re-authentication on sensitive actions.
Immutable Logs
Audit logs cannot be modified or deleted by users or administrators.
Comprehensive Coverage
Entity creation, ownership updates, document uploads, compliance status changes, user logins, export events — all captured.
7-Year Retention
Audit logs retained for a minimum of 7 years on Business and Enterprise plans.
Exportable
Pull audit logs for any time period for internal review or counsel. When your attorney asks who changed that ownership record, the answer is there.
Cloud Hosting
Foli runs on AWS infrastructure in the United States. U.S. data residency by default; Enterprise customers may request alternative regions.
Uptime SLA
99.9% uptime SLA on Enterprise plans. Business plans target 99.5%. Current status at status.foli.io.
Backups
Automated daily backups with 30-day retention. Point-in-time recovery on Business and Enterprise plans.
Penetration Testing
Annual third-party penetration testing. Summary reports available to Enterprise customers on request under NDA.
Compliance Posture
Foli is in active pursuit of SOC 2 Type II certification. Our controls are designed to meet SOC 2 Trust Service Criteria for Security, Availability, and Confidentiality. We will share our SOC 2 report with Enterprise customers upon completion.
We comply with CCPA/CPRA and GDPR requirements. Data Processing Agreements available on Enterprise plans.
We do not sell, license, or share your data with third parties for commercial purposes. Your entity structure, ownership records, and document contents are yours.
We understand that family offices conduct formal vendor due diligence before deploying software that handles sensitive ownership and compliance data. We support that process.
Available on request (Enterprise):
Where is my data stored?
On AWS infrastructure in the United States. Enterprise customers may request alternative data residency configurations.
Can Foli employees see my entity structure or documents?
Foli employees do not have access to customer entity data or documents in the normal course of operations. Support staff may access data with your explicit permission to resolve a specific support issue. All access is logged.
What happens to my data if I cancel?
You can export your full dataset before cancellation. After account deletion, data is purged within 90 days. Audit logs required for compliance may be retained longer per applicable law.
Do you offer a self-hosted option?
Enterprise customers may use self-hosted document storage (MinIO or S3-compatible) so document files never leave their own infrastructure. Core application data is stored in Foli's managed database infrastructure.
How do you handle a security incident?
We maintain a documented incident response plan. In the event of a confirmed breach affecting customer data, we will notify affected customers within 72 hours of discovery, consistent with applicable breach notification laws.
Is Foli SOC 2 certified?
We are in active pursuit of SOC 2 Type II certification. Our controls are designed to meet SOC 2 requirements. Enterprise customers may request a controls summary and our anticipated certification timeline.
Our security team is available for pre-sales security reviews, due diligence questionnaires, and vendor risk conversations. Contact us before the demo — we'll come prepared.