Security at Futureproof
Last updated: 20th January 2023
At Futureproof we are committed to offering world-class data protection standards to ensure your data is safe and your compliance requirements are met.
The goal of Futureproof is to provide a core building block of your sustainability tech stack: a place where you can store all your environmental, social and governance records and documents, follow company growth and accelerate your day-to-day sustainability operations. This mission can’t be fulfilled without us implementing strict technical measures and following the highest security standards to build up trust with our customers.
Here you’ll find more information on how we approach security, and if you have additional questions feel free to get in touch at support@poweredbyfutureproof.com.
Data centre security
Our hosting environment is fully redundant with disaster recovery procedures. Our cloud hosting providers maintain multiple certifications for their data centres, including SOC 1, SOC 2, SOC 3, CSA and ISO27001. For more information about their certification and compliance, please visit the Amazon Web Services security site. You can read more about their compliance programmes here.
US hosted infrastructure
Futureproof infrastructure is hosted on servers in the United States (primarily in Oregon). Our data centre provider Amazon Web Services maintains multiple certifications, including SOC 1, SOC 2, SOC 3, CSA and ISO27001. In addition, all data is encrypted both in transit and at rest using strong encryption (AES-256).
Communication
All user data is transported securely, as all traffic is encrypted in transit via SSL. Encrypting data in transit protects it from unauthorised snooping, modification, and man-in-the-middle attacks. We use 256-bit SSL/TLS 1.2 encryption, utilising both the ECDSA and RSA algorithms.
Cyber Essentials Plus
We are continually working to improve the effectiveness of our security processes and controls and are working towards Cyber Essentials Plus for 2025. Our approach to product design and architecture, automated monitoring and formal policies allow us to stay up to date on our security posture at all times.
Credit cards
Futureproof does not store any credit card information. We have partnered with GoCardless for credit card processing. All data with GoCardless is encrypted at rest and in transit using strong encryption protocols. You can read more about their security procedures here.
Employee access is limited and audited
Only the people who need access to improve or operate the system have access. We make sure there are several layers of controls that individuals must go through to access customer data. And when they do their routine maintenance, debugging, or servicing of the system, they’re led through an auditing access path that requires them to state the valid consent or justification for the specific access session.
Vulnerability testing
We partner with world-leading security providers to perform regular security vulnerability testing of our systems and platform.
Data breach disclosure
In the event of a data breach involving personal data, we will promptly report to the local authority and to the people (data subjects) involved.
Processing of Company Personal Data
Futureproof will comply with all applicable Data Protection Laws in the Processing of Company Personal Data and not Process Company Personal Data other than on the relevant Company’s documented instructions.
3rd party Sub-Processors
Our sub-processors are leaders in their space and have security as a top priority. You can find the list of our sub-processors on our Privacy Policy page.
GDPR commitment
Futureproof is committed to compliance with the General Data Protection Regulation, and to meeting our legal obligation by helping our customers become compliant. You can read more about our GDPR compliance on our GDPR page.
Data backups
We run automated backups of our databases to ensure your data stays safe and highly available.
Log collection
We collect detailed logs to ensure we have a high-resolution trail of the actions performed across the platform for any incident investigation if so required.
Software updates
We have automated systems in place that monitor the versions and vulnerabilities in all of the code that powers Futureproof, and our infrastructure is continuously updated to the latest and most secure versions of software.
Automated tests
We run an extensive suite of automated tests after each code change to verify correctness of Futureproof features, including authentication and the permission system.
HTTP strict transport security
Our application forces all requests over HTTPS, ensuring all traffic is secured in transit and protecting against protocol downgrade attacks.
Security headers
Our application uses a series of security headers, including X-Frame-Options, X-XSS-Protection and Content-Security-Policy to mitigate a wide range of common security issues.
Reporting security issues
If you believe you have discovered a vulnerability in a Futureproof product or have a security incident to report, please contact support@poweredbyfutureproof.com. By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Futureproof's prior written approval. Detailed and quality reporting is important to Futureproof. You must include a working Proof of Concept.