Security at Frame
Your prompts and data are at the core of what we protect. Security is built into every layer of our platform.
Infrastructure Security
Encrypted data at rest and in transit, network isolation, and hardened cloud infrastructure with automatic failover.
Application Security
Role-based access control, input validation, CSRF protection, and secure authentication with session management.
Data Protection
AES-256 encryption at rest, TLS 1.2+ in transit, automated backups, and disaster recovery procedures.
AI Data Security
Strict tenant isolation for prompts, encrypted API connections to AI providers, and zero model training on your data.
1. Our Commitment to Security
At Frame, security is not an afterthought — it is a foundational principle. We understand that the prompts and knowledge your team creates are sensitive intellectual property, and we treat them with the highest level of care. Our security practices are designed to protect your data throughout its lifecycle.
2. Infrastructure Security
Our infrastructure is built with defense-in-depth principles:
- Cloud hosting: Deployed on enterprise-grade cloud infrastructure with SOC 2-certified data centers
- Network isolation: Application components are isolated in private networks with strict firewall rules
- DDoS protection: Automated detection and mitigation of distributed denial-of-service attacks
- Monitoring: 24/7 infrastructure monitoring with automated alerting for anomalies
- Redundancy: Multi-zone deployment with automatic failover to maintain 99.9% uptime
3. Application Security
Security is embedded throughout our software development lifecycle:
- Authentication: Secure cookie-based sessions with encrypted credentials and automatic expiration
- Authorization: Role-based access control (RBAC) with four permission levels — Owner, Admin, Editor, and Viewer
- Input validation: All user inputs are validated and sanitized to prevent injection attacks
- CSRF protection: Anti-forgery tokens on all state-changing operations
- Secure headers: HTTP security headers including Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security
4. Data Protection
Your data is protected with industry-standard encryption:
- Encryption at rest: All data stored using AES-256 encryption in our SQL Server databases
- Encryption in transit: All communications secured with TLS 1.2 or higher
- Password security: User passwords are hashed using modern cryptographic algorithms; plaintext passwords are never stored
- Backups: Automated daily backups with encrypted storage and regular restoration testing
- Data isolation: Each organization's data is logically isolated at the database level
5. AI Data Security
We take special care with how your prompts are handled by AI providers:
- Encrypted transmission: Prompts are sent to AI providers (Anthropic/Claude, Google/Gemini) over encrypted API connections
- Tenant isolation: Your prompts are never mixed with other organizations' data during processing
- No model training: We have contractual agreements with our AI providers that prohibit the use of your data for model training
- Minimal data exposure: Only the prompt text required for transformation is sent to AI providers — not your account details, organization data, or metadata
- Audit trail: All AI processing requests are logged for security auditing and compliance
6. Access Control
We enforce strict access controls both within the application and internally:
- Principle of least privilege: Employees are granted the minimum access necessary to perform their roles
- Access reviews: Regular reviews of employee access rights and permissions
- Audit logging: All administrative actions are logged and monitored
- Separation of duties: Access to production systems is limited and requires multi-party authorization for sensitive operations
7. Incident Response
We maintain a formal incident response plan:
- Detection: Automated monitoring and alerting systems detect potential security incidents
- Response: A dedicated team triages and responds to security events
- Notification: Affected users will be notified within 72 hours of a confirmed data breach, in compliance with GDPR requirements
- Post-incident: Root cause analysis and remediation measures are implemented after every incident
8. Compliance
Frame is committed to meeting the following compliance standards:
- GDPR: Full compliance with the EU General Data Protection Regulation, including data subject rights, data processing agreements, and privacy-by-design principles
- Data Processing Agreements: We maintain DPAs with all sub-processors, including our AI providers and infrastructure partners
9. Responsible Disclosure
We welcome security researchers who help us keep Frame secure. If you discover a security vulnerability, please report it responsibly:
- Email: security@useframe.co
- Response time: We will acknowledge your report within 48 hours
- Guidelines: Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it
- Scope: Please only test against your own accounts. Do not access or modify other users' data
Questions About Security?
Our team is happy to discuss our security practices and answer any questions you may have.