Security & Compliance
FARchat is built on enterprise-grade infrastructure and is actively pursuing federal security standards. We document our compliance status honestly so you can make informed decisions.
Compliance Roadmap
4 certifications tracked
Pursuing FedRAMP
We are actively working toward FedRAMP authorization to meet federal cloud security standards for government use.
Last updated: February 2026
WCAG 2.2 AA / Section 508
Every public page is audited with axe-core and Lighthouse. Zero violations on all public routes as of our last audit.
Last audited: January 2026
SOC 2 Type II
Our architecture is designed to support SOC 2 Type II compliance. A formal audit is planned for general availability.
Target: Q4 2026
ITAR Architecture
Infrastructure and data flow are architected to support ITAR export control requirements. No foreign-hosted data processing.
Under review: 2026
Transparency Note: FARchat is currently in beta. Certifications marked as “Pursuing” or “Planned” are not yet complete. We document our compliance status honestly to help you make informed decisions about using our platform.
Security Practices
6 areas
Data Encryption
- AES-256 encryption for all data at rest
- TLS 1.3 for all data in transit
- Encrypted database backups via Supabase
- Environment secrets stored in Vercel vault
Access Control
- Row-Level Security (RLS) enforced in Supabase
- Role-based access control (RBAC)
- Session management with automatic timeout
- Supabase Auth with OAuth and magic links
Infrastructure
- Deployed on Vercel Edge Network (US regions)
- Database hosted on Supabase (US-East-1)
- No foreign data routing or processing
- DDoS protection via Vercel edge
Data Privacy
- No PII stored beyond account email
- Chat sessions isolated per user
- Queries never used to train AI models
- Data deletion available on request
Monitoring
- Error tracking via Sentry
- Uptime and latency checks
- Anomaly detection and alerting
- Comprehensive audit trails via Supabase
Incident Response
- Documented incident response runbook
- Responsible disclosure policy
- 48-hour acknowledgment SLA for reports
- Post-incident reports for critical issues
Questions about security?
Reach out to our team for security questionnaires, compliance documentation requests, or vulnerability disclosures. We acknowledge reports within 48 hours.