Security Overview

Our approach
Facti AI is an independent AI product studio. We build software in the trust space — identity verification, deepfake detection, media authenticity. We take security seriously not just for our customers but because trust is what we build.
This page describes how we approach security across the facti.ai marketing website and the company's operations. Each of our products has its own security posture documented on its own product site, with controls tailored to what that product handles.
We don't make claims we can't back up. Where we don't yet have a particular control or certification, we say so honestly.
Infrastructure
The facti.ai marketing website is a statically generated site (Next.js with static export). It serves prerendered HTML, CSS, JavaScript, and image files — no application server, no database, no user session state on the marketing site itself. This dramatically reduces the website's attack surface compared to dynamic applications.
The site is hosted on a managed hosting provider that handles physical security, network-level protections, and platform-level patching for its infrastructure.
The site source code is stored in a private GitHub repository. Access to the repository is limited to authorized personnel using strong authentication.
Encryption
In transit. All traffic to and from facti.ai is served over HTTPS using TLS 1.2 or higher, with valid certificates issued by a recognized certificate authority. Insecure HTTP requests are redirected to HTTPS.
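The in-transit claims above (HTTP redirected to HTTPS, TLS 1.2 or higher, a certificate the client trusts) are the kind of thing a defender checks from the outside rather than takes on faith. The script below is an added example, not Facti AI's own tooling: it judges the first response to a plain-HTTP request without following redirects, and separately performs a TLS handshake with a client context that refuses anything older than TLS 1.2 and verifies the chain and hostname. The host name is a parameter; the responses fed to `redirect_is_sound` in testing are constructed.

```python
"""Verify the transport claims: plain HTTP redirects to HTTPS on the same host,
and the server negotiates TLS 1.2 or higher with a trusted certificate.

Added example, not Facti AI's own tooling. Only the standard library is used.
"""
import http.client
import socket
import ssl
from typing import Optional, Tuple
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}


def redirect_is_sound(original_url: str, status: int, location: Optional[str]) -> Tuple[bool, str]:
    """Judge one response to a plain-http request without following it.

    Sound means: a redirect status, a Location that uses https://, and the same
    host. A redirect that changes host would hand the visitor to another origin,
    so it is reported as a failure even though the scheme is https.
    """
    if status not in REDIRECT_CODES:
        return False, f"expected a redirect, got HTTP {status}"
    if not location:
        return False, "redirect carries no Location header"
    src, dst = urlsplit(original_url), urlsplit(location)
    if dst.scheme != "https":
        return False, f"Location scheme is {dst.scheme!r}, not https"
    if dst.hostname != src.hostname:
        return False, f"redirect leaves the host: {src.hostname} -> {dst.hostname}"
    return True, "ok"


def probe_http_redirect(host: str, timeout: float = 5.0) -> Tuple[bool, str]:
    """Issue one GET over port 80 and judge the first response (no redirect following)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return redirect_is_sound(f"http://{host}/", resp.status, resp.getheader("Location"))
    finally:
        conn.close()


def negotiated_tls_version(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Handshake with a context that refuses anything below TLS 1.2 and verifies
    the certificate chain and hostname; return the protocol version negotiated.

    Raises ssl.SSLError (ssl.SSLCertVerificationError for a bad certificate)
    when the server cannot meet those requirements.
    """
    ctx = ssl.create_default_context()          # CA bundle + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0 / 1.1 outright
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "facti.ai"
    ok, why = probe_http_redirect(target)
    print(f"http://{target}/ -> {'OK' if ok else 'FAIL'}: {why}")
    print(f"https://{target}/ negotiated {negotiated_tls_version(target)}")
```

Run it as `python check_transport.py facti.ai`. Because `redirect_is_sound` is a pure function over status and headers, it can be exercised in a test without network access, while the two probe functions need a live host.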
At rest. Information stored by the company (email inboxes, internal documents, source code) is encrypted at rest by the underlying service providers.
Access controls
We follow the principle of least privilege. Internal systems and services use strong authentication, including:
- Multi-factor authentication on critical accounts: source control, email, hosting control panel, DNS, and payment systems
- Password managers for credential storage
- Unique, randomly generated passwords for each service
- Time-bound access for any third-party contractors or collaborators
We don't share credentials. Personnel changes trigger access review.
Software supply chain
The website is built from open-source dependencies (Next.js, React, Tailwind CSS, lucide-react). We:
- Pin dependency versions in our package lock file
- Monitor for security advisories on the dependencies we use
- Apply security updates promptly when patches are available
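Pinning in the lock file only helps if every entry in it is actually pinned: an exact version, an HTTPS source, and a sha512 integrity hash that `npm ci` checks against the downloaded tarball. The following is an added example, not part of Facti AI's tooling, that audits the `packages` map of a lockfile v2/v3 `package-lock.json` (the format npm 7 and later write) and reports anything that weakens the pin. The sample lockfile at the bottom is constructed for the demonstration; its integrity values are placeholders, not real digests.

```python
"""Audit a package-lock.json for pinning discipline.

Added example, not Facti AI's own tooling. Reads the lockfile v2/v3
"packages" map; the sample lockfile below is constructed and its integrity
hashes are placeholders.
"""
import json
from typing import Dict, List

REGISTRY = "https://registry.npmjs.org/"


def audit_lockfile(lock: dict) -> List[str]:
    """Return findings; an empty list means every dependency is pinned to an
    exact version, fetched over HTTPS, and protected by a sha512 integrity hash."""
    findings: List[str] = []
    packages: Dict[str, dict] = lock.get("packages", {})
    if lock.get("lockfileVersion", 0) < 2 or not packages:
        return ["lockfile is not v2/v3 (no 'packages' map); regenerate with a current npm"]

    # Every dependency declared on the root project must have a locked entry,
    # otherwise npm resolves it fresh at install time and the pin is fiction.
    root = packages.get("", {})
    declared = list(root.get("dependencies", {})) + list(root.get("devDependencies", {}))
    for name in declared:
        if f"node_modules/{name}" not in packages:
            findings.append(f"{name}: declared in package.json but absent from the lock")

    for path, entry in packages.items():
        if path == "" or entry.get("link"):
            continue  # root project and workspace symlinks carry no artifact
        if not entry.get("version"):
            findings.append(f"{path}: no exact version recorded")
        resolved = entry.get("resolved", "")
        if not resolved:
            findings.append(f"{path}: no resolved URL (npm will re-resolve on install)")
        elif not resolved.startswith("https://"):
            findings.append(f"{path}: resolved over non-HTTPS URL {resolved}")
        elif not resolved.startswith(REGISTRY):
            findings.append(f"{path}: fetched outside the public registry ({resolved}); review the source")
        integrity = entry.get("integrity", "")
        if not integrity:
            findings.append(f"{path}: no integrity hash, tarball contents are unverified")
        elif not integrity.startswith("sha512-"):
            findings.append(f"{path}: weak integrity algorithm ({integrity.split('-', 1)[0]})")
    return findings


def audit_lockfile_path(path: str) -> List[str]:
    """Convenience wrapper: load a lockfile from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_lockfile(json.load(fh))


# Constructed sample: one clean entry, one without an integrity hash, one
# fetched over plain HTTP with a sha1 hash, and one declared but never locked.
SAMPLE_LOCK = {
    "name": "site-demo",
    "lockfileVersion": 3,
    "requires": True,
    "packages": {
        "": {"dependencies": {"react": "^18.2.0", "lucide-react": "^0.300.0", "left-pad": "^1.0.0"}},
        "node_modules/react": {
            "version": "18.2.0",
            "resolved": REGISTRY + "react/-/react-18.2.0.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
        "node_modules/lucide-react": {
            "version": "0.300.0",
            "resolved": REGISTRY + "lucide-react/-/lucide-react-0.300.0.tgz",
        },
        "node_modules/old-lib": {
            "version": "1.0.0",
            "resolved": "http://mirror.example/old-lib-1.0.0.tgz",
            "integrity": "sha1-PLACEHOLDER",
        },
    },
}

if __name__ == "__main__":
    import sys

    results = audit_lockfile_path(sys.argv[1]) if len(sys.argv) > 1 else audit_lockfile(SAMPLE_LOCK)
    print("\n".join(results) if results else "all entries pinned")
```

Run it as `python audit_lock.py package-lock.json` in CI next to `npm ci` (which installs strictly from the lock and fails if `package.json` disagrees with it) and `npm audit` (which matches the locked versions against published advisories). The audit above catches the cases those two commands do not complain about on their own: a dependency that quietly lacks an integrity hash or is fetched from a non-registry source.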
We don't include any third-party tracking scripts, advertising pixels, or analytics services that haven't been reviewed.
Vulnerability management
We pay attention to security advisories affecting the technologies we use. When a vulnerability is identified in a dependency or platform we rely on, we evaluate exposure, apply patches, and verify the fix.
If you discover a vulnerability in the facti.ai website (or our products), please report it to contact@facti.ai. We'll acknowledge the report within seventy-two hours and keep you informed as we work to fix it.
We currently don't operate a paid bug bounty program. We do recognize and credit researchers who report issues responsibly.
Responsible disclosure
If you're a security researcher and you've found something, please:
- Email contact@facti.ai with a clear description of the issue and reproduction steps
- Give us reasonable time to investigate and fix the issue before any public disclosure
- Avoid accessing or modifying data that doesn't belong to you, and don't disrupt service
We won't pursue legal action against researchers who follow these guidelines in good faith.
Incident response
If we identify a security incident that affects our website or your information:
- We investigate to determine scope and impact
- We take steps to contain and remediate the issue
- We notify affected parties as required by law, and where appropriate, even when not strictly required
- We document the incident and apply lessons learned to our processes
Compliance and certifications
We are honest about our current state. As a small, independent studio, we do not currently hold formal security certifications such as SOC 2 or ISO 27001. Where individual products require formal compliance (for example, KYCShield serving financial institutions), those certifications are pursued at the product level on the product's own timeline.
We follow security best practices and design our systems to align with established frameworks (NIST CSF, OWASP Top 10), but we don't claim certifications we haven't earned.
Third-party providers
Some functions are handled by third-party providers (email, hosting, source code management, DNS). We choose providers that maintain strong security postures themselves and review their security documentation before adoption.
We aim to minimize the number of providers we depend on and avoid services that don't meet our security expectations.
Changes and updates
Security practices evolve. We update this page when our practices change. For material changes, we'll note them on the website. The effective date at the top of this page reflects the most recent update.
Contact
Security questions, concerns, or vulnerability reports: email contact@facti.ai.
Facti AI LLC
Colorado Springs, Colorado
United States