
Security

Last updated: May 10, 2026

At F47 Systems, Inc., the security of your data is foundational to everything we build. F47 Core is designed from the ground up with enterprise-grade security practices. This page describes the technical and organizational measures we implement to protect your information.

1. Infrastructure & Hosting

  • Cloud hosting: F47 Core is hosted on Vercel's global edge network, providing enterprise-grade infrastructure with automatic failover, DDoS protection, and global CDN distribution.
  • Database: All customer data is stored in Neon serverless PostgreSQL, hosted in SOC 2 Type II compliant data centers in the United States.
  • Isolation: F47 Core uses a multi-tenant architecture with strict tenant isolation. Each organization's data is logically separated and scoped — queries are always filtered by tenant ID at the application layer.
  • Redundancy: Databases are automatically replicated with continuous backups and point-in-time recovery capabilities.

2. Encryption

  • In transit: All data transmitted between your browser and F47 Core is encrypted using TLS 1.2+ (HTTPS). We enforce HSTS headers and obtain certificates automatically via Vercel's managed SSL.
  • At rest: All database storage and backups are encrypted at rest using AES-256 encryption.
  • File storage: Uploaded files are stored via UploadThing with encryption at rest and served over HTTPS.

3. Authentication & Access Control

  • Authentication provider: F47 Core uses Clerk for user authentication, providing enterprise-grade identity management with support for multi-factor authentication (MFA), social sign-on, and session management.
  • Organization-based access: Users are scoped to organizations managed through Clerk. Only invited members can access an organization's data.
  • Session security: Sessions are cryptographically signed, expire automatically, and can be revoked at any time by administrators.
  • API security: All API endpoints require valid authentication tokens. Webhook endpoints are verified using HMAC signatures to prevent forgery.

4. Application Security

  • Input validation: All user inputs are validated and sanitized on both the client and server side to prevent injection attacks (SQL injection, XSS) and cross-site request forgery (CSRF).
  • Parameterized queries: We use Prisma ORM, which exclusively uses parameterized queries, eliminating SQL injection vulnerabilities.
  • CSRF protection: Server Actions in Next.js include built-in CSRF protection via origin checking.
  • Dependency management: Dependencies are regularly audited for known vulnerabilities using automated scanning tools.
  • Secure headers: We enforce security headers including Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.

5. Payment Security

All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. F47 Core never stores, processes, or transmits raw credit card data. Payment forms are rendered by Stripe's secure embedded elements.

6. Shipping & Third-Party Integrations

  • EasyPost: Shipping operations use EasyPost's API with per-tenant API keys stored encrypted. Webhook payloads are verified using HMAC signatures.
  • Resend: Transactional emails are sent via Resend. Inbound email webhooks are verified using Svix signature validation.
  • AI features: When AI-powered features are enabled, contextual business data is sent to Anthropic's Claude for processing. Anthropic does not use customer data for model training. AI features are opt-in and can be disabled at any time.

7. Data Backup & Recovery

  • Continuous backups: Database backups are performed continuously with point-in-time recovery available for the trailing retention window.
  • Geographic redundancy: Backups are stored in a separate availability zone from the primary database.
  • Recovery testing: We periodically test backup restoration procedures to verify data integrity and recovery time objectives.

8. Incident Response

F47 Systems maintains an incident response plan that includes:

  • Immediate investigation and containment of any suspected breach.
  • Notification to affected customers within 72 hours of confirmed breach, consistent with applicable regulations (e.g., GDPR, state breach notification laws).
  • Post-incident review and implementation of corrective measures.

9. Employee & Organizational Security

  • Access to production systems is limited to authorized personnel on a need-to-know basis.
  • All employees with access to customer data are subject to confidentiality obligations.
  • Administrative access requires multi-factor authentication.

10. Compliance

F47 Core is designed to support compliance with common regulatory frameworks including:

  • GDPR: Data processing agreements, data export, right to erasure.
  • CCPA: Consumer data access and deletion requests.
  • SOC 2: Our key infrastructure providers (Neon, Vercel, Clerk, Stripe) maintain SOC 2 Type II certifications.

11. Responsible Disclosure

If you discover a security vulnerability in F47 Core, we encourage responsible disclosure. Please report vulnerabilities to security@f47core.com. We will acknowledge receipt within 48 hours and work to resolve confirmed vulnerabilities promptly. We will not take legal action against researchers who act in good faith.

12. Contact Us

For security-related questions or concerns:

F47 Systems, Inc.
123 Main Street, Suite 100
Anytown, ST 00000
United States

Email: security@f47core.com
Phone: (555) 000-0000

© 2026 F47 Systems. All rights reserved.