Security & Infrastructure
Last Updated: March 18, 2026
Security is not an afterthought at Furistic — it is embedded in our architecture, our development practices, and our culture. This page describes how we protect your data, our infrastructure, and our commitment to transparency in security matters.
1. Security Overview
At Furistic Inc. ("Furistic," "we," "us," or "our"), security is foundational to everything we build. Our platform serves industries where data integrity and confidentiality are critical — real estate transactions in RealtyOS and financial trading in TradeOS.
This document outlines our security practices, infrastructure architecture, and compliance posture. We maintain a defense-in-depth approach, with multiple layers of security controls protecting our platform, your data, and our AI systems.
Our security program is overseen by our security team, with regular third-party audits and continuous monitoring across all systems.
2. Compliance & Certifications
Furistic maintains the following compliance standards and certifications:
**SOC 2 Type II** — We undergo annual SOC 2 Type II audits covering Security, Availability, Processing Integrity, Confidentiality, and Privacy trust service criteria. Audit reports are available to customers under NDA upon request.
**PIPEDA Compliance** — As a Canadian company, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.
**PCI DSS** — Payment processing is handled through PCI DSS-compliant third-party processors. We do not store, process, or transmit cardholder data directly.
**OWASP Top 10** — Our development practices incorporate protections against the OWASP Top 10 web application security risks, verified through regular penetration testing.
We continuously evaluate additional certifications and frameworks as our compliance requirements evolve.
3. Encryption Standards
All data is protected by industry-standard encryption:
**In Transit.**
• TLS 1.3 for all client-server communications
• Certificate pinning for mobile applications
• HSTS (HTTP Strict Transport Security) enforced across all domains
• Perfect forward secrecy (PFS) enabled on all endpoints
**At Rest.**
• AES-256 encryption for all stored data
• Database-level encryption with managed key rotation
• Encrypted backups with geographically separated storage
• Hardware Security Modules (HSMs) for cryptographic key management
**Application Layer.**
• Bcrypt/Argon2 password hashing with appropriate work factors
• Encrypted API tokens and secrets management via dedicated vault infrastructure
• End-to-end encryption for sensitive document storage
• Signed and encrypted JWT tokens for authentication
4. Infrastructure Architecture
Our platform runs on a modern, cloud-native infrastructure designed for resilience and security:
**Cloud Infrastructure.** Hosted on enterprise-grade cloud providers with SOC 2, ISO 27001, and ISO 27017 certifications. Infrastructure is defined and managed as code for reproducibility and auditability.
**Network Security.**
• Virtual private clouds (VPCs) with strict network segmentation
• Web application firewalls (WAFs) protecting all public endpoints
• DDoS protection and rate limiting at the edge
• Private networking for internal service communication
• Zero-trust network architecture with service mesh
**Container & Orchestration.**
• Containerized workloads running on Kubernetes
• Immutable container images built from hardened base images
• Runtime security monitoring and anomaly detection
• Automated vulnerability scanning of container images
**Availability.**
• Multi-region deployment capability
• Automated failover and disaster recovery procedures
• Regular disaster recovery testing
• RPO (Recovery Point Objective) of 1 hour, RTO (Recovery Time Objective) of 4 hours
5. Multi-Product Data Isolation
Furistic operates multiple products (RealtyOS, TradeOS) on a shared platform. We maintain strict data isolation between products and tenants:
**Product-Level Isolation.**
• Separate database schemas and storage buckets per product
• Independent API endpoints and authentication scopes per product
• Network-level isolation between product services
• Product-specific encryption keys
**Tenant-Level Isolation.**
• Logical data isolation between customers within each product
• Row-level security policies enforced at the database layer
• Tenant-scoped API authentication and authorization
• Audit logging of all cross-tenant access attempts (zero tolerance)
**Shared Identity Layer.**
• Centralized identity and SSO managed through our dedicated identity platform
• Identity data is isolated from product-specific data
• Fine-grained permission scoping per product and per resource
• Multi-factor authentication (MFA) available for all accounts
6. Access Controls
We enforce strict access controls across our platform and internal systems:
**For Customers.**
• Role-based access control (RBAC) with configurable roles and permissions
• Multi-factor authentication (MFA) support, including TOTP and WebAuthn
• Session management with configurable timeouts and concurrent session limits
• API key management with granular scope controls
• Audit logs for all access and modification events
**Internal Controls.**
• Principle of least privilege for all employee access
• Just-in-time (JIT) access provisioning for production systems
• Multi-person approval required for sensitive operations
• Background checks for all employees with access to customer data
• Mandatory security awareness training and annual refreshers
• Quarterly access reviews and deprovisioning audits
7. Incident Response
Furistic maintains a documented incident response program:
**Detection.** Automated monitoring, alerting, and anomaly detection across all systems. A Security Information and Event Management (SIEM) system aggregates and correlates security events.
**Response Phases.**
1. **Identification** — Classify the incident by severity and scope
2. **Containment** — Isolate affected systems to prevent further impact
3. **Eradication** — Remove the threat and patch vulnerabilities
4. **Recovery** — Restore affected systems and verify integrity
5. **Post-Incident Review** — Conduct root cause analysis and implement preventive measures
**Notification.**
• Critical incidents affecting customer data: notification within 72 hours
• Service-impacting incidents: real-time updates via status page
• Post-incident reports provided for significant events
• Compliance with PIPEDA breach notification requirements
**Testing.** We conduct regular tabletop exercises and simulated incident response drills to ensure team readiness.
8. Responsible Disclosure Program
We welcome security researchers to help us keep the Furistic platform safe. If you discover a security vulnerability, please report it responsibly.
**How to Report.**
• Email: security@furistic.co
• Include detailed steps to reproduce the vulnerability
• Provide your assessment of the potential impact
• Allow reasonable time for us to investigate and remediate before public disclosure
**Scope.**
• All Furistic web applications and APIs (*.furistic.co)
• RealtyOS and TradeOS applications
• Furistic mobile applications
• Authentication and identity systems
**Out of Scope.**
• Social engineering attacks against Furistic employees
• Physical attacks against Furistic infrastructure
• Denial of service (DoS/DDoS) attacks
• Automated scanning without prior coordination
**Our Commitment.**
• Acknowledge receipt of your report within 48 hours
• Provide an initial assessment within 5 business days
• Keep you informed of remediation progress
• Credit researchers in our security acknowledgments (with your consent)
• Take no legal action against researchers who act in good faith and comply with this program
We do not currently offer monetary bounties but may do so in the future.
Security Contact
For security concerns, vulnerability reports, or to request our SOC 2 report, contact us at security@furistic.co.