Your data is your business. We treat it that way.
We know sharing your business data with a software company isn't a small decision. Here's exactly what we do to keep yours safe — and yours alone.
- SOC 2 Type 2 (In Progress): Audit in progress
- Google Cloud (Active): SOC 1, 2, 3 · ISO 27001 · HIPAA
- US-Hosted (Active): All data in United States
How we protect your data.
The controls and practices behind every Fig account.
Encryption
Your data is encrypted both when it's sitting in our database (AES-256) and when it's moving across the internet (TLS 1.2+). The most sensitive pieces — like your integration passwords — get an extra layer of encryption on top.
Access Controls
Every account is protected by modern authentication. Multi-factor login is available, and enterprise customers can connect their own single sign-on. We can also restrict access by team or role.
Infrastructure
We run on Google Cloud, which is independently certified for SOC 1, SOC 2, ISO 27001, HIPAA, and FedRAMP. Continuous automated backups mean we can recover your data to any point in the recent past.
Monitoring
Every action in our system is logged — who did what, when, and from where.
Incident Response
In the unlikely event of a confirmed security incident, we'll let affected customers know within 72 hours — what happened, what data was involved, and what we're doing about it.
Compliance Roadmap
We've kicked off our SOC 2 Type 2 audit and a third-party penetration test. We'll post updates here as we hit milestones.
Common questions, plain answers.
If you have a question that isn't here, email founders@growfig.ai and we'll respond within one business day.
Where is my data stored?
Your data lives on Google Cloud servers in California. Google handles the physical security and uptime of the data centers. They're some of the most rigorously protected facilities in the world. Your data never leaves the United States.
Who at Fig can see my data?
Your data is yours. We don't read it, browse it, or share it. The only time someone at Fig looks at your data is if you ask us to help with something specific, and we log every such access. We can show you that log any time you want.
Can other Fig customers see my data?
No. Each company on Fig has its own private space. Nobody at another company can see your accounts, contacts, or anything else you've put in.
Do you train models on my data?
No, never. Your data belongs to you. We don't use any of it to train models, ours or anyone else's. The vendors that help us run Fig are contractually prohibited from using your data either.
What happens to my data if I cancel?
If you cancel, we delete your data within 30 days, or sooner if you ask.
Are you SOC 2 compliant?
We're currently going through our SOC 2 Type 2 audit. The formal document from our auditor confirming the audit is underway is available on request. Just email founders@growfig.ai.
How do you connect to my ERP, CRM, or email?
We use the official, secure connections your systems already provide: Microsoft Dynamics, Salesforce, HubSpot, Google Workspace, Microsoft 365. Your credentials are encrypted before we ever store them. You don't have to set up a VPN, change your firewall, or do any custom IT work.
For your security or compliance team
If your IT, security, or procurement team needs formal documentation, the following are available on request:
- Security questionnaire (CAIQ-Lite) — pre-filled, industry-standard cloud security assessment
- SOC 2 auditor engagement letter — formal proof of our SOC 2 Type 2 audit in progress
- SOC 2 Type 2 report — available once our audit completes
- Penetration test summary — available once complete
Email founders@growfig.ai
Last updated: May 2026

