
Security & privacy

No bullshit when dealing with your data

As a CRM provider, security is a top priority for us.

Our customers host sensitive business data on our platform, and that requires a high level of trust. This page explains the measures we take to protect your data and your privacy. It is a non-exhaustive overview — if your compliance team needs more detail or formal documentation, contact us at security@folk.app.


Certifications & compliance

SOC 2 is a security framework published by the AICPA (American Institute of Certified Public Accountants); "SOC" stands for "System and Organization Controls." An independent auditor examines our controls across technology, organization, HR, and fraud management. folk has completed a SOC 2 Type 1 audit, which assesses the design of controls at a point in time, and is pursuing SOC 2 Type 2, which also tests that the controls operate effectively over a review period. A Letter of Attestation is available to customers on request, and the full SOC 2 report can be shared under NDA.

CASA. We complete the CASA (Cloud Application Security Assessment) audit every year through Google's App Defense Alliance. Google requires this assessment for applications that request restricted scopes such as gmail.readonly (see the email and calendar integrations section below), and it validates how we handle data accessed via third-party APIs such as Google and Microsoft.

Internal standards. As ongoing internal targets we benchmark against PCI DSS v3.2.1 Level 1 and the AWS Foundational Security Best Practices via AWS Security Hub, and we run the AWS Well-Architected Framework review twice a year.

GDPR compliance

folk is GDPR compliant. You have the right to access, rectify, object to the processing of, and delete your personal data at any time, and to receive it in a structured, commonly used, machine-readable format (data portability). To exercise these rights, email privacy@folk.app.

Personal data collected in the EU or UK may be transferred to and stored in the United States, where our infrastructure is hosted (AWS us-east-1, see below). For these transfers we rely on the EU–US Data Privacy Framework, which the European Commission has recognised as providing a level of protection adequate under GDPR. The data folk can store for its members includes:

  • Technical data — data source, creation and update dates, groups, language, external IDs, web URLs, and social media links.

  • Personal data — of members and their contacts, including names, phone numbers, addresses, email addresses, company names, roles, and photos.

How we handle your data

We never sell your personal data, and we never use it to train AI models. We share data only with the sub-processors required to deliver and improve the service — for example hosting, search, enrichment, billing, and customer support providers. The full, current list is published in our Privacy Policy. We use the data we collect to provide and improve the service, identify and communicate with users, process payments, and respond to valid legal processes and government requests.

Email & calendar integrations — data scope

When you connect an email or calendar account, folk requests the following OAuth scopes:

  • Google: profile, email, openid, gmail.readonly, calendar.readonly, contacts, contacts.other.readonly

  • Microsoft 365: contact access, mail read (Mail.Read), and calendar read.

For connected mailboxes, folk reads and stores email message data — including message bodies — so that interactions appear alongside your contacts. This data is encrypted at rest, and all email data is deleted when you remove the source or delete the workspace. There is currently no setting to store metadata only.
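The Google scope names above are the short forms; in a real authorization request they appear as full scope URIs. The following script is an added example for a compliance team reviewing a connected app; it is not folk's code. It extracts the requested scopes from a consent URL, maps the short OIDC aliases to their URIs, and flags anything not on the documented list, any restricted Gmail scope (the kind that triggers CASA), and any write-capable scope (Google read-only scopes carry a `.readonly` suffix; `contacts` without that suffix is read/write). The consent URL is constructed for illustration and deliberately includes one undocumented scope.

```python
from urllib.parse import parse_qs, urlparse

# Scopes listed on this page for Google, as the full URIs that appear
# in a real Google authorization request.
DOCUMENTED_GOOGLE_SCOPES = {
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/calendar.readonly",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.other.readonly",
}

# Short aliases Google accepts for the OpenID Connect scopes.
OIDC_ALIASES = {
    "email": "https://www.googleapis.com/auth/userinfo.email",
    "profile": "https://www.googleapis.com/auth/userinfo.profile",
}

GOOGLE_PREFIX = "https://www.googleapis.com/auth/"
# Gmail scopes are classified by Google as "restricted" (CASA required).
RESTRICTED_PREFIXES = (GOOGLE_PREFIX + "gmail.",)
# Identity-only scopes that grant no data read/write on their own.
IDENTITY_SCOPES = {"openid"} | set(OIDC_ALIASES.values())

# Constructed consent URL (not a capture from folk): documented scopes
# plus drive.readonly, which the page does not list.
SAMPLE_CONSENT_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-client"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&response_type=code"
    "&scope=openid+email+profile"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.readonly"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.other.readonly"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly"
)


def scopes_from_auth_url(url: str) -> set[str]:
    """Return the normalised set of scope URIs requested by a consent URL."""
    query = parse_qs(urlparse(url).query)   # decodes %xx and '+' for us
    raw = query.get("scope", [""])[0]
    return {OIDC_ALIASES.get(s, s) for s in raw.split() if s}


def is_write_scope(scope: str) -> bool:
    """Heuristic: a Google data scope without a .readonly suffix grants write access."""
    return (
        scope.startswith(GOOGLE_PREFIX)
        and scope not in IDENTITY_SCOPES
        and not scope.endswith(".readonly")
    )


def audit_scopes(requested: set[str], documented: set[str] = DOCUMENTED_GOOGLE_SCOPES) -> dict:
    """Compare requested scopes with the vendor's documented list."""
    return {
        "undocumented": sorted(requested - documented),
        "restricted": sorted(s for s in requested if s.startswith(RESTRICTED_PREFIXES)),
        "write": sorted(s for s in requested if is_write_scope(s)),
    }


if __name__ == "__main__":
    report = audit_scopes(scopes_from_auth_url(SAMPLE_CONSENT_URL))
    for key, scopes in report.items():
        print(f"{key}: {scopes or 'none'}")
```

Run it against the actual URL the app redirects you to when you connect an account; an empty `undocumented` list means the consent screen matches what the vendor documents, and `write` tells you which grants go beyond read access.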

AI features & your data

Every AI feature can be turned off. Data used by our AI features is processed through OpenAI's APIs and is never used to train models. Other enrichment providers, such as Perplexity, can be disabled entirely in your settings.

Our technical platform

Our platform is hosted on Amazon Web Services (AWS) in the North Virginia region (us-east-1). We deploy across multiple availability zones and follow AWS recommendations to ensure continuity. Only our technical team has access to the production environment. Each engineer with that access authenticates with a unique login and password, with MFA enforced and password rotation every 90 days. Any third-party service we rely on is reviewed to ensure its security level meets our standards before we use it.

Application & infrastructure security

  • Network protection. AWS WAF (Web Application Firewall) is attached in front of the load balancers in our VPC.

  • Hardened, immutable servers. All our servers run read-only Docker images built by our CI pipeline, so an attacker who gains code execution on a server cannot persist changes to its filesystem; every deployment starts from a fresh, known image.

  • Vulnerability management. Amazon Inspector scans every image build. We review findings weekly and patch them as soon as possible, prioritizing by severity.

  • Encryption. Data is encrypted in transit and at rest.

  • Other practices. Component isolation, automated deployments, regular updates, continuous monitoring and observability, regular audits, asset and data lifecycle management, customer-facing access controls (ACLs), data classification, backups, and security training.
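"Read-only image" is a verifiable property rather than a promise, and it has a limit a reviewer should know: a read-only root filesystem still leaves tmpfs mounts and any read-write volume writable. The script below is an added example, not folk's tooling, that audits `docker inspect` output for the hardening properties listed above (read-only rootfs, non-root user, no added capabilities, pinned image) and reports the paths that remain writable. The two container records are constructed samples of the `docker inspect` JSON shape, not real folk infrastructure.

```python
import json

# Constructed `docker inspect` output: one hardened container and one
# with common weaknesses. Field names follow the Docker Engine API.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/api-hardened",
        "Config": {"User": "10001:10001",
                   "Image": "registry.example/api@sha256:0123abcd"},
        "HostConfig": {"ReadonlyRootfs": True, "Privileged": False,
                       "CapAdd": None, "CapDrop": ["ALL"],
                       "Tmpfs": {"/tmp": "rw,noexec,nosuid,size=64m"}},
        "Mounts": [],
    },
    {
        "Name": "/worker-legacy",
        "Config": {"User": "", "Image": "registry.example/worker:latest"},
        "HostConfig": {"ReadonlyRootfs": False, "Privileged": False,
                       "CapAdd": ["NET_ADMIN"], "CapDrop": None, "Tmpfs": None},
        "Mounts": [{"Type": "bind", "Source": "/srv/uploads",
                    "Destination": "/data", "RW": True}],
    },
])

ROOT_USERS = {"", "0", "root"}


def image_is_pinned(image: str) -> bool:
    """A digest reference is pinned; a tag other than :latest is acceptable."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]
    return ":" in last and not last.endswith(":latest")


def audit_container(container: dict) -> dict:
    """Return hardening findings and the paths that stay writable at runtime."""
    host = container.get("HostConfig") or {}
    cfg = container.get("Config") or {}
    findings = []

    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (no --read-only)")
    user = (cfg.get("User") or "").split(":")[0]
    if user in ROOT_USERS:
        findings.append("runs as root (no USER / --user)")
    if host.get("Privileged"):
        findings.append("privileged container")
    if host.get("CapAdd"):
        findings.append("added capabilities: " + ",".join(host["CapAdd"]))
    dropped = {c.upper() for c in (host.get("CapDrop") or [])}
    if "ALL" not in dropped:
        findings.append("does not drop all capabilities")
    image = cfg.get("Image", "")
    if not image_is_pinned(image):
        findings.append(f"image not pinned: {image}")

    # Even with a read-only rootfs these locations accept writes.
    writable = list((host.get("Tmpfs") or {}).keys())
    writable += [m["Destination"] for m in container.get("Mounts") or [] if m.get("RW")]

    return {"name": (container.get("Name") or "").lstrip("/"),
            "findings": findings,
            "writable_paths": sorted(writable)}


def audit_inspect_output(raw_json: str) -> list[dict]:
    """Audit every container in a `docker inspect` JSON document."""
    return [audit_container(c) for c in json.loads(raw_json)]


if __name__ == "__main__":
    for result in audit_inspect_output(SAMPLE_INSPECT):
        print(result["name"], "findings:", result["findings"] or "none",
              "writable:", result["writable_paths"])
```

In practice feed it `docker inspect $(docker ps -q)`; a clean result is an empty findings list, and the writable paths are where you still need monitoring (noexec tmpfs, integrity checks on data volumes) because read-only rootfs does not cover them.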

Internal security process

We work from established frameworks: the NIST Cybersecurity Framework (US) and best-practice guidance from ANSSI (France's national cybersecurity agency). We maintain a cybersecurity risk analysis with remediation actions, a documented disaster recovery plan that we test, security training material, and defined onboarding and offboarding procedures.

Authentication & access management

Rather than a traditional idle-session timeout, active sessions are revalidated every 2 minutes and remain valid for 90 days, after which re-authentication is required. We control physical access to our offices (badges, secure keys). For logical access to our tools, we apply two principles wherever supported: two-factor authentication and one account per person. HTTP access logs to the platform are archived for legal and investigation purposes and retained for more than one year.
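The two numbers in that policy do different jobs: the 90-day lifetime bounds how long a session can live, and the 2-minute revalidation bounds how long a revoked or offboarded account keeps working. The model below is an added example showing how such a policy behaves; it is not folk's implementation, which is not published, and it uses an in-memory store and an injectable clock so the behaviour can be exercised without waiting. It demonstrates that revalidation never extends the hard lifetime, and that revoking a user takes effect within one revalidation interval.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

REVALIDATE_EVERY = timedelta(minutes=2)   # interval stated on this page
ABSOLUTE_LIFETIME = timedelta(days=90)    # hard lifetime stated on this page

# Outcomes returned by SessionStore.check()
OK_CACHED = "ok (cached)"
OK_REVALIDATED = "ok (revalidated)"
REVOKED = "revoked"
EXPIRED = "expired: re-authenticate"
UNAUTHENTICATED = "unauthenticated"


@dataclass
class Session:
    user_id: str
    issued_at: datetime          # anchors the absolute lifetime
    last_validated_at: datetime  # anchors the revalidation interval


class SessionStore:
    """Illustrative in-memory session store with an injectable clock."""

    def __init__(self, now: datetime):
        self._now = now
        self.sessions: dict[str, Session] = {}
        self.revoked_users: set[str] = set()   # e.g. offboarded accounts

    def advance(self, delta: timedelta) -> None:
        self._now += delta

    def login(self, session_id: str, user_id: str) -> None:
        self.sessions[session_id] = Session(user_id, self._now, self._now)

    def revoke_user(self, user_id: str) -> None:
        """Mark the account as revoked; sessions notice at their next revalidation."""
        self.revoked_users.add(user_id)

    def check(self, session_id: str) -> str:
        session = self.sessions.get(session_id)
        if session is None:
            return UNAUTHENTICATED
        # Hard lifetime is measured from issue time; revalidation never extends it.
        if self._now - session.issued_at >= ABSOLUTE_LIFETIME:
            del self.sessions[session_id]
            return EXPIRED
        # Inside the window: the last decision is reused without a lookup.
        if self._now - session.last_validated_at < REVALIDATE_EVERY:
            return OK_CACHED
        # Window elapsed: consult the authoritative account state.
        if session.user_id in self.revoked_users:
            del self.sessions[session_id]
            return REVOKED
        session.last_validated_at = self._now
        return OK_REVALIDATED


if __name__ == "__main__":
    store = SessionStore(datetime(2024, 1, 1, tzinfo=timezone.utc))
    store.login("s1", "alice")
    store.revoke_user("alice")
    print("just after revocation:", store.check("s1"))
    store.advance(REVALIDATE_EVERY)
    print("one interval later:", store.check("s1"))
```

The worst-case revocation latency is exactly `REVALIDATE_EVERY`; if that is too long for a given threat (a stolen laptop, a departing admin), the revalidation path is where you add an explicit session kill rather than shortening the 90-day lifetime.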

Data retention & deletion

Data is automatically deleted from our database after 90 days of user inactivity. You can close your account at any time; account deletion takes effect within 1 week, after which the data is no longer accessible in folk. Due to backup and logging configurations, personal data is fully removed from all our systems within a maximum of 30 days for backups and 90 days for logs. Email data is deleted when the source is removed or the workspace is deleted. We retain personal data only as long as legally required.

Safety of your data & incident response

Our storage is encrypted at rest and all our data systems communicate over secure protocols. We have never been breached for data theft. If such an incident ever occurred, we have a response plan ready: identify and stop the breach (with the ability to shut the platform down within minutes if needed), assess its scope and the affected users, and communicate transparently — sharing the status, the extent, the remediation steps taken, and recommended actions. Our data-processing agreement commits us to notifying affected customers of a personal-data breach within 24 hours.

Enterprise & vendor security reviews

For vendor due-diligence questionnaires and procurement reviews, we can provide additional documentation and contractual commitments on request, including a Data Processing Agreement (with our sub-processor list and advance notice of changes), our SOC 2 report under NDA, the latest CASA / penetration-test summary, and details on SSO, administrator audit logs, service-level (SLA) and uptime, and data residency. To start a security review, email security@folk.app.


For more information, please refer to our terms of use and privacy policy.

If you have any question on this topic, please email us at security@folk.app.
