Certifications and Trust Center
Factory maintains an enterprise‑grade security and compliance program, including:
- SOC 2
- ISO 27001
- ISO 42001
Audit trails and events
There are two complementary sources of audit information:
- Factory‑side audit logs (for cloud‑managed features).
- Customer‑side OTEL telemetry emitted by Droid.
Factory‑side audit logs (cloud‑managed)
When you use Factory’s hosted services, the control plane records key events such as:
- Authentication events and SSO/SCIM changes.
- Org and project configuration updates.
- Policy changes (model allow/deny lists, autonomy limits, Droid Shield settings, hooks configuration).
- Administrative actions in the web UI.
Customer‑side OTEL telemetry
Droid emits OTEL metrics, traces, and logs that can serve as fine‑grained audit data inside your own systems, including:
- Session start and end events, tagged with user, team, environment, and project information.
- Tool usage events (which tools were invoked, how long they ran, and whether they succeeded).
- Command execution metadata, including risk classification and outcome.
- Code modification events (which files and repositories were changed).
OpenTelemetry schema and collectors
Factory’s OTEL support is designed to integrate with existing observability tooling. At a high level, telemetry includes:
- Resource attributes – describing the environment, service, org, team, and user.
- Metrics – counters and histograms for sessions, LLM usage, tools, and errors.
- Traces and spans – describing the lifecycle of sessions and automated runs.
- Logs – structured events for key actions and errors.
A collector running in your own environment can then:
- Receive OTLP data from Droid.
- Enrich or redact attributes based on your own policies.
- Forward telemetry to multiple destinations (for example, Prometheus + Loki, Datadog, Splunk, or S3).
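The following OpenTelemetry Collector configuration is an added illustration of that pipeline, not a configuration shipped by Factory: it receives OTLP from Droid, applies an enrichment and redaction policy, and fans out to Prometheus, Loki (via its native OTLP ingest endpoint, Loki 3.0+) and an OTLP‑capable SIEM. The hostnames, paths and the attribute keys (`org.business_unit`, `user.id`, `droid.prompt_text`) are placeholders, since this page does not document Droid's attribute schema; substitute the keys from your own telemetry.

```yaml
receivers:
  otlp:
    protocols:
      grpc:
        endpoint: 0.0.0.0:4317   # Droid sends OTLP here (placeholder listener)
      http:
        endpoint: 0.0.0.0:4318

processors:
  # Your policy runs before any exporter sees the data.
  attributes/policy:
    actions:
      # Enrich: tag every record with the owning business unit (placeholder key/value).
      - key: org.business_unit
        value: "retail-banking"
        action: upsert
      # Pseudonymise: hash the user identifier so dashboards can correlate
      # sessions without carrying the raw identity (placeholder key).
      - key: user.id
        action: hash
      # Redact: drop free-text prompt content before it reaches any log store (placeholder key).
      - key: droid.prompt_text
        action: delete
  batch:
    timeout: 5s

exporters:
  prometheus:
    endpoint: 0.0.0.0:8889                                  # scraped by Prometheus
  otlphttp/loki:
    endpoint: https://loki.internal.example/otlp             # placeholder host
  otlp/siem:
    endpoint: siem-collector.internal.example:4317           # placeholder host
    tls:
      ca_file: /etc/otelcol/ca.pem                           # placeholder path

service:
  pipelines:
    metrics:
      receivers: [otlp]
      processors: [attributes/policy, batch]
      exporters: [prometheus]
    traces:
      receivers: [otlp]
      processors: [attributes/policy, batch]
      exporters: [otlp/siem]
    logs:
      receivers: [otlp]
      processors: [attributes/policy, batch]
      exporters: [otlphttp/loki, otlp/siem]
```

Because the same processor chain sits in front of every exporter, a record that is redacted for Loki is also redacted for the SIEM, which is the property a DLP reviewer will want to verify.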
Regulatory and industry use cases
Factory is designed to support organizations operating under strict regulatory regimes. While implementation details differ, common patterns include:
Financial services
- Use hybrid or airgapped deployments for systems subject to strict data residency and record‑keeping requirements.
- Route all LLM traffic through gateways that implement your bank’s data policies.
- Use OTEL telemetry and hooks to ensure Droid activity is visible in your SIEM and aligned with your control framework.
Healthcare and PHI
- Deploy Droid in environments that never expose protected health information to external LLMs.
- Use model allowlists that include only providers and gateways that meet your PHI handling requirements.
- Use Droid Shield and DLP hooks to prevent PHI from being included in prompts or logs.
National security and defense
- Rely on fully airgapped deployments with on‑prem models and collectors.
- Treat Droid as an internal tool whose artifacts and logs never leave your network.
- Use OTEL and hooks to integrate with mission‑specific monitoring and incident response tooling.
Deployment and configuration for compliance teams
To integrate Droid into your compliance and monitoring stack:
- Decide on deployment pattern – cloud‑managed, hybrid, or fully airgapped.
- Define model and gateway policies – which providers and gateways are allowed, and where.
- Configure OTEL collectors and destinations – ensure all Droid telemetry flows into your SIEM and observability tools.
- Set up hooks and Droid Shield – enforce DLP, approval workflows, and environment‑specific controls.
- Document policies and mappings – connect Droid controls to your internal control framework and regulatory obligations.
