Our Trust Center is on the way. We’re building a self-serve trust room where partners can review certifications, sub-processors, and security documentation. In the meantime, the summary below describes our practices — reach out for detailed documentation or to start a security review.
1. Our Approach
Security is foundational to everything FutureState builds. Our platform manages campus credentials, access events, and stored-value transactions, so protecting the confidentiality, integrity, and availability of that data is core to our product and our business. We apply defense-in-depth principles across our infrastructure, application, and operational practices, and we continually review and improve our security posture.
2. Infrastructure Security
The FutureState platform is hosted on Microsoft Azure, leveraging its enterprise-grade physical security, network controls, and regional availability. Our infrastructure practices include:
- Multi-tenant architecture with logical data isolation between institutional clients
- Network segmentation and firewall controls limiting exposure of internal systems
- Hosting within U.S.-based Azure regions, with high-availability configurations
- Infrastructure managed as code with reviewed, auditable change processes
3. Data Protection
We protect data both in transit and at rest:
- Encryption of data in transit using TLS 1.3
- Encryption of data at rest using industry-standard algorithms
- Secrets, keys, and integration tokens stored in managed, access-controlled vaults
- Data retention and deletion practices aligned with our client agreements and Privacy Policy
FutureState does not collect or store full payment card numbers, Social Security numbers, or biometric data as part of its standard Services.
4. Access Control
Access to systems and data is governed by the principle of least privilege:
- Role-based access controls limiting data access to authorized personnel with a legitimate need
- Single sign-on and multi-factor authentication for internal systems
- Authentication built on OIDC/SAML with token-based session management for the platform
- Access reviews and prompt deprovisioning when roles change
5. Monitoring & Incident Response
We maintain continuous visibility into the health and security of our platform:
- Continuous monitoring and alerting, including through our own CardPulse tooling
- Centralized logging of system, access, and integration activity
- Documented incident response procedures, including notification obligations to affected institutions
- Regular vulnerability assessments and security review processes
In the event of a security incident affecting personal data, FutureState will notify affected institutions in accordance with applicable law and our contractual commitments.
6. Privacy & Compliance
FutureState processes personal data on behalf of institutions acting as data controllers, and supports their compliance obligations. Where applicable to U.S. higher education clients, FutureState acts as a “school official” with a legitimate educational interest under the Family Educational Rights and Privacy Act (FERPA), and processes education records only as directed by the institution.
For details on how we handle personal information, see our Privacy Policy. Formal compliance certifications and reports will be made available through our forthcoming Trust Center; contact us in the meantime to request current documentation.
7. Vulnerability Reporting
We welcome reports from security researchers and partners. If you believe you have found a security vulnerability in a FutureState product or service, please report it responsibly to security@futurestate.cloud. We ask that you give us a reasonable opportunity to investigate and remediate before any public disclosure, and that your testing avoid privacy violations, data destruction, or service disruption.
8. Contact
For security questions, documentation requests, or to begin a security review, please contact us:
This page provides a general overview of our security practices and will be expanded as our Trust Center launches. It does not form part of any contract or warranty.