Updated May 2026. Reading time: 7 minutes.
How FellowHire handles your data, what your fellow can and cannot see, and why our security model is built for regulated work.
Security is the first question most buyers ask before bringing an AI coworker into Slack or Teams. This page answers it. FellowHire is SOC 2 and ISO 27001 compliant. Customer data is encrypted in transit and at rest. We use no-training enterprise agreements with our model providers. Below is the detail behind those claims.
SOC 2: Compliant
ISO 27001: Compliant
TLS 1.3: Encryption in transit
AES-256: Encryption at rest
FellowHire is SOC 2 and ISO 27001 compliant. Everything we operate (infrastructure, data handling, access controls, audit trails) is designed to meet both standards.
Hosting. AWS US regions by default. EU-region support available on request.
Model providers. OpenAI and Anthropic, enterprise tier, under no-training data agreements. Customer data is never used to train shared models.
Detailed compliance documentation, audit reports, and a security overview are available to your team during procurement. Reach out via /demo and we will share them under NDA.
Slack. A fellow sees only the channels it is invited to and the DMs sent to its bot user. We default to channel-specific scopes, not workspace-wide.
Microsoft Teams. A fellow operates inside the tenant under Graph permissions granted by the admin. Same principle: minimum scopes for the role.
Connected tools (CRM, helpdesk, accounting, etc.). A fellow gets the integration access the customer grants. We default to read-only and write-on-approval where supported by the upstream tool.
The principle. Scope discipline matters more than any single certification. We default to the minimum scope a fellow needs to do its role and nothing more. Customers control what gets added.
A fellow receives a message or a connected-tool event in your stack.
The fellow queries a model provider (OpenAI, Anthropic, or open-source models depending on the deployment).
Outputs are returned to the fellow and surfaced in Slack/Teams or the connected tool.
We retain conversation logs and tool-action logs for the fellow's improvement (default 90 days, configurable per customer).
We do NOT use customer data to train shared models. Each fellow's training corpus is per-customer and stays per-customer.
Model providers operate under their own enterprise data terms. We use their no-training APIs by default.
Every fellow output is logged with timestamp, channel, requester, and the action taken.
Logs are accessible to your admin user via the FellowHire admin panel.
For customer-facing work, the default posture is draft-with-review. The human reviewer is logged.
Auto-send categories (where the fellow sends without human review) are configured during scoping and are visible in the admin log.
Audit-trail data export is available on request.
No. Customer data is used to train YOUR fellow only. We do not aggregate customer data into shared training sets. We use no-training enterprise APIs from OpenAI and Anthropic.
Yes. Everything we operate is designed to meet both standards. Detailed compliance documentation and audit reports are available to your team during procurement.
AWS US regions by default. EU-region support available on request.
Default 90 days. Configurable per customer down to 30 days. We honor data deletion requests under GDPR and CCPA principles.
Yes. We share our internal security overview document, SOC 2 audit reports, and other compliance documentation during procurement under NDA.
We have an incident-response process. We notify affected customers within 72 hours of confirmed material incidents. We publish post-mortem summaries for any incident affecting more than one customer.
Law firms, accounting firms, and other regulated industries have specific security and data-handling requirements. FellowHire's compliance posture, scoped access model, and audit trails are built to meet them.
For industry-specific detail, see /industries/law-firms, /industries/accounting-firms, and /industries/ecommerce-brands.
For specific data-residency, retention, or deployment requirements, we scope those during onboarding. Reach out via /demo.
If your team needs audit reports, a security walkthrough, or a conversation with your InfoSec team, just ask. We share everything under NDA during procurement.