Zero-Data Architecture
Fctr Identity Portal is designed to avoid storing raw end-user identity data or credentials at rest. Identity data is retrieved in real time from your Identity Provider (Okta or Entra ID), processed in memory for verification, and discarded at session end. Fctr retains only limited operational records: runtime logs for approximately 1 day, masked audit and request metadata for approximately 30 days, and hashed billing identifiers for approximately 3 years.
Compliance & Infrastructure
Compliance Posture
NIST 800-63B AAL2: Enforced
SOC 2 Controls: Aligned
GDPR: DPA Available
CCPA: Privacy Controls
Infrastructure Sub-processors
Google Cloud Platform: SOC 2 Type II
Cloudflare: SOC 2 Type II
Security Controls & Enforcement
Continuously Enforced
Data Security
Zero-Data Architecture — No Raw Identity Data at Rest
PII Shielding at Application Layer
In-Memory Processing Only
Audit & Logging
Structured, PII-Masked Audit Logs
Managed Google Cloud Logging & Storage
Tiered retention: 1-day runtime logs, 30-day masked audit metadata, 3-year hashed billing metrics
Authentication & Access
NIST 800-63B AAL2 Enforcement
SAML 2.0 / OIDC Single Sign-On
Time-Limited MFA Verification Sessions
Granular RBAC Permission Tiers
Least-Privilege API Token Scopes
Network & Vulnerability Defenses
Cloudflare Edge / DDoS Protection
Rate Limiting on All Endpoints
HSTS, CSP, X-Frame-Options Headers
SAST & SCA (CodeQL, Snyk, Dependabot)
SBOM Generation via Dependency Graph
Integrations
Okta Integration Network: Listed & verified integration
Microsoft Entra ID: Supported — Graph API & MSAL
SAML 2.0 / OIDC: Supported — enterprise SSO