Privacy Policy

Effective Date: Jan 01, 2026

Fourthlock LLC ("Foundation4," "we," "us," or "our") operates the foundation4.ai platform — secure knowledge infrastructure for enterprise AI. This Privacy Policy explains how we collect, use, and protect information when you visit our website at foundation4.ai, interact with our sales and support teams, or deploy Foundation4 software.

Foundation4 is built on a core principle: your data is yours. Our platform is designed so that the entire knowledge pipeline — embedding, storage, retrieval, and generation — runs inside your infrastructure. This Privacy Policy reflects that architecture and explains how our data practices differ depending on how you interact with us.


1. Scope and Applicability

This policy covers three distinct contexts:

  • The Foundation4 Website (foundation4.ai) — when you browse our site, read our blog, request pricing, or contact us.
  • Cloud-Hosted Pilot Deployments — when you evaluate Foundation4 on a Foundation4-managed cloud instance during a Pilot plan trial.
  • On-Premises Deployments (Utility and Enterprise plans) — when Foundation4 software runs entirely on your infrastructure.

Each context involves different data flows and different levels of Foundation4 access. We address each separately below.


2. On-Premises Deployments: Foundation4 Has No Access to Your Data

For customers running Foundation4 on their own infrastructure under our Utility or Enterprise plans, the following applies without exception:

Foundation4 does not have access to your data. When Foundation4 is deployed on-premises, every component of the platform — the API server, document processing workers, embedding models, vector storage (PostgreSQL with pgvector), message queuing (NATS), caching (Redis), and monitoring (Prometheus) — runs within your environment, under your control, inside your network boundary.

This means:

  • Your documents, embeddings, metadata, queries, and AI-generated responses never leave your infrastructure. Foundation4 cannot see, access, search, retrieve, or read any content you process through the platform.
  • Your API keys, user credentials, and access control configurations are stored entirely within your deployment. Foundation4 personnel cannot view or manage your authentication systems.
  • No telemetry, usage data, or system metrics are transmitted to Foundation4 from on-premises deployments, unless you explicitly opt in to a support arrangement that requires it.
  • Air-gapped deployments (Enterprise plan) operate with zero external network dependencies. No outbound connections, no registry calls, no data transmission of any kind.

The only information Foundation4 receives in connection with on-premises deployments is:

  • License validation data: A cryptographic system identifier used to verify your deployment license. This identifier does not contain or encode any customer data, document content, or usage information.
  • Support interactions: If you contact our support team, any information you voluntarily provide (logs, configuration details, error messages) during the course of a support request.

Foundation4 does not use customer data to train, improve, or develop our products or services. This commitment applies to all deployment models.


3. Cloud-Hosted Pilot Deployments: How We Handle Your Data

The Pilot plan offers a cloud-hosted evaluation instance managed by Foundation4. During a cloud-hosted Pilot, Foundation4 operates the infrastructure on which your trial instance runs. This means we have the technical ability to access the underlying systems, though our policy and practice is to not do so.

3.1 What We Commit To

  • We do not access, view, or analyze your documents, embeddings, queries, or AI-generated responses. Your evaluation data is treated as confidential even in a cloud-hosted environment.
  • We do not use Pilot data to train, improve, or benchmark Foundation4 or any other product.
  • We do not share Pilot data with any third party for any purpose.
  • Access to cloud infrastructure hosting Pilot instances is restricted to a limited number of Foundation4 operations personnel, and only for the purposes of maintaining system availability, applying security patches, and resolving technical issues.

3.2 What We Collect During Cloud-Hosted Pilots

For cloud-hosted Pilot instances, Foundation4 collects the following operational data to maintain and secure the service:

  • System health metrics: CPU, memory, disk, and network utilization of the hosted instance.
  • Service availability data: Uptime, error rates, and API response latency (aggregate, not per-query content).
  • Authentication events: API key creation, login attempts, and permission changes (event metadata only, not the content of requests).
  • Resource usage: Number of documents ingested, number of queries executed, storage consumed (counts and volumes, not content).

This operational data is used solely to ensure service reliability during your evaluation period and to understand aggregate platform usage patterns. It is not linked to the content of your documents or queries.

3.3 Data Retention for Cloud-Hosted Pilots

  • Your evaluation data (documents, embeddings, metadata, agent configurations) is retained for the duration of your Pilot period and for up to 30 days after the Pilot concludes or expires, after which it is permanently deleted from our infrastructure.
  • If you transition to a paid on-premises plan, we will work with you to export your Pilot data to your infrastructure before deletion, if requested.
  • Operational metrics collected during the Pilot are retained in aggregate, anonymized form for up to 90 days after Pilot conclusion, then deleted.

3.4 Infrastructure and Security

Cloud-hosted Pilot instances are deployed with the following protections:

  • Encryption at rest: All data stored on Pilot infrastructure is encrypted using AES-256.
  • Encryption in transit: All communications between your applications and the Pilot instance are encrypted with TLS 1.2 or higher.
  • Instance isolation: Each Pilot instance runs in an isolated environment. Your data is not commingled with other customers' data.
  • Access controls: Infrastructure access requires multi-factor authentication and is logged.

4. The Foundation4 Website

When you visit foundation4.ai, we collect information to operate the website and communicate with prospective and current customers.

4.1 Information You Provide

  • Pricing requests and contact forms: When you request pricing or contact us, we collect your name, email address, organization name, and any details you include in your message. We use this information to respond to your inquiry and, with your consent, to follow up about Foundation4 products and services.
  • Blog subscriptions and newsletter signups: If you subscribe to updates, we collect your email address to send you content about Foundation4 and the enterprise AI space. You can unsubscribe at any time.
  • Support requests: If you contact us for technical support, we collect the information you provide to resolve your issue.

4.2 Information Collected Automatically

When you visit our website, we may automatically collect:

  • Log data: IP address, browser type, operating system, referring URL, pages visited, and timestamps.
  • Cookies and similar technologies: We use cookies to understand site usage and improve the browsing experience. See Section 9 (Cookies) below for details.
  • Analytics data: We use privacy-respecting analytics to understand how visitors interact with our site in aggregate. We do not build individual behavioral profiles for advertising purposes.

4.3 How We Use Website Data

We use information collected through the website to:

  • Respond to pricing requests and inquiries.
  • Send product updates and content you've opted into.
  • Improve the website and understand visitor interests in aggregate.
  • Comply with legal obligations.

We do not sell, rent, or trade your personal information to third parties. We do not use your information for targeted advertising.


5. Third-Party Services and Sub-Processors

5.1 Website Sub-Processors

Foundation4 uses a limited number of third-party services to operate the website and business functions:

  • Website hosting and infrastructure (e.g., cloud hosting provider for foundation4.ai)
  • Email delivery (for transactional emails and newsletter distribution)
  • Analytics (privacy-respecting, aggregate website analytics)
  • CRM and sales tools (to manage customer relationships and inquiries)

These providers process data only as necessary to provide their services to Foundation4 and are bound by data processing agreements.

5.2 On-Premises Deployments

For on-premises deployments, Foundation4 uses no sub-processors in connection with your data, because Foundation4 does not have access to your data. The platform runs entirely within your infrastructure.

5.3 Cloud-Hosted Pilots

Cloud-hosted Pilot instances run on infrastructure provided by our cloud hosting partner(s). These partners provide the compute and storage layer but do not have application-level access to your evaluation data. A current list of infrastructure sub-processors for cloud-hosted Pilots is available upon request.

5.4 External AI Services

Foundation4 is LLM-agnostic. The platform supports connections to any OpenAI-compatible endpoint — including local models running on your hardware. Foundation4 does not route your data through any Foundation4-operated AI model or third-party AI service. The choice of language model and embedding model is entirely yours, and data flows to those models are configured and controlled by you within your deployment. Foundation4 has no visibility into which models you connect or the data exchanged with them.


6. Data Security

Foundation4 maintains organizational and technical measures to protect the information we handle:

  • Access controls: Internal access to systems that may contain customer or prospect data is restricted on a need-to-know basis, protected by multi-factor authentication, and logged.
  • Encryption: Data in transit is protected with TLS 1.2+. Data at rest on Foundation4-managed systems is encrypted with AES-256.
  • Employee training: Foundation4 personnel receive training on data handling, security practices, and privacy obligations.
  • Incident response: We maintain an incident response plan and will notify affected customers of security incidents in accordance with applicable law and contractual commitments.

For on-premises deployments, security of the platform infrastructure is your responsibility. Foundation4 provides deployment documentation, security best practices, and support to help you maintain a strong security posture, but we do not manage or monitor your infrastructure unless explicitly engaged to do so.


7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request that we correct inaccurate personal information.
  • Deletion: Request that we delete your personal information, subject to legal retention requirements.
  • Portability: Request your personal information in a structured, machine-readable format.
  • Objection: Object to processing of your personal information for certain purposes.
  • Restriction: Request that we restrict processing of your personal information under certain circumstances.
  • Withdrawal of consent: Where processing is based on consent, withdraw that consent at any time.

To exercise any of these rights, contact us at [email protected]. We will respond within the timeframe required by applicable law (typically 30 days).

Note for on-premises customers: Because Foundation4 does not have access to data processed within your on-premises deployment, we cannot fulfill data subject requests related to that data. You are the data controller for all data processed within your Foundation4 deployment, and you are responsible for responding to data subject requests from individuals whose data you process using the platform.


8. Data Processing Roles

  • On-premises deployments: You are the data controller for all data processed within your Foundation4 instance. Foundation4 is not a data processor for this data because we do not have access to it.
  • Cloud-hosted Pilots: You are the data controller. Foundation4 acts as a data processor, processing evaluation data on your behalf solely to provide the Pilot service. Processing is governed by our Data Processing Agreement (DPA), available upon request.
  • Website visitors and contacts: Foundation4 is the data controller for personal information collected through the website and business interactions.

For customers subject to GDPR, we offer a Data Processing Agreement that includes Standard Contractual Clauses for international data transfers where applicable.


9. Cookies

Foundation4.ai uses cookies and similar technologies on our website. We categorize cookies as follows:

  • Strictly necessary cookies: Required for website functionality (e.g., session management). These cannot be disabled.
  • Analytics cookies: Help us understand how visitors use the site in aggregate. These are only set with your consent.
  • Preference cookies: Remember your settings and choices. These are only set with your consent.

We do not use advertising or tracking cookies. We do not participate in cross-site tracking networks.

You can manage cookie preferences through your browser settings or through any cookie consent mechanism on our website.


10. International Data Transfers

Foundation4 is based in the United States. If you are located outside the United States and provide us with personal information (for example, through a website form or cloud-hosted Pilot), your information may be transferred to and processed in the United States.

We rely on the following mechanisms for international data transfers:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Any other transfer mechanisms recognized under applicable data protection law.

For on-premises deployments, your data does not leave your infrastructure and is not transferred to Foundation4 or any other jurisdiction.


11. Data Retention

We retain personal information only as long as necessary for the purposes described in this policy:

Data Category: Retention Period

  • Pricing requests and contact form submissions: Until inquiry is resolved, plus up to 24 months for follow-up
  • Email newsletter subscriptions: Until you unsubscribe
  • Website analytics data: 26 months (aggregated)
  • Cloud-hosted Pilot evaluation data: Duration of Pilot plus 30 days
  • Cloud-hosted Pilot operational metrics: 90 days after Pilot conclusion (anonymized)
  • License validation records: Duration of active license
  • Support interaction records: 24 months after resolution

For on-premises deployments, data retention within your Foundation4 instance is entirely under your control. Foundation4 provides document versioning, configurable data expiry policies (Enterprise plan), and deletion capabilities to support your retention requirements. Data expiry policies allow Enterprise administrators to define automatic deletion schedules for documents based on metadata, classification, or age. When a document expires, all associated embeddings, versions, and index entries are permanently removed from the deployment.


12. Children's Privacy

Foundation4 is an enterprise software platform. Our products and services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us at [email protected] and we will promptly delete it.


13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, products, or legal requirements. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy.
  • Post the revised policy on foundation4.ai.
  • For active customers, provide notice through email or our customer communication channels.

We encourage you to review this policy periodically.


14. Contact Us

If you have questions about this Privacy Policy, your personal information, or Foundation4's data practices, contact us at:

Fourthlock LLC
Email: [email protected]
Website: https://foundation4.ai

For data protection inquiries under GDPR, you may also contact our designated data protection contact at the email address above.


15. Regulatory Compliance

Foundation4 is designed to operate within regulated environments. Our platform architecture supports compliance with a range of regulatory frameworks, including:

  • GDPR (General Data Protection Regulation) — On-premises deployments ensure that personal data processed through Foundation4 never leaves the data controller's infrastructure. For cloud-hosted Pilots, we offer a DPA with Standard Contractual Clauses.
  • HIPAA (Health Insurance Portability and Accountability Act) — On-premises deployment eliminates the need for a Business Associate Agreement with Foundation4, as we never access protected health information. Organizations deploying Foundation4 on-premises maintain full control over PHI within their own HIPAA-compliant environment.
  • ITAR (International Traffic in Arms Regulations) — Air-gapped Enterprise deployments ensure that controlled technical data is never transmitted outside the organization's infrastructure. No Foundation4-operated service receives or processes ITAR-controlled information.
  • FedRAMP / CJIS / CMMC — On-premises and air-gapped deployments operate within the customer's authorized boundary. Foundation4 does not introduce external data flows that would expand the authorization scope.
  • SOX and PCI-DSS — For financial services organizations, on-premises deployment keeps sensitive data within auditable infrastructure under the organization's direct control.

Foundation4's compliance posture is a direct consequence of its architecture: if your data never leaves your infrastructure, the regulatory surface area attributable to Foundation4 as a vendor is minimal.


This Privacy Policy applies to Fourthlock LLC and the foundation4.ai platform.