Built for parts.
Hardened for programs.
Mutual NDA at signup. ITAR-aware project scope. ISO 9001 supplier chain. AES-256 at rest, TLS 1.3 in transit. The security posture an aerospace buyer actually checks before a CAD file leaves their dock.
The four answers your security team asks for first.
Click any pillar for the supporting details. Long-form policy documents are available on request via the Enterprise sales packet.
Mutual NDA. By default.
Every new account starts under a mutual NDA — no separate document to chase.
- Clickwrap mutual NDA at signup; superseded by your master agreement once Enterprise contracts are signed.
- Per-project NDA escalation available for sensitive programs (supplier-side acknowledgment required before file release).
- Audit log of who viewed what, when, from where — exportable as a CSV for your own records.
ITAR-aware. US-person scope.
ITAR-tagged projects route only to vetted US-person suppliers, with sealed-by-default access.
- Project-level ITAR flag restricts supplier matching to a pre-vetted US-person panel; non-US-person team members cannot open the project files.
- No CAD egress to non-US infrastructure — file storage, transit, and processing pinned to US-only AWS regions (us-east-1 / us-east-2 / us-west-2 hot, us-east-1 cold).
- DDTC registration on file; on-request packet available for export-controlled programs through your account team.
ISO 9001 supplier chain.
Every production supplier on the platform holds an ISO 9001 (or AS9100 / IATF 16949) certification.
- Supplier onboarding gate requires current cert upload + expiry tracking; expired certs auto-disable the supplier for new RFQs.
- AS9100D for aerospace-tagged jobs, IATF 16949 for automotive-tagged jobs — same gate, additional cert requirement on top of the ISO 9001 baseline.
- Per-supplier quality history (FAI pass-rate, scrap rate, on-time delivery) visible inside your Analytics dashboard.
Encryption everywhere.
AES-256 at rest. TLS 1.3 in transit. Per-tenant KMS keys for Enterprise.
- AES-256-GCM at rest for CAD assets, derived files, quote documents, and supplier messages; per-org bucket isolation.
- TLS 1.3 enforced end-to-end (HSTS preload, no SSLv3 / TLS 1.0/1.1 fallback); HTTP/3 / QUIC where supported.
- Per-tenant KMS keys (BYOK / HYOK on request) for Enterprise tier; key rotation policies surface in the audit log.
- Annual third-party penetration test; current report available under NDA via your security contact.
The papers. Public, on-request, and in-flight.
We don’t hide behind “contact sales” for the foundational documents. Subprocessor list and incident-response playbook are public; MSA / DPA / pentest report are NDA-gated.
- Master Service Agreement (MSA)On request
Default Enterprise contract; replaces clickwrap T&Cs for org-wide deployments.
Request via security@ - Data Processing Addendum (DPA)On request
EU-style DPA covering customer-controller, FabDigit-processor relationship for any project with EU-resident participants.
Request via security@ - SOC 2 Type II reportIn flight
Audit by a Big-Four firm. Type I report complete; Type II in-flight (expected H1 2026).
Expected H1 2026 - Penetration test summaryOn request
Annual third-party penetration test — most recent executive summary available under mutual NDA.
Request via security@ - Subprocessor listPublic
Current list of subprocessors (cloud infrastructure, payments, observability), with their compliance certifications.
Read the document - Incident response playbookPublic
Public-safe summary of our incident detection, escalation, and customer-notification policy.
Read the document
Bring your security team. We’ll bring the documents.
Our security contact replies to packet requests in one business day. Enterprise security reviews typically close in 5–10 business days.
