Built for parts.
Hardened for programs.
Mutual NDA at signup. ITAR-aware project scope. ISO 9001 supplier chain. AES-256 at rest, TLS 1.3 in transit. The security posture an aerospace buyer actually checks before a CAD file leaves their dock.
The four answers your security team asks for first.
Long-form policy documents are available on request via the Enterprise sales packet.
Mutual NDA. By default.
Every new account starts under a mutual NDA — no separate document to chase.
- Clickwrap mutual NDA at signup; superseded by your master agreement once Enterprise contracts are signed.
- Per-project NDA escalation available for sensitive programs (supplier-side acknowledgment required before file release).
- Audit log of who viewed what, when, from where — exportable as a CSV for your own records.
ITAR-aware. US-person scope.
ITAR-tagged projects route only to vetted US-person suppliers, with sealed-by-default access.
- Project-level ITAR flag restricts supplier matching to a pre-vetted US-person panel; non-US-person team members cannot open the project files.
- No CAD egress to non-US infrastructure — file storage, transit, and processing pinned to US-only AWS regions (us-east-1 / us-east-2 / us-west-2 hot, us-east-1 cold).
- DDTC registration on file; on-request packet available for export-controlled programs through your account team.
ISO 9001 supplier chain.
Every production supplier on the platform holds an ISO 9001 (or AS9100 / IATF 16949) certification.
- Supplier onboarding gate requires current cert upload + expiry tracking; expired certs auto-disable the supplier for new RFQs.
- AS9100D for aerospace-tagged jobs, IATF 16949 for automotive-tagged jobs — same gate, additional cert requirement on top of the ISO 9001 baseline.
- Per-supplier quality history (FAI pass-rate, scrap rate, on-time delivery) visible inside your Analytics dashboard.
Encryption everywhere.
AES-256 at rest. TLS 1.3 in transit. Per-tenant KMS keys for Enterprise.
- AES-256-GCM at rest for CAD assets, derived files, quote documents, and supplier messages; per-org bucket isolation.
- TLS 1.3 enforced end-to-end (HSTS preload, no SSLv3 / TLS 1.0/1.1 fallback); HTTP/3 / QUIC where supported.
- Per-tenant KMS keys (BYOK / HYOK on request) for Enterprise tier; key rotation policies surface in the audit log.
- Annual third-party penetration test; current report available under NDA via your security contact.
The papers. Public, on-request, and in-flight.
We don’t hide behind “contact sales” for the foundational documents. Subprocessor list and incident-response playbook are public; MSA / DPA / pentest report are NDA-gated.
- Master Service Agreement (MSA): On request
  Default Enterprise contract; replaces clickwrap T&Cs for org-wide deployments.
  Request via security@ →
- Data Processing Addendum (DPA): On request
  EU-style DPA covering customer-controller, FabDigit-processor relationship for any project with EU-resident participants.
  Request via security@ →
- SOC 2 Type II report: In flight
  Audit by a Big-Four firm. Type I report complete; Type II in-flight (expected H1 2026).
  Expected H1 2026
- Penetration test summary: On request
  Annual third-party penetration test — most recent executive summary available under mutual NDA.
  Request via security@ →
- Subprocessor list: Public
  Current list of subprocessors (cloud infrastructure, payments, observability), with their compliance certifications.
  Read the document →
- Incident response playbook: Public
  Public-safe summary of our incident detection, escalation, and customer-notification policy.
  Read the document →
Bring your security team. We’ll bring the documents.
Our security contact replies to packet requests in one business day. Enterprise security reviews typically close in 5–10 business days.
