Zero Data Retention
Fireworks does not log or store prompt or generation data for open models, without explicit user opt-in. See our Zero Data Retention Policy.Secure Data Handling
Data Ownership & Control: Customers maintain ownership of their data. Customer data stored as part of an active workflow can be permanently deleted with auditable confirmation, and secure wipe processes ensure deleted assets cannot be reconstructed. Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Bring Your Own Bucket: Customers may integrate their own cloud storage to retain governance and apply their own compliance frameworks.- Datasets: GCS Bucket Integration (AWS S3 coming soon)
- Models: External AWS S3 Bucket Integration
- (Coming soon) Encryption Keys: Customers may choose to use their own encryption keys and policies for end-to-end control.
Workload Isolation
Dedicated workloads run in logically isolated environments, preventing cross-customer access or data leakage.Secure Training
Fireworks enables secure model training, including fine-tuning and reinforcement learning, while maintaining customer control over sensitive components and data. This approach builds on our Zero Data Retention policy to ensure sensitive training data never persists on our platform. Customer-Controlled Architecture: For advanced training workflows like reinforcement learning, critical components remain under customer control:- Reward models and reward functions are kept proprietary and not shared
- Rollout servers and training metrics are built and managed by customers
- Model checkpoints are managed through secure cloud storage registries
For detailed guidance on secure reinforcement fine-tuning and using your own cloud storage, see Secure Fine Tuning.
Technical Safeguards
- Device Trust: Only approved, secured devices with strong authentication can access sensitive Fireworks systems.
- Identity & Access Management: Fine-grained access controls are enforced across all Fireworks environments, following the principle of least privilege.
- Network Security
- Private network isolation for customer workloads.
- Firewalls and security groups prevent unauthorized inbound/outbound traffic.
- DDoS protection is in place across core services.
- Monitoring & Detection: Real-time monitoring and anomaly detection systems alert on suspicious activity
- Vulnerability Management: Continuous scanning and patching processes keep infrastructure up to date against known threats.
Operational Security
- Security Reviews & Testing: Regular penetration testing validates controls.
- Incident Response: A formal incident response plan ensures swift containment, customer notification, and remediation if an issue arises.
- Employee Access: Only a minimal subset of Fireworks personnel have access to production systems, and all access is logged and periodically reviewed.
- Third-Party Risk Management: Vendors and subprocessors undergo rigorous due diligence and contractual security obligations.
Compliance & Certifications
Fireworks aligns with leading industry standards to support customer compliance obligations:- SOC 2 Type II (certified)
- ISO 27001 / ISO 27701 / ISO 42001 (in progress)
- HIPAA Support: Firework is HIPAA compliant and supports healthcare and life sciences organizations in leveraging our rapid inference capabilities with confidence.
- Regulatory Alignment: Controls are mapped to GDPR, CCPA, and other international data protection frameworks
Documentation and audit reports are available in our Trust Center.