> ## Documentation Index > Fetch the complete documentation index at: https://docs.factory.ai/llms.txt > Use this file to discover all available pages before exploring further. # Security > How Factory CLI keeps your code and data secure with built-in protections and best practices. ## Security-First Design Factory CLI (Droid) is built with security at its core. Your code stays secure through encrypted authentication, strict permissions, and enterprise-grade protections. *** ## Key Security Features OAuth login with encrypted token storage. Tokens auto-rotate every 30 days and are stored with OS-level file permissions. All risky operations require explicit approval. Configure tool permissions from allow/ask/reject per your security needs. All data encrypted in transit (TLS 1.3) and at rest (AES-256 with AWS KMS). Factory never trains on your code. Shell commands and file edits run locally. Only necessary context and diffs are sent to Factory's secure cloud. *** ## Security Best Practices Always review suggested code and commands before approval. You control what Droid can access and execute. ### Essential Security Guidelines **Always verify proposed commands and file changes**, especially: * Commands that install packages or modify system files * Operations involving sensitive data or credentials * Network requests to external services * File operations outside your project directory **Run Droid in containers or VMs** when working with: * Untrusted code repositories * External APIs or web services * Experimental or potentially risky operations * Shared development environments **Configure tool permissions** to match your security requirements: * Set high-risk commands to "reject" by default * Use "ask" for medium-risk operations requiring oversight * Only "allow" low-risk commands you trust completely * Review permissions regularly with the Settings menu **Never include secrets in prompts:** * Use environment variables for API keys and tokens * Store credentials in secure credential managers * Exclude sensitive files from Droid's working directory * Use the FACTORY\_TOKEN environment variable for CI/CD *** ## Built-in Protections Factory CLI includes multiple layers of security: * **Write access restriction**: Can only modify files in the project directory and subdirectories * **Command approval**: Risky operations require explicit user confirmation * **Prompt injection detection**: Analyzes requests for potentially harmful instructions * **Network request controls**: Web-fetching tools require approval by default * **Input sanitization**: Prevents command injection attacks * **Session isolation**: Each conversation maintains separate, secure context *** ## Enterprise Security SAML 2.0 / OIDC single sign-on with SCIM provisioning and role-based access controls. Zero data retention mode, customer-managed encryption keys (BYOK), and private cloud deployments. SOC 2 Type II certified, GDPR compliant, with regular penetration testing and supply chain security. Complete session logging, OpenTelemetry metrics, and enterprise-managed security policies. *** ## Need Help? Email our security team: **[security@factory.ai](mailto:security@factory.ai)** Visit **[trust.factory.ai](https://trust.factory.ai)** for compliance documents, certifications, and security resources. Report security vulnerabilities through our responsible disclosure program. Contact [security@factory.ai](mailto:security@factory.ai) for details.