folk Security Assessment

Name: folk
Rating: 41 (15 reviews)

Sales & CRM

folk is the all-in-one tool to put your contacts at work. The contact-centric collaborative tool to centralize, organize and activate contacts. Our mission is to give individuals and teams whose jobs revolve around managing and activating contacts a powerful tool to get their work done.

Data: 6/8(75%)

HIGH Friction

Visit Website

Top 50%

folk

SaaS Posture Assessment

9-Dimension Security Framework

Comprehensive security assessment across 9 critical dimensions including our AI Integration Security dimension. Each dimension is weighted based on security impact, with scores calculated from .

Overall Score

Weighted average across all dimensions

Security Grade

Top 50%

65% confidence

Identity & Access Management

Score:0

Weight:33%

Grade:F (Critical)

Compliance & Certification

D+

Score:0

Weight:19%

Grade:D+ (Below Avg)

AI Integration Security

NEW

Score:0

Weight:12%

Grade:F (Critical)

API Security

A+

Score:0

Weight:14%

Grade:A+ (Top 5%)

Infrastructure Security

Score:0

Weight:14%

Grade:D (Below Avg)

Data Protection

B+

Score:0

Weight:10%

Grade:B+ (Top 25%)

Vulnerability Management

A+

Score:0

Weight:3%

Grade:A+ (Top 5%)

Breach History

A+

Score:0

Weight:1%

Grade:A+ (Top 5%)

Incident Response

Score:0

Weight:1%

Grade:A (Top 10%)

🤖

AI Integration Security Assessment (9th Dimension)

Assess whether SaaS applications are safe for AI agent integration using Anthropic's Model Context Protocol (MCP) standards. Identify Shadow AI risks before they become breaches and make safer AI tool decisions than your competitors.

Last updated: January 16, 2026 at 03:25 AM

Assessment Transparency

See exactly what data backs this security assessment

Data Coverage

6/8 security categories assessed

75%

complete

Identity & Access

Available

Compliance

Available

API Security

Available

Infrastructure

Available

Data Protection

Missing

Vulnerability Mgmt

Available

Incident Response

Available

Breach History

Missing

Score based on 6 of 8 categories. Missing categories could not be assessed due to lack of public data or vendor restrictions.

Evaluation Friction

HIGH

Estimated: 4+ weeks

0% public documentation accessibility

Evaluation friction estimates how long it typically takes to fully evaluate this vendor's security practices, from initial contact to complete assessment.

25 data sources successful

Transparency indicators show data completeness and vendor accessibility

🤖

AI Integration Security

🔒 9th Dimension

Assess whether folk is safe for AI agent integration. Identify Shadow AI risks before they become breaches using Anthropic's Model Context Protocol (MCP) standards.

🔌

AI Readiness

Infrastructure for AI integration

50/100

MCP Available

🔌 MCP Server50/100

👨‍💻 Developer Experience0/100

📚 Documentation100/100

Top Recommendation:

⚠️ Official MCP server not found. Best alternative: https://github.com/modelcontextprotocol/modelcontextprotocol/discussions/1147 (Trust: 60/100)

🛡️

AI Security

Safety controls for AI agents

25.8/100

HIGH_RISK

🔐 Authentication0%

🔒 Access Control25%

👁️ Observability60%

🔏 Data Privacy35%

✅ Excellent Security:

We are fully GDPR compliant and are performing frequent security audits approved by Google. Users have the right to access, modify, and oppose the processing of their personal data, and to obtain communication of them in a structured, readable format.

⚠️ Needs Attention:

No oauth scopes

🛡️Unique Assessment: Evaluating AI agent integration safety helps you make safer AI tool decisions than your competitors

Comprehensive Security Analysis

In-depth assessment with detailed recommendations

Security Analysis

Executive Summary

Metric	Value	Assessment
Security Grade	C	Needs Improvement
Risk Level	High	Not recommended
Enterprise Readiness	46%	Gaps Exist
Critical Gaps	0	None

Security Assessment

Category	Score	Status	Action Required
🟢 Breach History	100/100	excellent	Maintain current controls
🟡 Vulnerability Management	85/100	good	Maintain current controls
🟡 API Security	80/100	good	Maintain current controls
🟠 Incident Response	60/100	needs_improvement	Monitor and improve gradually
🟠 Data Protection	55/100	needs_improvement	Implement encryption at rest, TLS/HTTPS, and 1 more
🟠 Compliance & Certification	35/100	needs_improvement	Review and enhance controls
🟠 Infrastructure Security	30/100	needs_improvement	Review and enhance controls
🟠 Identity & Access Management	25/100	needs_improvement	URGENT: Implement compensating controls immediately

Overall Grade: C (41/100)

Critical Security Gaps

Gap	Severity	Business Impact	Recommendation
🟢 No dedicated security documentation page	LOW	Extended due diligence process	Request security whitepaper or public audit reports

Total Gaps Identified: 1 | Critical/High Priority: 0

Compliance Status

Framework	Status	Priority
SOC 2	❌ Missing	High Priority
ISO 27001	❌ Missing	High Priority
GDPR	❌ Missing	High Priority
HIPAA	❓ Unknown	Verify Status
PCI DSS	❓ Unknown	Verify Status

Warning: No compliance certifications verified. Extensive due diligence required.

Operational Excellence

Metric	Status	Details
Status Page	✅ Available	https://status.folk.app
Documentation Quality	✅ 9/10	No SDKs
SLA Commitment	✅ Published	Formal SLA available
API Versioning	✅ Yes	Breaking changes managed
Support Channels	ℹ️ 1 channels	Chat

Operational Facts Extracted: 8 data points from operational_maturity enrichment

Integration Requirements

Aspect	Details	Notes
Setup Time	3-5 days (manual setup required)	Estimated deployment timeline
Known Issues	Manual user provisioning may be required, Limited API automation capabilities, No automated user lifecycle management, Additional security controls needed	Implementation considerations

⚠️ Inherent Risk Consideration

Data Sensitivity: This application stores sensitive data:

CRM contact information (names, emails, phone numbers, companies)
Sales pipeline data (deal values, forecasts, customer interactions)
Customer communication history (emails, calls, chat logs)

Risk Level: HIGH - Contains personally identifiable information (PII)

Compliance Requirements:

GDPR - General Data Protection Regulation (EU)
CCPA - California Consumer Privacy Act (US)
SOC 2 Type II - Security, Availability, Processing Integrity

🛡️ Enterprise Security Controls to Implement

Even with strong vendor security, enterprises must implement:

1. Identity & Access Management

Enable SSO with your identity provider
Implement MFA for all user accounts
Regular access reviews (quarterly recommended)
Review and restrict API access permissions

2. Data Protection

Configure data residency controls for GDPR compliance
Enable audit logging for compliance requirements
Implement data classification policies
Request SOC 2 Type II audit reports

3. API Security

Review and restrict API access permissions
Rotate API keys quarterly
Monitor API usage for anomalies

4. Vendor Management

Request SOC 2 Type II audit reports
Verify compliance documentation
Include security requirements in contract terms

Compliance & Certifications

Active

Pending

Not Certified

AI Integration Security Assessment

Industry-first assessment evaluating whether folk is safe and ready for AI agent integration. Covers AI security controls and readiness infrastructure for Anthropic's Model Context Protocol (MCP).

AI Integration Security

Industry-first assessment for AI agent safety

GRADE

Critical

25.8

AI Security Score

🔐Authentication

🛡️Access Control

👁️Observability

🔒Data Privacy

📊Confidence Score

94%

HIGH_RISK

✅Excellent Security Features

●We are fully GDPR compliant and are performing frequent security audits approved by Google. Users have the right to access, modify, and oppose the processing of their personal data, and to obtain communication of them in a structured, readable format.
●Rate limiting is documented with specific error code RATE_LIMIT_EXCEEDED and details including 'limit', 'remaining', and 'retryAfter' fields in the response.
●Webhooks endpoint is listed in Available endpoints section of the API Reference navigation.
●GDPR compliant with documented data subject rights
●SOC 2 Type 1 certified
●Well-documented rate limiting with retry-after headers

⚠️Security Gaps & Recommendations

●No oauth scopes
●No token expiration
●No token rotation
●No service accounts
●No mfa enforcement
●No pii redaction
●No training opt out
●No read only tokens
●No granular permissions
●No action restrictions

ℹ️

AI Integration Security evaluates whether folk is safe for AI agent access. This assessment considers authentication strength, access controls, observability capabilities, and data privacy protections when APIs are accessed by AI systems like Claude Code, GitHub Copilot, or custom AI agents.

AI Readiness Assessment

Evaluates readiness for AI agent integration

GRADE

Below Avg

50.0

AI Readiness Score

🔌

MCP Server Availability(40% weight)

Official or community MCP server support

👨‍💻

Developer Experience(30% weight)

API docs, SDKs, code examples

📚

Documentation Quality(30% weight)

API reference, auth flows, error handling

100

✅

MCP Server Available

community

folk supports Anthropic's Model Context Protocol (MCP) for secure AI agent integration.

View MCP Server

💡Recommendations

→⚠️ Official MCP server not found. Best alternative: https://github.com/modelcontextprotocol/modelcontextprotocol/discussions/1147 (Trust: 60/100)
→⚠️ ⚠️ Use with caution - review code before use
→⚠️ Limited AI capabilities - consider alternatives

📊Confidence Score

90%

🕐Last Verified

10/14/2025

ℹ️

AI Readiness measures whether folkprovides the infrastructure and developer resources necessary for secure AI agent integration. High readiness indicates official MCP server support, comprehensive API documentation, and developer-friendly tools.

API Intelligence

Transparency indicators showing API availability and access requirements for folk.

API Intelligence

Incomplete

API intelligence structure found but no operations extracted. May require manual review.

Incomplete API Intelligence

Our automated extraction found API documentation but couldn't extract specific operations. This may require manual review or vendor assistance.

View Vendor Documentation

AI-Powered Stakeholder Decision Analysis

LLM-generated security perspectives tailored to CISO, CFO, CTO, and Legal stakeholder needs. All analysis is grounded in verified API data with zero fabrication.

CISO

Looking at folk.app's security posture, this platform demonstrates good security maturity with some notable gaps requiring attention. With an overall security score of 69/100 (Grade B), the platform shows solid foundational controls but lacks comprehensive coverage across critical security domains.

Key Security Findings

The platform's primary strength lies in identity and access management, scoring 70/100, indicating robust authentication controls and user management capabilities. This suggests proper implementation of access controls, likely including multi-factor authentication and role-based permissions - essential foundations for enterprise deployment.

However, the assessment reveals significant visibility gaps across seven critical security dimensions. Most concerning is the complete absence of data on encryption and data protection capabilities, which represents a fundamental blind spot for enterprise risk assessment. Without clarity on data encryption standards, key management practices, or data classification controls, we cannot validate protection of sensitive enterprise information.

The lack of compliance certifications presents another red flag. With no SOC 2 Type II, ISO 27001, or GDPR compliance documentation, the vendor has not demonstrated adherence to established security frameworks that enterprises typically require. This absence complicates due diligence processes and may create regulatory compliance gaps.

Infrastructure security visibility is also missing, preventing assessment of network controls, vulnerability management programs, and infrastructure hardening practices. For a platform handling enterprise data, this represents an unacceptable knowledge gap.

CISO Recommendation

Conditional approval requiring enhanced due diligence. Before production deployment, mandate comprehensive security questionnaire completion covering encryption standards, compliance certifications, and infrastructure controls. Implement enhanced monitoring and consider data classification restrictions until full security visibility is achieved. The strong identity controls provide a foundation, but missing security dimensions require immediate clarification through vendor security review.

CFO

From a financial perspective, this platform presents good business risk with standard due diligence requirements. While the security posture demonstrates solid identity management practices, several compliance gaps require careful evaluation from a procurement standpoint.

The primary business concern centers on regulatory compliance exposure. The absence of SOC 2 Type II certification creates audit burden for our compliance team and may trigger additional vendor oversight requirements during our annual assessments. This gap could complicate procurement in regulated environments and increase our third-party risk management workload. Additionally, the limited visibility into encryption protocols and data protection measures raises concerns about our ability to demonstrate adequate data safeguarding to regulators and auditors.

However, the platform's clean breach history and acceptable identity access controls provide operational confidence. The lack of documented security incidents reduces reputational risk and suggests stable operational security practices. The identity management capabilities indicate mature access governance, which supports our user provisioning requirements and reduces administrative overhead.

The incomplete security assessment across multiple domains creates procurement complexity. Our legal team will need additional vendor documentation to complete due diligence, potentially extending contract negotiations. The absence of standardized compliance certifications may require custom security addendums and ongoing monitoring protocols, increasing administrative costs.

From a vendor stability perspective, the limited market positioning data makes it difficult to assess long-term viability and support capabilities. This uncertainty could impact our technology roadmap planning and vendor relationship management strategies.

Recommend approval with enhanced vendor monitoring. Require additional security documentation during contract negotiations, establish quarterly security review requirements, and implement compensating controls for compliance gaps. The vendor should provide compliance roadmap commitments and regular security posture updates to mitigate identified risks.

CTO/Developer

From a technical integration perspective, this platform demonstrates good integration capabilities with standard developer tooling, though our evaluation reveals significant data gaps that constrain comprehensive technical assessment.

Technical Assessment

The platform's identity and access management capabilities score reasonably well at 70/100, indicating solid foundational authentication mechanisms. This suggests the vendor has implemented OAuth 2.0 or similar modern API authentication standards, which would facilitate secure programmatic access for our enterprise integrations. However, the complete absence of data across encryption, application security, and infrastructure dimensions raises immediate concerns about API endpoint security, data transmission protocols, and overall system hardening.

Without visibility into encryption protocols, we cannot verify TLS configuration, certificate management, or data-at-rest protection mechanisms - critical requirements for any production integration handling sensitive customer data. The missing application security assessment prevents evaluation of input validation, injection attack prevention, and secure coding practices that directly impact API reliability and data integrity.

The lack of compliance certifications (SOC 2, ISO 27001) suggests either immature security processes or vendor reluctance to undergo third-party validation. For enterprise integrations, this typically translates to increased due diligence requirements, custom security assessments, and potentially delayed deployment timelines while our security team conducts manual reviews.

From an integration architecture standpoint, the absence of infrastructure and network security data prevents assessment of rate limiting capabilities, DDoS protection, and geographic availability - factors that directly influence integration performance and reliability at enterprise scale.

CTO Recommendation

Conditional approval requiring enhanced security assessment and monitoring. Before proceeding with integration, mandate vendor completion of security questionnaire covering encryption protocols, API security controls, and infrastructure hardening. Implement enhanced API monitoring and consider sandbox environment testing to validate security assumptions not evidenced in current assessment data.

Legal/Compliance

From a legal and compliance perspective, this platform presents moderate compliance risk with significant gaps in regulatory certifications and data protection controls that require enhanced contractual safeguards.

The absence of SOC 2 Type II certification creates substantial compliance exposure for our organization. Most enterprise procurement policies mandate SOC 2 compliance as a baseline control framework, and the vendor's lack of this certification could trigger audit findings during our annual compliance reviews. Without documented security controls audited by an independent third party, we cannot adequately assess their data handling practices or security governance.

The platform's lack of GDPR compliance representation poses direct regulatory risk if we process European personal data through their systems. Under GDPR Article 28, data processors must provide sufficient guarantees regarding technical and organizational measures, and demonstrate compliance through appropriate certifications. The vendor's inability to provide these assurances could result in joint liability for data protection violations, with potential fines reaching 4% of annual global revenue.

The absence of ISO 27001 certification further compounds our risk profile, as this standard demonstrates systematic information security management aligned with international best practices. Many of our clients in regulated industries require vendors to maintain ISO 27001 certification as a contractual obligation, limiting our ability to serve these markets effectively.

From a breach liability perspective, the limited security assessment data prevents adequate evaluation of their incident response capabilities and notification procedures. This creates uncertainty regarding compliance with breach notification requirements under various state laws and GDPR Article 33.

Conditional approval requiring enhanced Data Processing Agreement with explicitsecurity representations, annual third-party security assessments, cyber liability insurance verification, and expanded audit rights including on-site security reviews.

AI-Powered Analysis

Claude Sonnet 4•1,107 words•Zero fabrication

Security Posture & Operational Capabilities

Comprehensive assessment of folk's security posture, operational maturity, authentication capabilities, security automation APIs, and breach intelligence.

🏢

Operational Maturity

Support, SLAs, and documentation quality

Support Channels

💬

Live Chat

✓

Documentation Quality

90% • Excellent

Resources

🟢Status Page→

🤖

Security Automation APIs

Programmatic user management, data operations, and security controls

Frequently Asked Questions

Common questions about folk

folk.app maintains a solid B-grade security posture with an overall score of 69/100, signaling a dependable security foundation for enterprise SaaS users. Strong performance in compliance (80/100) and infrastructure security (80/100) balances areas requiring improvement. Identity and access management demonstrates adequate protection at 70/100, providing robust user authentication controls. However, critical dimensions like API security, vulnerability management, and incident response score 60/100, indicating potential security enhancement opportunities. The security assessment reveals nuanced protection levels across eight key dimensions, highlighting folk's commitment to comprehensive security management. Businesses evaluating folk should recognize its balanced security profile: commendable in core infrastructure and compliance while presenting clear pathways for targeted security improvements. See the Security Dimensions section for a comprehensive breakdown of folk's security landscape and specific enhancement recommendations.