Security at Forge

Ownership data is among the most sensitive information a founder holds. We built Forge with security as a first-class constraint, not an afterthought.

Last reviewed: June 13, 2026

Draft pending review by outside counsel. Do not rely on this page as legal advice until this notice is removed.

Encryption at Rest and in Transit

All data is encrypted using AES-256 at rest and TLS 1.3 in transit. No exceptions.

Row-Level Security (RLS)

PostgreSQL RLS policies enforce access controls at the database layer, not just the application layer.

Per-Organization Data Isolation

Database-level row-level security scopes every query to your organization. No commingling of data across accounts.

Append-Only Ownership Ledger

Ownership events are recorded as an immutable, append-only ledger with timestamps and user attribution.
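As an added example (not Forge's own schema or policies), the following PostgreSQL DDL shows one way to realise the two guarantees described above: RLS policies that scope every read and write to the caller's organization, and a ledger table that cannot be updated or deleted. Table, column and role names and the org_id JWT claim are assumptions; request.jwt.claims is the setting through which PostgREST-style stacks such as Supabase expose the verified JWT claims to the database.

```sql
-- Ledger of ownership events; one row per event, attributed to a user.
create table ownership_events (
    id          uuid        primary key default gen_random_uuid(),
    org_id      uuid        not null,        -- tenant that owns the row
    actor_id    uuid        not null,        -- user who recorded the event
    recorded_at timestamptz not null default now(),
    payload     jsonb       not null
);

-- Tenant and user identity come from the verified JWT claims that the API
-- layer places in request.jwt.claims (assumed claim names: org_id, sub).
-- With no claims set the function returns NULL, the policy predicates
-- evaluate to NULL, and RLS treats that as "no rows".
create or replace function jwt_claim(claim text) returns text
language sql stable as $$
    select nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> claim
$$;

alter table ownership_events enable row level security;
alter table ownership_events force row level security;  -- table owner is not exempt

-- Reads: only rows belonging to the caller's organization.
create policy ledger_select on ownership_events
    for select using (org_id = jwt_claim('org_id')::uuid);

-- Writes: a row must carry the caller's own org and identity, so one tenant
-- cannot append to another tenant's ledger or falsify the attribution.
create policy ledger_insert on ownership_events
    for insert with check (
        org_id       = jwt_claim('org_id')::uuid
        and actor_id = jwt_claim('sub')::uuid
    );

-- Append-only: the application role gets no UPDATE, DELETE or TRUNCATE
-- privilege (role name app_user is an assumption), and no policy exists for
-- those commands, so even a mistaken grant would match zero rows.
grant select, insert on ownership_events to app_user;

-- Defence in depth for roles that bypass RLS (superusers, BYPASSRLS):
-- a statement-level trigger refuses any mutation of recorded history.
create or replace function reject_ledger_mutation() returns trigger
language plpgsql as $$
begin
    raise exception 'ownership_events is append-only (% rejected)', tg_op;
end
$$;
create trigger ownership_events_append_only
    before update or delete or truncate on ownership_events
    for each statement execute function reject_ledger_mutation();
```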

Document Storage

Uploaded documents are stored in access-controlled storage scoped to your organization.

Identity & Access Management

JWT-based authentication with secure session management. No passwords stored in plain text.

Infrastructure

Forge runs on managed cloud infrastructure (Cloudflare Workers and Supabase/Postgres). Our database provider performs automated backups with point-in-time recovery and replication.

  • TLS 1.3 in transit, AES-256 encryption at rest
  • Automated daily backups with point-in-time recovery
  • Security response headers (CSP, HSTS, frame-ancestors deny) on every request
  • Per-tenant rate limiting on AI and write-heavy endpoints

Compliance Roadmap

Forge is in private beta. We have not yet completed formal third-party compliance certifications. Our roadmap includes:

  • SOC 2 Type II audit (planned)
  • GDPR/CCPA data-subject request tooling (planned)
  • Independent third-party penetration testing (planned ahead of general availability)

If your organization requires specific certifications before onboarding, contact us at security@forge.app to discuss timelines.

Incident Response

We maintain a documented incident response plan with defined escalation paths, communication protocols, and recovery procedures. In the event of a security incident affecting customer data, we will notify affected users within 72 hours of discovery, as required by applicable regulations.

Responsible Disclosure

We welcome responsible security research. If you discover a vulnerability, please report it to security@forge.app with detailed reproduction steps. We commit to:

  • Acknowledging receipt within 48 hours
  • Providing a timeline for remediation
  • Not pursuing legal action against good-faith researchers
  • Publicly crediting researchers who request it (with their permission)

Security Certifications & Assessments

SOC 2 Type II: Planned
ISO 27001: Not started
Penetration Testing: Planned
GDPR Compliance: In progress

Contact

For security inquiries, vulnerability reports, or compliance documentation requests:

Forge Security Team
Email: security@forge.app
PGP Key: Available upon request