# Security & Privacy
ForgeComply takes security seriously. This guide explains how your data is protected.
## Our Commitment
We're a compliance platform. We understand security expectations. ForgeComply is built with the same rigor we help you achieve.
## Data Isolation
### Organization Separation
Each organization's data is completely isolated:
- Separate data storage per organization
- No cross-organization data access
- API requests scoped to authorized organizations
- Team members only see organizations they belong to
### User Scoping
Within an organization:
- Users see data for their organization only
- Role-based permissions control access levels
- Audit logs track user activity
## Access Control
### Authentication
- Email/password authentication
- Secure password requirements
- Email verification required
- Session management with secure tokens
### Role-Based Access
| Role | Access |
|---|---|
| Admin | Full access: controls, policies, evidence, reports, settings, team management |
| Member | Working access: controls, policies, evidence, reports; limited settings |
| Auditor | Read-only: reports and linked evidence only |
### Auditor Restrictions
Auditors have deliberately limited access:
- Cannot access Dashboard, Controls, Policies, or Evidence pages directly
- Can only view generated reports
- Can only see evidence linked to reports
- Cannot modify any data
- Cannot generate reports
This ensures audit integrity and separation of duties.
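The organization isolation and role matrix described above, as an added illustration of how a deny-by-default check and auditor scoping fit together. This is example code written for this guide, not ForgeComply's own implementation; the resource and action names, the page list, and the sample organizations and users are all constructed for the example.

```python
from dataclasses import dataclass, field

# Permission matrix built from the roles on this page. Resource and action
# names are assumptions for this example, not ForgeComply identifiers.
FULL_PAGES = {"dashboard", "controls", "policies", "evidence", "reports"}
PERMISSIONS = {
    "admin": {
        "page": FULL_PAGES | {"settings", "team"},
        "controls": {"read", "write"}, "policies": {"read", "write"},
        "evidence": {"read", "write"}, "reports": {"read", "generate"},
        "settings": {"read", "write"}, "team": {"read", "write"},
    },
    "member": {
        "page": FULL_PAGES,
        "controls": {"read", "write"}, "policies": {"read", "write"},
        "evidence": {"read", "write"}, "reports": {"read", "generate"},
        "settings": {"read"},
    },
    # Auditors reach only the reports page; evidence is readable solely
    # through a report (see visible_evidence below) and never writable.
    "auditor": {"page": {"reports"}, "reports": {"read"}, "evidence": {"read"}},
}


@dataclass(frozen=True)
class User:
    user_id: str
    memberships: dict  # org_id -> role name


@dataclass
class Org:
    org_id: str
    evidence: dict = field(default_factory=dict)  # evidence_id -> title
    reports: dict = field(default_factory=dict)   # report_id -> linked evidence ids


def role_in(user, org_id):
    """Role the user holds in this organization, or None if not a member."""
    return user.memberships.get(org_id)


def can(user, org_id, resource, action):
    """Deny by default: non-membership, unknown role, resource or action all fail."""
    role = role_in(user, org_id)
    if role is None:
        return False
    return action in PERMISSIONS.get(role, {}).get(resource, set())


def visible_evidence(user, org):
    """Evidence ids the user may list in this org.

    Auditors only see evidence linked to a generated report; everyone else
    with evidence read access sees the whole set. Non-members see nothing.
    """
    if not can(user, org.org_id, "evidence", "read"):
        return set()
    if role_in(user, org.org_id) == "auditor":
        linked = set().union(*org.reports.values())
        return linked & set(org.evidence)
    return set(org.evidence)


# Constructed sample data for two organizations.
ORG_A = Org("org-a",
            evidence={"ev-1": "access review", "ev-2": "backup test", "ev-3": "draft"},
            reports={"rep-1": {"ev-1", "ev-2"}})
ORG_B = Org("org-b", evidence={"ev-9": "belongs to another org"})
ALICE = User("alice", {"org-a": "admin"})
MARK = User("mark", {"org-a": "member", "org-b": "member"})
AUDREY = User("audrey", {"org-a": "auditor"})

if __name__ == "__main__":
    print(sorted(visible_evidence(AUDREY, ORG_A)))     # ['ev-1', 'ev-2']
    print(visible_evidence(ALICE, ORG_B))              # set()
    print(can(AUDREY, "org-a", "reports", "generate"))  # False
```

The two checks are layered on purpose: `can` answers "may this role do this at all" and fails closed for anything it does not recognise, while `visible_evidence` narrows the result set for auditors so that an unlinked draft never appears even though the role nominally has evidence read access. Keeping the org membership lookup inside `can` means a user with no membership in an organization gets nothing from either function.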
## Evidence Security
### Storage
Evidence files are stored securely:
- Encrypted at rest
- Stored in isolated cloud storage
- Not accessible via direct URLs
### Access Control
Evidence access is controlled:
- Only authorized users can view evidence
- Auditors only see evidence linked to reports
- Access requires authentication
### Secure URLs
When you access evidence:
- Time-limited signed URLs are generated
- URLs expire after a short period
- Each URL is scoped to specific files
- URLs cannot be shared or reused
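The signed-URL properties listed above (time-limited, scoped to one file, not shareable or reusable), as an added worked example rather than ForgeComply's own code. It assumes an HMAC-SHA256 signature over the file id, the requesting user and the expiry; the signing key, the host name and the single-use tracking set are constructed for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed signing key; a real service loads this from a secret store.
SIGNING_KEY = b"constructed-signing-key-do-not-reuse"
BASE = "https://evidence.example.invalid/files/"  # assumed host for the example


def _signature(file_id, user_id, expires, key):
    """MAC over everything the URL is scoped to: file, user and expiry."""
    message = f"{file_id}|{user_id}|{expires}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def sign_evidence_url(file_id, user_id, ttl_seconds=300, now=None, key=SIGNING_KEY):
    """Issue a URL that opens one file, for one user, until `expires`."""
    now = int(time.time()) if now is None else int(now)
    expires = now + ttl_seconds
    query = urlencode({"user": user_id, "expires": expires,
                       "sig": _signature(file_id, user_id, expires, key)})
    return f"{BASE}{file_id}?{query}"


def verify_evidence_url(url, requesting_user, now=None, key=SIGNING_KEY, consumed=None):
    """Return the file id if the URL is valid for this requester, else None.

    Rejects: missing or malformed parameters, a different user (sharing),
    a past expiry, a tampered path or query (the MAC no longer matches), and,
    when a `consumed` set is supplied, a signature that was already used.
    """
    now = int(time.time()) if now is None else int(now)
    parsed = urlparse(url)
    if not parsed.path.startswith("/files/"):
        return None
    file_id = parsed.path[len("/files/"):]
    params = parse_qs(parsed.query)
    try:
        user = params["user"][0]
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return None
    if user != requesting_user or now >= expires:
        return None
    # Constant-time comparison so a verifier does not leak how many leading
    # characters of a guessed signature were right.
    if not hmac.compare_digest(_signature(file_id, user, expires, key), sig):
        return None
    if consumed is not None:
        if sig in consumed:
            return None
        consumed.add(sig)
    return file_id


if __name__ == "__main__":
    issued_at = 1_700_000_000  # fixed clock so the run is reproducible
    url = sign_evidence_url("ev-1", "audrey", now=issued_at)
    print(verify_evidence_url(url, "audrey", now=issued_at + 10))  # ev-1
    print(verify_evidence_url(url, "bob", now=issued_at + 10))     # None
```

Binding the authenticated user into the signed message is what makes "cannot be shared" hold: a forwarded link carries a signature for the original user, and the server checks it against the session that presents it. The expiry is checked before the MAC only because it is cheap; the MAC is still verified for every non-expired request, and the `consumed` set is the server-side state that turns a valid-for-five-minutes link into a single-use one.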
## Data Handling
### What We Store
- Account information (name, email)
- Organization data (name, profile)
- Assessment data (controls, responses, policies)
- Evidence files (uploaded documents)
- Reports (generated snapshots)
### What We Don't Store
- Passwords in plain text (hashed only)
- Payment card numbers (handled by payment processor)
- AI conversation history (processed, not persisted)
### Data Retention
- Active data retained while account is active
- Deleted data removed according to retention policy
- Contact support for data export or deletion requests
## AI Data Handling
### What AI Receives
When you use AI assistance:
- Current control context
- Your response status
- Framework information
- General organization context (industry)
### What AI Does NOT Receive
- Your evidence files
- Your policy content
- Your internal notes
- Personal information
- Other users' data
### No AI Training
Your data is not used to train AI models.
### No Persistence
AI observations are generated on-demand and not stored.
## Analytics
### What We Track
ForgeComply collects usage analytics to improve the product:
- Feature usage (which pages, which actions)
- Session information (login, navigation)
- Error occurrences (to fix bugs)
### What We DON'T Track
- Control answer content
- Notes or policy content
- Evidence content or metadata
- AI prompts or outputs
- Personally identifiable information in analytics
### Purpose
Analytics help us:
- Understand feature adoption
- Identify usability issues
- Prioritize improvements
- Fix bugs faster
## Report Immutability
Generated reports are immutable:
- Cannot be edited after generation
- Capture a point-in-time snapshot
- Each has a unique identifier and timestamp
- Create a reliable audit trail
This ensures auditors can trust that reports haven't been tampered with.
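One way to make a report record both a frozen snapshot and tamper-evident, added here as an illustration and not a description of ForgeComply's implementation. The page states only that reports get a unique identifier and timestamp and cannot be edited; the SHA-256 digest over the canonical record, and the sample control data, are assumptions made for the example.

```python
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timezone


def _canonical(payload):
    """Deterministic JSON encoding so the digest is stable across re-encodings."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def generate_report(org_id, controls, report_id=None, generated_at=None):
    """Freeze the current control state into a report record.

    The snapshot is a deep copy (via JSON round-trip) so later edits to the live
    controls cannot leak into it, and the digest covers id, timestamp and snapshot
    so none of the three can be altered without detection.
    """
    snapshot = json.loads(_canonical({"org_id": org_id, "controls": controls}))
    record = {
        "report_id": report_id or str(uuid.uuid4()),
        "generated_at": generated_at or datetime.now(timezone.utc).isoformat(),
        "snapshot": snapshot,
    }
    record["digest"] = hashlib.sha256(_canonical(record)).hexdigest()
    return record


def verify_report(record):
    """True only if id, timestamp and snapshot still match the stored digest."""
    body = {k: record[k] for k in ("report_id", "generated_at", "snapshot")}
    expected = hashlib.sha256(_canonical(body)).hexdigest()
    return hmac.compare_digest(expected, record.get("digest", ""))


# Constructed live assessment data.
LIVE_CONTROLS = [
    {"id": "AC-1", "status": "implemented"},
    {"id": "AC-2", "status": "in_progress"},
]

if __name__ == "__main__":
    report = generate_report("org-a", LIVE_CONTROLS)
    LIVE_CONTROLS[1]["status"] = "implemented"  # work continues after generation
    # The report still says in_progress, and its digest still verifies.
    print(report["snapshot"]["controls"][1]["status"], verify_report(report))  # in_progress True
```

A digest alone shows that a record changed since it was written, not who changed it; storing reports in append-only storage, or signing the digest with a key the application cannot use to re-sign, is what stops an insider from recomputing the digest after an edit. The canonical encoding matters because the same snapshot serialised with different key order would otherwise produce a different hash and a spurious verification failure.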
## Infrastructure Security
### Hosting
- Cloud-hosted infrastructure
- Regular security updates
- DDoS protection
- Network isolation
### Database
- Encrypted connections
- Access logging
- Regular backups
- Point-in-time recovery capability
### Application
- HTTPS only
- Security headers
- Input validation
- Rate limiting
## Incident Response
If a security incident occurs:
- We have documented response procedures
- Affected users will be notified appropriately
- We'll provide details about impact and remediation
- Contact [email protected] to report issues
## Your Responsibilities
While we secure the platform, you're responsible for:
### Account Security
- Strong, unique passwords
- Don't share credentials
- Log out on shared devices
- Report suspicious activity
### Evidence Handling
- Don't upload sensitive data unnecessarily
- Redact appropriately before uploading
- Be mindful of what you share with auditors
### Team Management
- Remove access for departed employees
- Assign appropriate roles
- Review team membership periodically
## Compliance
### Our Practices
We apply the same security controls we help you implement:
- Access management
- Data protection
- Incident response
- Change management
### Certifications
Contact us for information about our security certifications and compliance attestations.
## Frequently Asked Questions
### Is my data encrypted?
Yes, in transit (HTTPS) and at rest.
### Can ForgeComply staff access my data?
Access is limited to authorized personnel for support and operations, with audit logging.
### Can I export my data?
Contact support for data export requests.
### Can I delete my data?
Contact support for data deletion requests.
### Is ForgeComply SOC 2 certified?
Contact us for current certification status.
### Where is data stored?
Cloud infrastructure with data centers in [contact us for specific details].
### How do I report a security issue?
Email [email protected].
## Contact
For security questions or concerns:
- Security issues: [email protected]
- Privacy questions: [email protected]
- General support: [email protected]
## Next Steps
- AI Assistance — AI data handling details
- Reports & Auditor Access — Report security
- Evidence Documentation — Evidence handling