Trust & Security
Enterprise-grade security for form data.
Form submissions contain some of your most sensitive business data — leads, employee information, medical details. Forge treats it accordingly.
GDPR Compliant · CCPA Compliant · SOC 2 In Progress · HIPAA BAA Available · TLS 1.3 Only · AES-256 Encryption
Security Architecture
Encryption
- AES-256-GCM encryption at rest for all submission data
- TLS 1.3 in transit — TLS 1.0 and 1.1 are permanently disabled
- Field-level encryption available for sensitive fields (SSN, card data) on Secure plan
- Customer-managed encryption keys (CMEK) on Secure plan only
Infrastructure
- Hosted on AWS in us-east-1 and eu-west-1 (EU data residency on Secure plan)
- N+1 redundancy on all stateful services — zero planned downtime deployments
- Automated daily backups with 30-day point-in-time recovery
- 99.9% uptime SLA on Standard and above; 99.99% on Secure
Access Control
- Role-based access control (RBAC) with Viewer, Editor, Admin, and Owner roles
- Row-level security on Supabase prevents cross-workspace data access
- API keys are bcrypt-hashed at rest — not stored in plaintext anywhere
- Mandatory 2FA enforcement available on workspace settings (Secure plan)
Vulnerability Management
- Quarterly penetration testing by third-party security firm (Cobalt.io)
- Automated SAST scanning on every pull request via GitHub Actions + Semgrep
- Dependency vulnerability scanning with Dependabot — critical CVEs patched within 24h
- Responsible disclosure program: security@useforge.cloud
Audit & Compliance
- Immutable workspace audit log retained for 1 year (Standard), unlimited (Secure)
- SOC 2 Type II audit in progress — target Q1 2027
- GDPR Article 28 DPA available for all paid customers on request
- CCPA compliance: California residents can request data deletion at privacy@useforge.cloud
Data Isolation
- All workspaces are cryptographically isolated at the row level via tenant ID
- Shared database with row-level security — no single-tenant databases on Standard plans
- Dedicated database cluster available on Secure plan for enterprise isolation requirements
- Database credentials automatically rotated every 90 days
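The row-level isolation described under Access Control and Data Isolation (Supabase row-level security scoped by tenant ID) is enforced by Postgres policies. The following is an added illustration, not Forge's own schema or policy; the table name `submissions`, the column `tenant_id`, and the session setting `app.tenant_id` are assumptions. It shows the common mistake of a policy with only a `USING` clause next to the corrected form, which also constrains writes.

```sql
-- Added illustration (not Forge's schema): a Postgres row-level security
-- policy that scopes every query on a submissions table to the caller's
-- tenant. Table, column and setting names are assumptions.
create table submissions (
  id          bigint generated always as identity primary key,
  tenant_id   uuid not null,
  form_id     uuid not null,
  payload     jsonb not null,
  created_at  timestamptz not null default now()
);

-- Enable RLS and force it so that even the table owner cannot bypass it.
alter table submissions enable row level security;
alter table submissions force row level security;

-- Weak: a policy with only USING filters reads, but USING is not applied
-- to newly written rows, so a caller could INSERT a row tagged with another
-- tenant's id. Shown commented out for comparison.
-- create policy tenant_rw on submissions for all
--   using (tenant_id = (current_setting('app.tenant_id', true))::uuid);

-- Corrected: USING governs which rows can be read, updated or deleted;
-- WITH CHECK governs which rows may be written. Both are tied to the
-- tenant of the current session, so cross-tenant writes are rejected too.
create policy tenant_rw on submissions
  for all
  using      (tenant_id = (current_setting('app.tenant_id', true))::uuid)
  with check (tenant_id = (current_setting('app.tenant_id', true))::uuid);

-- The application sets the tenant for the transaction from the
-- authenticated principal. If the setting is absent, current_setting(...,
-- true) returns NULL, the comparison is NULL, and no rows are visible:
-- the fail-closed default a multi-tenant table needs.
-- begin;
-- set local app.tenant_id = '00000000-0000-0000-0000-000000000000';
-- select count(*) from submissions;  -- only this tenant's rows
-- commit;
```

On Supabase the tenant would more typically be derived from the caller's JWT (for example via `auth.jwt()`) rather than a session setting; the policy shape is the same. The check a reviewer would run is the commented-out variant: without `WITH CHECK`, an insert with a foreign `tenant_id` succeeds, and the isolation claim is only half true.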
Compliance Status
| Standard | Status | Details |
|---|---|---|
| GDPR | Compliant | DPA available, data residency configurable, right-to-erasure API |
| CCPA | Compliant | Data deletion requests honored within 45 days, no data sale |
| SOC 2 Type II | In Progress | Audit in progress with A-LIGN. Target certification Q1 2027 |
| HIPAA | BAA Available | Business Associate Agreement available on Secure plan on request |
| PCI-DSS | Not Applicable | Forge does not store, process, or transmit cardholder data |
For DPA requests and compliance documentation: legal@useforge.cloud
Data Retention Policies
| Data Type | Default Retention | Configurable? |
|---|---|---|
| Form submissions | Until account deletion | Configurable per form (30d, 90d, 1y, indefinite) |
| Webhook delivery logs | 90 days | Not configurable |
| Audit logs | 30 days (Start), 1 year (Standard–Max), Unlimited (Secure) | Not configurable |
| Error logs | 30 days | Not configurable |
| API key hashes | Until key deleted | Not configurable |
| Account data | 30 days after account cancellation | Not configurable |
Sub-Processors
Forge uses the following approved sub-processors to deliver its service. For GDPR compliance, all EU sub-processors are governed by standard contractual clauses (SCCs).
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, storage, and compute | US / EU (eu-west-1) |
| Supabase | PostgreSQL database, authentication, real-time | AWS us-east-1 |
| Vercel | Next.js application hosting and edge network | Global CDN |
| Resend | Transactional email delivery | US |
| Stripe | Payment processing for subscriptions | US / EU |
| Sentry | Error monitoring and performance tracking | US |
Incident Response SLAs
| Severity | First Response | Resolution Target |
|---|---|---|
| P0 — Data breach or data loss | < 1 hour | Best effort 24h; regulatory notification within 72h |
| P1 — Service unavailable | < 15 minutes | < 4 hours (Secure plan), < 8 hours (Max) |
| P2 — Degraded performance | < 1 hour | < 24 hours |
| P3 — Minor issues | < 4 hours | Next business day |
Report security vulnerabilities to security@useforge.cloud. We commit to acknowledging all reports within 24 hours.
Need enterprise-grade compliance?
The Forge Secure plan includes EU data residency, CMEK, dedicated database cluster, mandatory 2FA, HIPAA BAA, and custom DPA. Contact our team.