Information Security Policy

How DerMar Consulting Group LLC (dba "ForgeWorks") identifies, mitigates, and monitors information security risks across its products and infrastructure.

Version 1.0 · Effective June 29, 2026 · Reviewed at least annually

Operating entity: DerMar Consulting Group LLC, dba ForgeWorks

Address: 3151 Cape Horn Rd, Unit #2092, Red Lion, PA 17356, USA

Security contact: Derek Markley, Founder · info@getforgeworks.com

1. Purpose and scope

This policy describes how ForgeWorks identifies, mitigates, and monitors information security risks across the software products it operates (including LedgerForge, RunSheet, FieldForge, RemediDocs, and related services) and the supporting infrastructure. It applies to all systems that store or process customer data, all third-party services used to deliver those products, and anyone with access to production systems.

ForgeWorks is a small, owner-operated software company. This policy is sized to that reality: it documents controls that are actually implemented and operated, not controls that require a dedicated security team. Where a practice is in progress rather than fully operationalized, it is labeled as such.

2. Roles and responsibilities

3. Data inventory and classification

ForgeWorks classifies the data it handles into three tiers:

ForgeWorks does not store bank login credentials. Bank authentication is handled entirely by Plaid; ForgeWorks receives only a Plaid access token (encrypted at rest) and the financial data the user authorizes. ForgeWorks does not store full payment card numbers; card payments are processed by Stripe.

4. Access control and authentication

5. Encryption

6. Secrets management

7. Third-party and vendor management

ForgeWorks relies on a small set of established service providers and limits the data shared with each to what the feature requires:

New vendors are reviewed for their security posture and data handling before integration, and only the minimum necessary data is shared.

8. Secure development practices

9. Logging and monitoring

10. Rate limiting and abuse prevention

Authentication-sensitive and high-cost endpoints are rate limited to reduce credential-stuffing and abuse. Edge protection (Cloudflare) provides an additional layer in front of the origin.

11. Vulnerability and patch management

12. Backup and recovery

13. Incident response

If a security incident is suspected:

  1. Contain — revoke or rotate the affected credentials and, if necessary, take the affected service offline.
  2. Assess — use access, audit, and error logs to determine what data and which tenants were affected.
  3. Remediate — fix the underlying issue, deploy through staging to production, and confirm closure.
  4. Notify — inform affected customers and any required parties (including providers such as Plaid or Stripe where their data or integration is involved) without undue delay, consistent with applicable law and provider agreements.
  5. Review — record the incident and corrective actions, and update this policy or the controls if needed.

The security contact for incident reports is info@getforgeworks.com.

14. Data retention, privacy, and deletion

15. Risk management process

ForgeWorks manages information security risk as an ongoing cycle:

This process is owned by the Founder and revisited at the review cadence above and whenever a material change occurs.

16. Physical and endpoint security

Production runs in a reputable cloud data center rather than on premises. Servers are administered remotely over encrypted, key-based SSH (password login disabled), and administrative access is restricted to the operator. Administrative systems are kept patched.

17. Policy review and revision history

This policy is reviewed at least annually and after any material system change or security incident.

Version | Date       | Change
1.0     | 2026-06-29 | Initial policy issued