Security & Trust

How we protect your data

ForgeWorks is an owner-operated software company. This page describes the security controls we actually run — and, just as importantly, what we don't yet claim.

Straight answer on certifications: ForgeWorks is not currently SOC 2 attested or ISO 27001 certified. Those are formal, third-party-audited programs we haven't yet engaged. What we do have is a written Information Security Policy and the technical controls below, implemented and operating today. If your procurement process requires a formal report, contact us — we'll tell you exactly where we stand and can prioritize it for a committed engagement.

What we do to protect data

Controls that are implemented and operating across our products.

🔒 Encryption in transit

All customer traffic is served over HTTPS/TLS, with certificates issued and auto-renewed at the reverse proxy. Cloudflare provides TLS and edge protection in front of the origin.

🔑 Encryption at rest

High-sensitivity secrets — such as bank access tokens — are encrypted with authenticated symmetric encryption before storage. Keys are never committed to source control.

🏢 Tenant isolation

Every product is multi-tenant, and every database query touching customer data is scoped to that customer's tenant. One customer cannot read or modify another's data.

👤 Authentication

Passwords are hashed with bcrypt and never stored or logged in plaintext. Sessions use signed tokens; the signing key must be strong or the service refuses to start. Login endpoints are rate-limited.
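The three controls named above (a signing key the service refuses to start without, signed session tokens, and a rate-limited login path) fit in a few dozen lines. The block below is an added example, not ForgeWorks' code; it assumes the signing key arrives in a `SESSION_SIGNING_KEY` environment variable (so it never sits in source control), and it uses `hashlib.scrypt` from the standard library where the page uses bcrypt, since bcrypt is not in the Python standard library.

```python
"""Added example, not ForgeWorks code: startup key check, HMAC-signed session
tokens, scrypt password hashing (standing in for bcrypt), and a login rate
limiter. The environment variable name and the policy thresholds are assumed."""
import base64
import binascii
import hashlib
import hmac
import json
import os
import secrets
import time
from collections import deque

MIN_KEY_CHARS = 32   # assumed policy: at least 32 characters of signing key
MIN_DISTINCT = 8     # assumed policy: reject low-variety values such as "aaaa..."


def key_is_acceptable(raw: str) -> bool:
    """Short, repetitive, or placeholder keys are rejected."""
    return (len(raw) >= MIN_KEY_CHARS and len(set(raw)) >= MIN_DISTINCT
            and raw.lower() not in {"changeme", "secret", "password"})


def load_signing_key(env=None) -> bytes:
    """Called once at startup; raising here is how the service refuses to start."""
    env = os.environ if env is None else env
    raw = env.get("SESSION_SIGNING_KEY", "")
    if not key_is_acceptable(raw):
        raise RuntimeError("SESSION_SIGNING_KEY is missing or too weak; refusing to start")
    return raw.encode()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, user_id: str, tenant_id: str, ttl_s: int = 3600, now=None) -> str:
    """payload.signature, where the signature is HMAC-SHA256 over the payload bytes."""
    now = time.time() if now is None else now
    claims = {"uid": user_id, "tid": tenant_id, "exp": int(now + ttl_s)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(key: bytes, token: str, now=None):
    """Return the claims for a valid, unexpired token; None for anything else."""
    now = time.time() if now is None else now
    try:
        p64, s64 = token.split(".", 1)
        payload, sig = _unb64(p64), _unb64(s64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):   # constant-time comparison
            return None
        claims = json.loads(payload)
        return None if claims["exp"] < now else claims
    except (ValueError, binascii.Error, KeyError, TypeError):
        return None


def hash_password(password: str) -> str:
    """Salted scrypt hash; the plaintext is never stored. Format: salt$digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"{_b64(salt)}${_b64(digest)}"


def check_password(password: str, stored: str) -> bool:
    salt64, digest64 = stored.split("$", 1)
    digest = hashlib.scrypt(password.encode(), salt=_unb64(salt64), n=2**14, r=8, p=1)
    return hmac.compare_digest(digest, _unb64(digest64))


class LoginRateLimiter:
    """Sliding-window limiter keyed by client identifier (IP, username, ...)."""

    def __init__(self, limit: int = 5, window_s: int = 60):
        self.limit, self.window_s = limit, window_s
        self._hits = {}

    def allow(self, client_key: str, now=None) -> bool:
        now = time.time() if now is None else now
        q = self._hits.setdefault(client_key, deque())
        while q and q[0] <= now - self.window_s:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    key = load_signing_key({"SESSION_SIGNING_KEY": secrets.token_hex(32)})
    print(verify_token(key, issue_token(key, "u1", "acme")))
```

Each check returns a plain value rather than raising on bad input, so the login handler can treat "tampered", "expired" and "rate-limited" uniformly as a denial without leaking which one applied.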

💳 Payments

Card payments are processed by Stripe (PCI-DSS Level 1). ForgeWorks does not store full payment card numbers.

🏦 Bank connections

Where a product connects to a bank, authentication is handled entirely by Plaid. We never see your bank login — only a read-only, encrypted access token you authorize.

⚙️ Secure development

Parameterized database access, authorization checks on every record, path-traversal protection, pinned dependencies, and tracked schema migrations. Changes are verified in staging before production.
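The tenant-isolation and secure-development items above describe one pattern: every query is parameterized and carries the caller's tenant id, so a record belonging to another tenant is simply not found, and file access is confined to a base directory. The block below is an added example, not ForgeWorks' code; the `invoices` table, its rows and the tenant names are constructed for the example, and SQLite stands in for whatever database the products use.

```python
"""Added example, not ForgeWorks code: tenant-scoped, parameterized data access
with an authorization check on every record, plus a path-traversal guard.
Schema, rows and tenant names are constructed for the example."""
import os
import sqlite3


def open_db() -> sqlite3.Connection:
    """In-memory database seeded with two tenants' invoices (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, "
        "amount_cents INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, "acme", 1200), (2, "acme", 500), (3, "globex", 9900)],
    )
    return conn


class InvoiceRepo:
    """Every statement binds tenant_id as a parameter; there is no unscoped path."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self.conn, self.tenant_id = conn, tenant_id

    def get(self, invoice_id: int):
        # The tenant check is part of the WHERE clause, not a later if-statement,
        # so a record from another tenant is never loaded in the first place.
        return self.conn.execute(
            "SELECT id, tenant_id, amount_cents FROM invoices WHERE id = ? AND tenant_id = ?",
            (invoice_id, self.tenant_id),
        ).fetchone()

    def list_ids(self) -> list:
        rows = self.conn.execute(
            "SELECT id FROM invoices WHERE tenant_id = ? ORDER BY id", (self.tenant_id,)
        )
        return [r[0] for r in rows]

    def update_amount(self, invoice_id: int, amount_cents: int) -> int:
        """Returns rows changed: 0 means no record visible to this tenant matched."""
        cur = self.conn.execute(
            "UPDATE invoices SET amount_cents = ? WHERE id = ? AND tenant_id = ?",
            (amount_cents, invoice_id, self.tenant_id),
        )
        return cur.rowcount


def is_safe_upload_path(base_dir: str, user_path: str) -> bool:
    """True only if user_path, resolved, still lies inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    return os.path.commonpath([base, target]) == base


def resolve_upload(base_dir: str, user_path: str) -> str:
    if not is_safe_upload_path(base_dir, user_path):
        raise ValueError("path escapes the upload directory")
    return os.path.realpath(os.path.join(os.path.realpath(base_dir), user_path))


if __name__ == "__main__":
    db = open_db()
    print(InvoiceRepo(db, "acme").get(3))        # None: belongs to globex
    print(resolve_upload("uploads", "report.pdf"))
```

Because the tenant id is bound as a parameter, a value such as `acme' OR '1'='1` is compared literally and matches nothing; and because `os.path.join` discards the base when given an absolute path, the guard resolves the joined path and re-checks containment rather than trusting the join.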

💾 Backups & recovery

Production databases are backed up on a regular schedule with documented restore procedures, so data can be recovered after loss or corruption.

📜 Logging & monitoring

Structured access logs, error logs, and audit logs for significant actions — written so they don't contain secrets or full payment data — reviewed during incident investigation.
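Keeping secrets and full card numbers out of audit logs is easiest when the redaction happens in the one function that writes the line. The block below is an added example, not ForgeWorks' code; the field names, the sensitive-key list and the sample events are constructed for the example.

```python
"""Added example, not ForgeWorks code: a structured audit-log writer that
redacts secret-bearing fields by name and masks Luhn-valid card numbers in
free text before the line is emitted. Field names are assumed."""
import json
import re
import time

# Assumed: field names whose values are never logged, whatever they contain.
SENSITIVE_KEYS = {"password", "token", "access_token", "refresh_token",
                  "authorization", "secret", "card_number", "cvc"}
# 13 to 19 digits with optional single space/dash separators, ending on a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used so that ordinary ids are not masked by accident."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_cards(text: str) -> str:
    """Replace every Luhn-valid card-like number with ****<last four>."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        return "****" + digits[-4:] if luhn_ok(digits) else m.group(0)
    return CARD_RE.sub(_mask, text)


def redact(value):
    """Recursively scrub dicts, lists and strings; other values pass through."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return mask_cards(value)
    return value


def audit_record(action: str, actor: str, tenant_id: str, ts=None, **fields) -> dict:
    """Build the record that will be logged; redaction runs before it leaves here."""
    return {
        "ts": time.time() if ts is None else ts,
        "action": action,
        "actor": actor,
        "tenant_id": tenant_id,
        "fields": redact(fields),
    }


def audit_line(action: str, actor: str, tenant_id: str, ts=None, **fields) -> str:
    return json.dumps(audit_record(action, actor, tenant_id, ts, **fields),
                      separators=(",", ":"))


if __name__ == "__main__":
    # Constructed sample event.
    print(audit_line("payment.create", "user_17", "acme",
                     card_number="4111111111111111",
                     note="paid with 4111 1111 1111 1111 today",
                     token="tok_SECRETVALUE"))
```

Redacting by field name catches the values you know about; the Luhn-checked mask catches card numbers that arrive in free-text fields such as notes or error messages, while leaving non-Luhn identifiers of similar length untouched.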

Compliance status

Stated plainly, so there are no surprises in your review.

Not yet: SOC 2 (Type I / II)
  No current attestation report. Can be pursued for a committed enterprise engagement using an automated evidence platform (e.g., Vanta/Drata) plus a licensed auditor.

Not yet: ISO/IEC 27001
  Not certified. Our Information Security Policy is structured around the same control themes and can serve as the basis for a future ISMS.

In place: Written Information Security Policy
  Reviewed at least annually and after any material change. Read the full policy.

In place: PCI-DSS scope minimized
  Card data is handled entirely by Stripe; ForgeWorks stores no card numbers.

On request: Security questionnaires & self-attestation
  We complete standard vendor security questionnaires and can provide a signed self-attestation letter.

Subprocessors

The established providers we rely on, and the data each receives.

Provider     Purpose                                    Data shared
Cloudflare   DNS, TLS, edge/DDoS protection             Traffic metadata
Hetzner      Cloud hosting (VPS)                        All application data (at rest, on our controlled infrastructure)
Stripe       Subscription billing & payments            Billing details, card data (held by Stripe)
Plaid        Bank connectivity (finance product only)   Read-only transactions/balances you authorize
Resend       Transactional email                        Recipient email address & message content
Telnyx       SMS notifications (where enabled)          Recipient phone number & message content
Anthropic    AI features (where enabled)                Only the content needed for the requested AI action

Only the minimum data required for each feature is shared. New providers are reviewed before integration.

Incident response & contact

If something goes wrong, or you have a security question.

We contain (rotate/revoke and, if needed, take the service offline), assess impact using our logs, remediate through staging to production, and notify affected customers and providers without undue delay. To report a vulnerability, request our Information Security Policy, or ask about a security questionnaire, contact info@getforgeworks.com.