What we do to protect data
Controls that are implemented and operating across our products.
🔒 Encryption in transit
All customer traffic is served over HTTPS/TLS, with certificates issued and auto-renewed at the reverse proxy. Cloudflare provides TLS and edge protection in front of the origin.
🔑 Encryption at rest
High-sensitivity secrets — such as bank access tokens — are encrypted with authenticated symmetric encryption before storage. Keys are never committed to source control.
🏢 Tenant isolation
Every product is multi-tenant, and every database query touching customer data is scoped to that customer's tenant. One customer cannot read or modify another's data.
👤 Authentication
Passwords are hashed with bcrypt and never stored or logged in plaintext. Sessions use signed tokens; the signing key must be strong or the service refuses to start. Login endpoints are rate-limited.
💳 Payments
Card payments are processed by Stripe (PCI-DSS Level 1). ForgeWorks does not store full payment card numbers.
🏦 Bank connections
Where a product connects to a bank, authentication is handled entirely by Plaid. We never see your bank login — only a read-only, encrypted access token you authorize.
⚙️ Secure development
Parameterized database access, authorization checks on every record, path-traversal protection, pinned dependencies, and tracked schema migrations. Changes are verified in staging before production.
💾 Backups & recovery
Production databases are backed up on a regular schedule with documented restore procedures, so data can be recovered after loss or corruption.
📜 Logging & monitoring
Structured access logs, error logs, and audit logs for significant actions — written so they don't contain secrets or full payment data — reviewed during incident investigation.
Compliance status
Stated plainly, so there are no surprises in your review.
No current attestation report. Can be pursued for a committed enterprise engagement using an automated evidence platform (e.g., Vanta/Drata) plus a licensed auditor.
Not certified. Our Information Security Policy is structured around the same control themes and can serve as the basis for a future ISMS.
Reviewed at least annually and after any material change. Read the full policy →
Card data is handled entirely by Stripe; ForgeWorks stores no card numbers.
We complete standard vendor security questionnaires and can provide a signed self-attestation letter.
Subprocessors
The established providers we rely on, and the data each receives.
| Provider | Purpose | Data shared |
|---|---|---|
| Cloudflare | DNS, TLS, edge/DDoS protection | Traffic metadata |
| Hetzner | Cloud hosting (VPS) | All application data (at rest, on our controlled infrastructure) |
| Stripe | Subscription billing & payments | Billing details, card data (held by Stripe) |
| Plaid | Bank connectivity (finance product only) | Read-only transactions/balances you authorize |
| Resend | Transactional email | Recipient email address & message content |
| Telnyx | SMS notifications (where enabled) | Recipient phone number & message content |
| Anthropic | AI features (where enabled) | Only the content needed for the requested AI action |
Only the minimum data required for each feature is shared. New providers are reviewed before integration.
Incident response & contact
If something goes wrong, or you have a security question.