Enterprise

Enterprise-Grade AI Infrastructure

SSO, Zanzibar permissions, OPA policies, compliance frameworks, data residency routing, multi-tenancy isolation, and custom SLAs for organizations that cannot compromise.

Authentication & Permissions

Enterprise identity management with SSO, automated provisioning, and fine-grained relationship-based access control. Every permission check completes in milliseconds without blocking request processing.

SSO / SAML / SCIM

Clerk handles dashboard authentication with support for SAML 2.0 single sign-on, SCIM 2.0 user provisioning, and enterprise identity providers including Okta, Azure AD, Google Workspace, and OneLogin. When an employee is deprovisioned in your IdP, their Forge access is revoked automatically via SCIM webhooks. Multi-factor authentication is enforced by default for all enterprise accounts.

  • SAML 2.0 SSO with IdP-initiated and SP-initiated flows
  • SCIM 2.0 for automated user provisioning and deprovisioning
  • Support for Okta, Azure AD, Google Workspace, OneLogin, and custom SAML
  • Mandatory MFA enforcement for enterprise organizations
  • Just-in-time provisioning with automatic role assignment

SpiceDB Zanzibar Permissions

Google Zanzibar-style relationship-based access control via SpiceDB. Permissions are modeled as relationships between subjects (users, agents, service accounts) and objects (models, memory namespaces, tools, API keys). SpiceDB evaluates permission checks in under 5ms with consistency guarantees. The permission schema is version-controlled and auditable.

  • Relationship-based access control (ReBAC) modeled on Google Zanzibar
  • Sub-5ms permission checks with snapshot consistency
  • Fine-grained permissions: model access, memory namespaces, tool invocations
  • Inheritance and grouping for organizational hierarchies
  • Schema versioning with migration support and rollback

OPA + Rego Policies

Open Policy Agent evaluates custom business policies written in Rego. Policies are compiled to WASM for sub-2ms evaluation latency. OPAL distributes policy updates in real-time across all Forge instances. Common policies include cost caps, model allow-lists, data residency enforcement, and time-based access windows. Policies are stored in version control and deployed through CI/CD.

  • Custom policy authoring in Rego language
  • WASM-compiled policies for sub-2ms evaluation
  • OPAL real-time policy distribution across all nodes
  • Policy templates for common enterprise requirements
  • CI/CD integration with policy testing and validation
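
A Rego policy combining the four common policy kinds named above (model allow-list, data residency, cost cap, time-based access window), written as an added example and not taken from Forge. The package name, every `input` field, the tenant name, the model names and the region identifiers are assumptions made for illustration.

```rego
package forge_example.gateway

import rego.v1

# Constructed sample data; a real deployment would load this as OPA data.
allowed_models := {"tenant-a": {"model-small", "model-large"}}

# Residency requirement -> provider regions that satisfy it (constructed ids).
residency_regions := {
	"eu": {"eu-west", "eu-central"},
	"us": {"us-east", "us-west"},
}

# Fail closed: a missing or malformed input field leaves a check undefined,
# so allow keeps its default of false.
default allow := false

allow if {
	model_allowed
	residency_ok
	under_cost_cap
	within_access_window
}

model_allowed if input.model in allowed_models[input.tenant]

residency_ok if input.provider_region in residency_regions[input.tenant_residency]

under_cost_cap if input.month_spend_usd + input.estimated_cost_usd <= input.cost_cap_usd

# Time-based access window: 08:00-20:00 UTC.
within_access_window if {
	[hour, _, _] := time.clock([time.now_ns(), "UTC"])
	hour >= 8
	hour < 20
}

# Human-readable denial reasons for the audit log.
reasons contains "model not on allow-list" if not model_allowed
reasons contains "provider region violates residency" if not residency_ok
reasons contains "cost cap exceeded" if not under_cost_cap
reasons contains "outside access window" if not within_access_window
```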

Compliance Frameworks

Forge is designed for regulated industries. Automated evidence collection, continuous control monitoring, and audit-ready reporting reduce the compliance burden from months to days.

SOC 2 Type II

Path to certification

Forge follows SOC 2 trust service criteria for security, availability, and confidentiality. Automated evidence collection via Forge Comply generates audit-ready reports. The platform maintains continuous control monitoring with drift detection and remediation workflows.

  • Access control logging
  • Change management
  • Incident response
  • Vendor management
  • Encryption at rest and in transit

HIPAA BAA

Supported

Business Associate Agreements are available for healthcare organizations. Forge's data handling meets HIPAA requirements through end-to-end encryption, access logging, automatic PII detection and redaction via Presidio, and audit trails on every data access. PHI never leaves the customer's infrastructure when self-hosted.

  • PHI access logging
  • Minimum necessary access
  • Automatic PII redaction
  • Breach notification procedures
  • BAA execution

EU AI Act

Compliance ready

Forge integrates Probo and EuConform for EU AI Act compliance assessment. The platform classifies AI workloads by risk level, enforces transparency requirements, and generates the technical documentation required for high-risk AI systems. Data residency routing ensures EU data remains in EU regions.

  • Risk classification engine
  • Transparency documentation
  • Human oversight mechanisms
  • Data governance controls
  • Conformity assessment

ISO 27001

Framework aligned

Forge's security architecture aligns with ISO 27001 Annex A controls. The ForgeGuard pipeline, SpiceDB permissions, OPA policies, and comprehensive audit logging together satisfy information security management system requirements. Forge Comply maps controls to evidence automatically.

  • Information security policies
  • Asset management
  • Access control
  • Cryptography
  • Operations security

Data Residency Routing

Configure data residency rules per tenant to ensure that requests from EU users are routed exclusively to EU-based LLM providers. Residency rules are enforced in the S4 Secure Route stage of the ForgeGuard pipeline, before any data leaves the Forge gateway. Rules apply to LLM requests, memory storage, and observability data simultaneously.

For organizations with strict sovereignty requirements, Forge supports customer-managed infrastructure where the entire gateway runs on-premises or in a customer-controlled cloud account. In this deployment, no data ever leaves the customer's network boundary.

Region | Location
US East | Virginia
US West | Oregon
EU West | Frankfurt / Ireland
EU Central | Netherlands
Asia Pacific | Tokyo / Singapore
Custom | Customer-managed

Multi-Tenancy Isolation

Build platforms on top of Forge with complete tenant isolation. Each tenant gets its own permission boundaries, memory namespaces, billing accounts, and observability dashboards.

Tenant Isolation

Every tenant operates in a fully isolated environment. Memory namespaces, API keys, agent configurations, credit balances, and observability data are completely separated. One tenant cannot access, search, or influence another tenant's data. Isolation is enforced at the SpiceDB permission layer, the database layer, and the memory layer simultaneously.

Dedicated Infrastructure

Enterprise customers can opt for dedicated Forge instances running on isolated infrastructure. Dedicated deployments provide guaranteed compute resources, custom scaling policies, and the ability to connect to customer-managed LLM providers via private network links. This option is useful for organizations with strict data sovereignty requirements.

Encryption & Key Management

All data is encrypted at rest with AES-256-GCM and in transit with TLS 1.3. Enterprise customers can bring their own encryption keys (BYOK) for data at rest. Agent-Vault credentials are stored with an additional layer of per-tenant key encryption. Key rotation is automated with zero-downtime re-encryption.

Audit Trail

Every API call, permission check, configuration change, and administrative action is logged in an immutable audit trail. Audit logs support structured queries, export to SIEM systems, and configurable retention periods from 90 days to indefinite. Logs satisfy SOC 2 and HIPAA audit requirements out of the box.

Custom SLAs

Enterprise contracts include contractual SLAs with financial penalties for breaches. Standard SLAs cover uptime, latency overhead, and support response times. Custom SLAs can be negotiated for specific requirements.

Metric | Standard | Enterprise
API Uptime | 99.95% | 99.99%
P95 Latency Overhead | <50ms | <25ms
Support Response (P1) | 4 hours | 30 minutes
Support Response (P2) | 8 hours | 2 hours
Incident Postmortem | 72 hours | 24 hours
Scheduled Maintenance | 48h notice | 72h notice

Enterprise Pricing

Enterprise contracts start at $36,000/year for teams up to 50 users. Volume discounts, multi-year commitments, and custom pricing are available for larger deployments. Contact our enterprise team for a tailored proposal.

Pricing tiers: Free / Pro ($49/mo) / Ultimate ($149/mo) / Enterprise ($36K-$150K+/yr)

Ready for enterprise AI?

Talk to our enterprise team about SSO integration, compliance requirements, data residency, custom SLAs, and volume pricing. Most enterprise deployments are production-ready within two weeks.