Forge is preparing the requested surface and verifying the live route.

Security

Security built into every layer

An 8-stage security pipeline, enterprise authorization, and compliance-ready infrastructure protect every request.

The labels below mix live controls and roadmap items. Planned and in-progress compliance states are not certifications yet, and we keep that distinction explicit here.

ForgeGuard: 8-Stage Security Pipeline

Every request passes through eight security stages before, during, and after LLM processing.

Pre-Gate

Authorization

SpiceDB (Zanzibar-style) permission checks combined with OPA + Rego policy evaluation. Sub-5ms authorization decisions before any request processing begins.

Gate + Agent-Vault

API key validation, rate limiting, and credential protection via Agent-Vault. Ensures all credentials are isolated and never exposed to downstream processors.

Input Scan

Multi-layer input analysis: LlamaFirewall (primary), DeBERTa-v3 semantic analysis, LLM Guard, Presidio PII detection, and PromptGuard 2 for injection prevention.

Vector Protection

Guards against prompt injection through vector embeddings. Validates embedding integrity and prevents poisoned vector retrieval attacks.

Secure Route

Ensures requests are routed only to authorized providers with appropriate security classifications. Enforces data residency and compliance requirements.

Output Scan

Post-generation scanning of all LLM outputs for PII leakage, harmful content, and policy violations using LLM Guard and Presidio.

Audit (Augustus)

Adversarial probing with Augustus to continuously test defenses. Every request generates an audit trail for compliance and forensic analysis.

MCP Security

MCP tool scanning via mcp-scan. Validates tool provenance, checks for tampering, and enforces supply chain security for all MCP module calls.

Infrastructure Security

Defense in depth from cloud infrastructure through authentication and authorization.

Cloud Infrastructure

Oracle Cloud ARM64 with network security groups
All data encrypted at rest (AES-256)
All data encrypted in transit (TLS 1.3)
Cloudflare Tunnel for zero-trust edge access
Internal-only ports for all sidecar services
Regular security patching and vulnerability scanning

Authentication

Clerk for dashboard authentication
SSO / SAML / SCIM for enterprise
Multi-factor authentication (MFA)
WebAuthn / passkey support
API key rotation and scoping
Session management with automatic expiry

Authorization

SpiceDB (Google Zanzibar) for relationship-based access control
OPA + Rego for policy-as-code evaluation (<2ms WASM)
OPAL for real-time policy distribution
CASL abilities for dashboard UI permissions
Per-agent privilege scoping
Multi-tenancy isolation at every layer

Compliance Roadmap

We are building toward comprehensive compliance certifications for regulated industries.

SOC 2 Type I

In Progress

Point-in-time assessment of security controls. Target completion in 2026.

SOC 2 Type II

Planned

Ongoing effectiveness assessment over a 6-12 month observation period.

HIPAA BAA

Available

Business Associate Agreements available for Enterprise tier healthcare customers.

EU AI Act

In Progress

Compliance via Probo + EuConform integration for high-risk AI system requirements.

GDPR

Compliant

Full GDPR compliance including data subject rights, DPA, and data residency routing.

CCPA

Compliant

California Consumer Privacy Act compliance with opt-out and data deletion rights.

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a security issue in Optima Forge, we ask that you disclose it responsibly so we can address it before it affects our users.

Report vulnerabilities to [email protected]
Include steps to reproduce, impact assessment, and suggested fix
Allow up to 90 days for remediation before public disclosure
We will credit reporters in our security advisories (with permission)

security.txt

Our security.txt file is available at the standard well-known URI, following RFC 9116 for security vulnerability disclosure.

Contact: mailto:[email protected]

Expires: 2027-03-01T00:00:00.000Z

Preferred-Languages: en

Canonical: https://optimaforge.ai/.well-known/security.txt

Available at https://optimaforge.ai/.well-known/security.txt

Security Questions?

For security inquiries, vulnerability reports, or to request our SOC 2 report, contact our security team directly.

Open security contact draft Visit Trust Center

Security

Security built into every layer

An 8-stage security pipeline, enterprise authorization, and compliance-ready infrastructure protect every request.

The labels below mix live controls and roadmap items. Planned and in-progress compliance states are not certifications yet, and we keep that distinction explicit here.

ForgeGuard: 8-Stage Security Pipeline

Every request passes through eight security stages before, during, and after LLM processing.

Pre-Gate

Authorization

SpiceDB (Zanzibar-style) permission checks combined with OPA + Rego policy evaluation. Sub-5ms authorization decisions before any request processing begins.

Gate + Agent-Vault

API key validation, rate limiting, and credential protection via Agent-Vault. Ensures all credentials are isolated and never exposed to downstream processors.

Input Scan

Multi-layer input analysis: LlamaFirewall (primary), DeBERTa-v3 semantic analysis, LLM Guard, Presidio PII detection, and PromptGuard 2 for injection prevention.

Vector Protection

Guards against prompt injection through vector embeddings. Validates embedding integrity and prevents poisoned vector retrieval attacks.

Secure Route

Ensures requests are routed only to authorized providers with appropriate security classifications. Enforces data residency and compliance requirements.

Output Scan

Post-generation scanning of all LLM outputs for PII leakage, harmful content, and policy violations using LLM Guard and Presidio.

Audit (Augustus)

Adversarial probing with Augustus to continuously test defenses. Every request generates an audit trail for compliance and forensic analysis.

MCP Security

MCP tool scanning via mcp-scan. Validates tool provenance, checks for tampering, and enforces supply chain security for all MCP module calls.

Infrastructure Security

Defense in depth from cloud infrastructure through authentication and authorization.

Cloud Infrastructure

Oracle Cloud ARM64 with network security groups
All data encrypted at rest (AES-256)
All data encrypted in transit (TLS 1.3)
Cloudflare Tunnel for zero-trust edge access
Internal-only ports for all sidecar services
Regular security patching and vulnerability scanning

Authentication

Clerk for dashboard authentication
SSO / SAML / SCIM for enterprise
Multi-factor authentication (MFA)
WebAuthn / passkey support
API key rotation and scoping
Session management with automatic expiry

Authorization

SpiceDB (Google Zanzibar) for relationship-based access control
OPA + Rego for policy-as-code evaluation (<2ms WASM)
OPAL for real-time policy distribution
CASL abilities for dashboard UI permissions
Per-agent privilege scoping
Multi-tenancy isolation at every layer

Compliance Roadmap

We are building toward comprehensive compliance certifications for regulated industries.

SOC 2 Type I

In Progress

Point-in-time assessment of security controls. Target completion in 2026.

SOC 2 Type II

Planned

Ongoing effectiveness assessment over a 6-12 month observation period.

HIPAA BAA

Available

Business Associate Agreements available for Enterprise tier healthcare customers.

EU AI Act

In Progress

Compliance via Probo + EuConform integration for high-risk AI system requirements.

GDPR

Compliant

Full GDPR compliance including data subject rights, DPA, and data residency routing.

CCPA

Compliant

California Consumer Privacy Act compliance with opt-out and data deletion rights.

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a security issue in Optima Forge, we ask that you disclose it responsibly so we can address it before it affects our users.

Report vulnerabilities to [email protected]
Include steps to reproduce, impact assessment, and suggested fix
Allow up to 90 days for remediation before public disclosure
We will credit reporters in our security advisories (with permission)

security.txt

Our security.txt file is available at the standard well-known URI, following RFC 9116 for security vulnerability disclosure.

Contact: mailto:[email protected]

Expires: 2027-03-01T00:00:00.000Z

Preferred-Languages: en

Canonical: https://optimaforge.ai/.well-known/security.txt

Available at https://optimaforge.ai/.well-known/security.txt

Security Questions?

For security inquiries, vulnerability reports, or to request our SOC 2 report, contact our security team directly.

Open security contact draft Visit Trust Center