Trust Center

Security & compliance transparency

Our commitment to protecting your data, meeting compliance requirements, and maintaining operational excellence.

Compliance Status

Current status of our compliance certifications and regulatory adherence.

SOC 2 Type I

In Progress

Point-in-time assessment of the design of security, availability, and confidentiality controls.

Q3 2026

SOC 2 Type II

Planned

Ongoing assessment of the operational effectiveness of controls over a 6-12 month observation period.

Q1 2027

HIPAA

BAA Available

Business Associate Agreements available for Enterprise tier healthcare customers. HIPAA-compliant data handling and access controls.

Available now

EU AI Act

In Progress

Compliance with the EU AI Act requirements for high-risk AI systems, implemented via Probo and EuConform integration.

Q4 2026

GDPR

Compliant

Full compliance with the General Data Protection Regulation, including data subject rights, data minimization, and lawful processing.

Active

CCPA

Compliant

California Consumer Privacy Act compliance with opt-out rights, data deletion, and transparency in data collection practices.

Active

ISO 27001

Planned

International standard for information security management systems (ISMS). Certification planned after SOC 2 Type II completion.

2027

OWASP Agentic Top 10

Implemented

All 10 OWASP Agentic security risks mapped and mitigated through the ForgeGuard pipeline and Forge Shield subsystem.

Active

Certification Timeline

Our roadmap to comprehensive security certifications.

  • Q1 2026: GDPR and CCPA compliance established
  • Q1 2026: OWASP Agentic Top 10 coverage implemented
  • Q1 2026: HIPAA BAA available for Enterprise tier
  • Q2 2026: SOC 2 Type I audit begins
  • Q3 2026: SOC 2 Type I report expected
  • Q4 2026: EU AI Act compliance framework complete
  • Q4 2026: SOC 2 Type II observation period begins
  • Q1 2027: SOC 2 Type II report expected
  • 2027: ISO 27001 certification process begins

Infrastructure Security

Defense-in-depth across infrastructure, encryption, access control, and monitoring.

Primary Infrastructure

  • Oracle Cloud ARM64 (8 OCPU, 48GB RAM)
  • Cloudflare Tunnel for zero-trust edge access
  • 15 Docker sidecar services running locally
  • All internal ports isolated (no public exposure)
  • Only ports 3402 (API) and 3403 (Dashboard) exposed via tunnel

Encryption

  • Data at rest: AES-256 encryption
  • Data in transit: TLS 1.3 for all connections
  • API keys: Agent-Vault with credential isolation
  • Database: Turso/libSQL with embedded replicas
  • Secrets management: .env file (chmod 600)

Access Control

  • SpiceDB: Zanzibar-style relationship-based access
  • OPA + Rego: Policy-as-code (<2ms WASM eval)
  • OPAL: Real-time policy distribution
  • Clerk: SSO, SAML, SCIM, MFA, WebAuthn
  • Multi-tenancy isolation at every layer

Monitoring & Detection

  • Langfuse: Full request tracing and analytics
  • Augustus: Adversarial security probing
  • 8-stage ForgeGuard pipeline on every request
  • Real-time anomaly detection and alerting
  • Forge Circuit: Runaway agent cost detection

Audit Reports

Compliance audit reports are available to Enterprise customers and prospective customers under NDA. Available reports include:

  • SOC 2 Type I report (available upon completion)
  • Security architecture review documentation
  • Data flow diagrams and processing descriptions
  • Sub-processor list and DPA documentation

Contact security@optima-forge.com to request access.

Penetration Testing

We conduct regular penetration testing and vulnerability assessments to validate our security posture:

  • Annual third-party penetration testing
  • Continuous automated vulnerability scanning
  • Augustus adversarial probing (ongoing, automated)
  • OWASP Agentic Top 10 coverage validation
  • MCP supply chain security audits

Pen test executive summaries available to Enterprise customers under NDA.

Vendor Security Assessments

We understand that evaluating vendor security is a critical part of your procurement process. We are prepared to support your security assessment through:

  • Completion of your vendor security questionnaires (SIG, CAIQ, HECVAT, or custom)
  • Architecture review sessions with our security engineering team
  • Custom DPA and data processing documentation
  • Sub-processor impact assessments and data flow documentation
  • Business continuity and disaster recovery documentation
  • Source code auditing (BSL 1.1 -- code is fully available for review)

Enterprise customers with custom security requirements should contact their account team or reach out to security@optima-forge.com.

Security & Compliance Questions?

Our security team is available to discuss your compliance requirements, review our security posture, and support your vendor assessment process.