Forge is preparing the requested surface and verifying the live route.

Trust Center

Security & compliance transparency

Our commitment to protecting your data, meeting compliance requirements, and maintaining operational excellence.

The status labels below describe current progress and roadmap timing, not finished certifications. If you need procurement materials, start with the trust center and security contact paths below.

Compliance Status

Current status of our compliance certifications and regulatory adherence.

SOC 2 Type I

In Progress

Point-in-time assessment of the design of security, availability, and confidentiality controls.

Q3 2026

SOC 2 Type II

Planned

Ongoing assessment of the operational effectiveness of controls over a 6-12 month observation period.

Q1 2027

HIPAA

BAA Available

Business Associate Agreements available for Enterprise tier healthcare customers. HIPAA-compliant data handling and access controls.

Available now

EU AI Act

In Progress

Compliance with the EU AI Act requirements for high-risk AI systems, implemented via Probo and EuConform integration.

Q4 2026

GDPR

Compliant

Full compliance with the General Data Protection Regulation, including data subject rights, data minimization, and lawful processing.

Active

CCPA

Compliant

California Consumer Privacy Act compliance with opt-out rights, data deletion, and transparency in data collection practices.

Active

ISO 27001

Planned

International standard for information security management systems (ISMS). Certification planned after SOC 2 Type II completion.

2027

OWASP Agentic Top 10

Implemented

All 10 OWASP Agentic security risks mapped and mitigated through the ForgeGuard pipeline and Forge Shield subsystem.

Active

Certification Timeline

Our roadmap to comprehensive security certifications.

Q1 2026

GDPR and CCPA compliance established

Q1 2026

OWASP Agentic Top 10 coverage implemented

Q1 2026

HIPAA BAA available for Enterprise tier

Q2 2026

SOC 2 Type I audit begins

Q3 2026

SOC 2 Type I report expected

Q4 2026

EU AI Act compliance framework complete

Q4 2026

SOC 2 Type II observation period begins

Q1 2027

SOC 2 Type II report expected

2027

ISO 27001 certification process begins

Infrastructure Security

Defense-in-depth across infrastructure, encryption, access control, and monitoring.

Primary Infrastructure

Oracle Cloud ARM64 (8 OCPU, 48GB RAM)
Cloudflare Tunnel for zero-trust edge access
Observed Docker sidecar services on this host: qdrant, neo4j, redis, and nats
All internal ports isolated (no public exposure)
Only ports 3402 (API) and 3403 (Dashboard) exposed via tunnel

Encryption

Data at rest: AES-256 encryption
Data in transit: TLS 1.3 for all connections
API keys: Agent-Vault with credential isolation
Database: Turso/libSQL with embedded replicas
Secrets management: .env file (chmod 600)

Access Control

SpiceDB: Zanzibar-style relationship-based access
OPA + Rego: Policy-as-code (<2ms WASM eval)
OPAL: Real-time policy distribution
Clerk: SSO, SAML, SCIM, MFA, WebAuthn
Multi-tenancy isolation at every layer

Monitoring & Detection

Langfuse: Full request tracing and analytics
Augustus: Adversarial security probing
8-stage ForgeGuard pipeline on every request
Real-time anomaly detection and alerting
Forge Circuit: Runaway agent cost detection

Audit Reports

Compliance audit reports are available to Enterprise customers and prospective customers under NDA. Available reports include:

SOC 2 Type I report (available upon completion)
Security architecture review documentation
Data flow diagrams and processing descriptions
Sub-processor list and DPA documentation

Contact [email protected] to request access.

Penetration Testing

We conduct regular penetration testing and vulnerability assessments to validate our security posture:

Annual third-party penetration testing
Continuous automated vulnerability scanning
Augustus adversarial probing (ongoing, automated)
OWASP Agentic Top 10 coverage validation
MCP supply chain security audits

Pen test executive summaries available to Enterprise customers under NDA.

Vendor Security Assessments

We understand that evaluating vendor security is a critical part of your procurement process. We are prepared to support your security assessment through:

Completion of your vendor security questionnaires (SIG, CAIQ, HECVAT, or custom)
Architecture review sessions with our security engineering team
Custom DPA and data processing documentation
Sub-processor impact assessments and data flow documentation
Business continuity and disaster recovery documentation
Source code auditing (BSL 1.1 -- code is fully available for review)

Enterprise customers with custom security requirements should contact their account team or reach out to [email protected].

Security & Compliance Questions?

Our security team is available to discuss your compliance requirements, review our security posture, and support your vendor assessment process.

Open security review draft Security Practices General contact

Trust Center

Security & compliance transparency

Our commitment to protecting your data, meeting compliance requirements, and maintaining operational excellence.

The status labels below describe current progress and roadmap timing, not finished certifications. If you need procurement materials, start with the trust center and security contact paths below.

Compliance Status

Current status of our compliance certifications and regulatory adherence.

SOC 2 Type I

In Progress

Point-in-time assessment of the design of security, availability, and confidentiality controls.

Q3 2026

SOC 2 Type II

Planned

Ongoing assessment of the operational effectiveness of controls over a 6-12 month observation period.

Q1 2027

HIPAA

BAA Available

Business Associate Agreements available for Enterprise tier healthcare customers. HIPAA-compliant data handling and access controls.

Available now

EU AI Act

In Progress

Compliance with the EU AI Act requirements for high-risk AI systems, implemented via Probo and EuConform integration.

Q4 2026

GDPR

Compliant

Full compliance with the General Data Protection Regulation, including data subject rights, data minimization, and lawful processing.

Active

CCPA

Compliant

California Consumer Privacy Act compliance with opt-out rights, data deletion, and transparency in data collection practices.

Active

ISO 27001

Planned

International standard for information security management systems (ISMS). Certification planned after SOC 2 Type II completion.

2027

OWASP Agentic Top 10

Implemented

All 10 OWASP Agentic security risks mapped and mitigated through the ForgeGuard pipeline and Forge Shield subsystem.

Active

Certification Timeline

Our roadmap to comprehensive security certifications.

Q1 2026

GDPR and CCPA compliance established

Q1 2026

OWASP Agentic Top 10 coverage implemented

Q1 2026

HIPAA BAA available for Enterprise tier

Q2 2026

SOC 2 Type I audit begins

Q3 2026

SOC 2 Type I report expected

Q4 2026

EU AI Act compliance framework complete

Q4 2026

SOC 2 Type II observation period begins

Q1 2027

SOC 2 Type II report expected

2027

ISO 27001 certification process begins

Infrastructure Security

Defense-in-depth across infrastructure, encryption, access control, and monitoring.

Primary Infrastructure

Oracle Cloud ARM64 (8 OCPU, 48GB RAM)
Cloudflare Tunnel for zero-trust edge access
Observed Docker sidecar services on this host: qdrant, neo4j, redis, and nats
All internal ports isolated (no public exposure)
Only ports 3402 (API) and 3403 (Dashboard) exposed via tunnel

Encryption

Data at rest: AES-256 encryption
Data in transit: TLS 1.3 for all connections
API keys: Agent-Vault with credential isolation
Database: Turso/libSQL with embedded replicas
Secrets management: .env file (chmod 600)

Access Control

SpiceDB: Zanzibar-style relationship-based access
OPA + Rego: Policy-as-code (<2ms WASM eval)
OPAL: Real-time policy distribution
Clerk: SSO, SAML, SCIM, MFA, WebAuthn
Multi-tenancy isolation at every layer

Monitoring & Detection

Langfuse: Full request tracing and analytics
Augustus: Adversarial security probing
8-stage ForgeGuard pipeline on every request
Real-time anomaly detection and alerting
Forge Circuit: Runaway agent cost detection

Audit Reports

Compliance audit reports are available to Enterprise customers and prospective customers under NDA. Available reports include:

SOC 2 Type I report (available upon completion)
Security architecture review documentation
Data flow diagrams and processing descriptions
Sub-processor list and DPA documentation

Contact [email protected] to request access.

Penetration Testing

We conduct regular penetration testing and vulnerability assessments to validate our security posture:

Annual third-party penetration testing
Continuous automated vulnerability scanning
Augustus adversarial probing (ongoing, automated)
OWASP Agentic Top 10 coverage validation
MCP supply chain security audits

Pen test executive summaries available to Enterprise customers under NDA.

Vendor Security Assessments

We understand that evaluating vendor security is a critical part of your procurement process. We are prepared to support your security assessment through:

Completion of your vendor security questionnaires (SIG, CAIQ, HECVAT, or custom)
Architecture review sessions with our security engineering team
Custom DPA and data processing documentation
Sub-processor impact assessments and data flow documentation
Business continuity and disaster recovery documentation
Source code auditing (BSL 1.1 -- code is fully available for review)

Enterprise customers with custom security requirements should contact their account team or reach out to [email protected].

Security & Compliance Questions?

Our security team is available to discuss your compliance requirements, review our security posture, and support your vendor assessment process.

Open security review draft Security Practices General contact