GDPR
FORG is designed to support your organization's GDPR compliance obligations. This page covers FORG's role as a data processor, the personal data we handle, and the tools available for data controller obligations.
Data processing roles
For personal data processed within FORG (primarily user profile data and activity associated with a developer identity):
- Your organization is the data controller — you determine why and how developer identity data is processed within FORG.
- FORG (UpgradIQ, Inc.) is the data processor — we process personal data only as instructed by your organization, as set out in the Data Processing Agreement.
Personal data processed
| Data type | Purpose | Retention |
|---|---|---|
| Name, email | User account and identity | Duration of account |
| IP address | Audit log, fraud prevention | 90 days |
| Usage telemetry (model, tokens) | Cost and usage analytics | Per retention policy |
| Session identifiers | Session continuity and attribution | 90 days after session end |
FORG does not process prompt text, completions, or any content generated by or sent to AI models. Only metadata is collected.
Legal basis for processing
FORG processes personal data under the following legal bases:
- Contract performance — processing necessary to provide the FORG service
- Legitimate interests — security monitoring, fraud prevention, service improvement
- Legal obligation — compliance with applicable law (e.g., financial record-keeping)
Data subject rights
As a data controller, your organization is responsible for handling data subject requests from your employees. FORG provides the following tools to help:
| Right | How to fulfill |
|---|---|
| Access | Export user data via Dashboard → Settings → Data Export |
| Rectification | Update user profiles via Dashboard or SCIM |
| Erasure | Delete user via Dashboard; pseudonymizes signal data linked to the user |
| Portability | Export user data as JSON via the API or Dashboard |
| Restriction | Suspend user account to stop new processing |
| Objection | Contact hello@forg.pro |
Data transfers
FORG is headquartered in the United States. For EU customers, data transfers to the US are governed by the EU Standard Contractual Clauses (SCCs), which are included in the Data Processing Agreement.
To keep data within the EU, configure data residency to the eu region. See the Data Residency page for details.
Data Processing Agreement
A DPA is available to all Enterprise customers. Request one at hello@forg.pro. The DPA includes:
- Description of processing activities
- Technical and organizational security measures (TOMs)
- Sub-processor list and notification process
- EU Standard Contractual Clauses (Module 2: controller to processor)