
HIPAA

FORG Enterprise supports HIPAA-covered customers through technical, administrative, and physical safeguards aligned with the HIPAA Security Rule. A Business Associate Agreement (BAA) is available for Enterprise customers.

Is FORG HIPAA-eligible?

FORG does not process Protected Health Information (PHI) by default. Signal telemetry consists of model names, token counts, latency, and cost metadata — not prompt content or completions. FORG is designed so that PHI does not transit the FORG system at any point.

However, if your organization is a covered entity or business associate and requires a BAA as a matter of policy (e.g., due to employee role classification or data handling policies), FORG will execute a BAA with Enterprise customers.

Technical safeguards

| Safeguard | Implementation |
| --- | --- |
| Access controls | Role-based access, SSO enforcement, MFA support |
| Audit controls | Immutable audit log, 90-day retention minimum |
| Encryption in transit | TLS 1.2+ on all connections; no unencrypted paths |
| Encryption at rest | AES-256 encryption for all stored data |
| Session management | Configurable session timeouts, automatic logout |
| Unique user identification | Each account has a unique ID; shared credentials not supported |
| Automatic logoff | Configurable idle session timeout (default: 1 hour) |

Administrative safeguards

  • FORG employees with access to production data complete annual HIPAA training
  • Access to customer data requires approval and is logged
  • Incident response procedures include HIPAA breach notification timelines
  • Sub-processor agreements include HIPAA-appropriate data handling clauses

Requesting a BAA

BAAs are available to Enterprise plan customers. To request a BAA, email hello@forg.pro with your organization name and the name of your legal contact. We typically return a signed BAA within 5 business days.

Configuration for HIPAA environments

If your FORG deployment is in scope for HIPAA, we recommend the following configuration:

  • Enable SSO with enforcement (no password-based login)
  • Enable MFA for all admin accounts
  • Set session timeout to 1 hour or less
  • Enable audit log SIEM streaming
  • Restrict API key creation to admin role only
  • Set data residency to us (if required by your BAA)
© 2026 UpgradIQ, Inc.