Guide

Compliance Setup

This guide covers the FORG configuration steps that matter most for common compliance frameworks. It is not a comprehensive compliance program — consult your security and legal teams for framework-specific requirements.

SOC 2 readiness

For organizations pursuing SOC 2, the following FORG controls are relevant:

| SOC 2 criterion | FORG control | Where to configure |
| --- | --- | --- |
| CC6.1 — Logical access | SSO enforcement, MFA, role-based access | Settings → SSO, Settings → Roles |
| CC6.2 — Provisioning | SCIM provisioning, user lifecycle management | Settings → SCIM |
| CC6.3 — De-provisioning | SCIM deprovisioning, session revocation on removal | Settings → SCIM |
| CC7.2 — Monitoring | Audit log, anomaly alerts, budget rule triggers | Settings → Audit Log, Rules |
| CC7.3 — Incident detection | Webhook alerts on rule violations, anomaly detection | Rules → Actions |
| A1.1 — Availability | Uptime monitoring at status.forg.pro | |
| C1.1 — Confidentiality | BYOK encryption, data residency | Settings → Encryption, Settings → Data Residency |

ISO 27001

ISO 27001 Annex A controls addressed by FORG:

  • A.9 — Access control: SSO enforcement, SCIM, role-based access, MFA
  • A.10 — Cryptography: TLS 1.2+, AES-256 at rest, BYOK for customer key custody
  • A.12.4 — Logging: Immutable audit log with SIEM streaming
  • A.16 — Incident management: Webhook alerts, anomaly detection rules
  • A.18 — Compliance: DPA, SOC 2 report, GDPR tooling

HIPAA configuration checklist

If your org is in scope for HIPAA:

  • Enable SSO with enforcement (Settings → SSO → Enforcement: Required)
  • Require MFA for all admin accounts (Settings → Security → MFA)
  • Set session idle timeout ≤ 1 hour (Settings → Security → Session timeout)
  • Enable SCIM provisioning for automatic deprovisioning (Settings → SCIM)
  • Enable audit log SIEM streaming (Settings → Audit Log → Stream)
  • Request and execute BAA (email hello@forg.pro)

GDPR configuration checklist

  • Set data residency to eu if required (Settings → Data Residency)
  • Request and execute DPA (email hello@forg.pro)
  • Configure user data export workflow for DSARs (Settings → Data Export)
  • Review sub-processor list and update records of processing activities

Audit evidence for auditors

FORG's SOC 2 Type II report is available under NDA. For additional evidence, the following can be exported from the dashboard:

  • Audit log export (CSV or JSON, date-range filtered)
  • User access report (current roles and last login)
  • Active rules export (JSON)
  • SSO and SCIM configuration summary

© 2026 UpgradIQ, Inc.