SOC 2 Type II
FORG (UpgradIQ, Inc.) is working toward SOC 2 Type II certification covering the Security, Availability, and Confidentiality trust service criteria. The controls and architecture described below are in place; the formal audit is in progress and not yet complete.
Scope
The SOC 2 Type II report covers the following systems:
- FORG Rule Engine Worker (forg.pro/engine/*)
- License and identity Worker (forg.pro/agent/*)
- FORG dashboard (forg.pro)
- Signal telemetry storage (Supabase / PostgreSQL)
- The forg CLI agent and key management components
Trust service criteria
| Criteria | Status | Key controls |
|---|---|---|
| Security (CC) | In scope | Access control, encryption, vulnerability management, incident response |
| Availability (A) | In scope | Uptime monitoring, redundancy, capacity planning, DR testing |
| Confidentiality (C) | In scope | Data classification, encryption at rest, access logging |
| Processing Integrity (PI) | Not in scope | — |
| Privacy (P) | Not in scope | Covered by DPA / GDPR documentation |
Security controls summary
Access management
- All production access requires MFA and is logged in the audit trail
- Principle of least privilege enforced via role-based access controls
- Production access is reviewed quarterly; terminated employee access is revoked within 24 hours
- Privileged actions require a second approver (4-eyes principle)
Data protection
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Encryption keys are managed via Cloudflare KMS with annual rotation
- Backups are encrypted and tested quarterly for restore integrity
- Signal data contains only metadata — no prompt or completion content is ever stored
Vulnerability management
- Automated dependency scanning on every pull request via Dependabot
- Annual third-party penetration test; findings remediated within SLA
- Critical patches are deployed within 48 hours of disclosure
- Static analysis (CodeQL) runs on all code changes
Incident response
- Documented incident response plan with defined severity levels and escalation paths
- Security incidents are investigated within 1 hour for SEV1/SEV2
- Customer notification for material security events within 72 hours
- Post-mortems published for SEV1 incidents within 5 business days
Requesting the SOC 2 report
Once the SOC 2 Type II audit is complete, the full report will be available to Enterprise plan customers and prospective customers under NDA. To be notified when the report is available or to discuss our compliance posture:
- Email hello@forg.pro with your organization name and the requester's name and title
- We will send an NDA for electronic signature via DocuSign
- The report is shared via a secure link within 2 business days of NDA execution
Continuous compliance
FORG uses continuous compliance monitoring to maintain SOC 2 controls between annual audits. Control evidence is collected automatically and reviewed weekly by the security team. Our current compliance posture is visible on status.forg.pro.