Compliance

Audit-Ready from Day One.

FORG is built around a compliance-first architecture: tamper-evident audit logs, k-anonymity guarantees, and zero payload logging by default. SOC 2, GDPR, and HIPAA controls are not retrofits; they are the foundation.

SOC 2 Type II: Ready
GDPR: Compliant
HIPAA: Enterprise add-on
k-anonymity: ≥ 5 guaranteed

Compliance frameworks

Enterprise-grade controls across the frameworks that matter most.

SOC 2 Type II

Ready

Covers Availability, Security, and Confidentiality trust service criteria. Third-party audit report available on request under NDA.

Audit log export (CSV / JSON / SIEM)
Role-based access controls
Incident log with severity tags
Configurable retention up to 7 years

GDPR

Compliant

Data Processing Agreement (DPA) available. EU Workers option keeps all data inside European Economic Area infrastructure.

EU or US data residency (your choice)
Right-to-erasure API endpoint
DPA signed on request
No cross-border transfers by default

HIPAA

Enterprise add-on

Available on Enterprise plans. Business Associate Agreement (BAA) provided. PHI handling restrictions enforced by policy engine.

BAA signed at contract
PHI fields stripped from telemetry
Dedicated HIPAA-scoped workspace
Audit trail meets § 164.312 requirements

Every session. Every decision. Forever.

Append-only, hash-chained audit log. Tamper-evident by construction — no trust required.

audit.log (live tail)

| Timestamp | User | Action | Model | Tokens | Cost | Rule triggered | Outcome |
|---|---|---|---|---|---|---|---|
| 2025-05-29 09:14:02 | alice@corp.com | session_end | claude-opus-4 | 18,341 | $0.55 | none | allowed |
| 2025-05-29 09:14:55 | bob@corp.com | session_blocked | gpt-4o | 0 | $0.00 | model_blocked | blocked |
| 2025-05-29 10:01:33 | carol@corp.com | session_end | claude-sonnet-4 | 54,200 | $1.63 | budget_alert | alerted |
| 2025-05-29 10:22:18 | dave@corp.com | session_end | gemini-2.5-pro | 9,870 | $0.29 | none | allowed |
| 2025-05-29 11:05:44 | eve@corp.com | session_blocked | claude-opus-4 | 0 | $0.00 | time_rule | blocked |
| 2025-05-29 11:31:07 | frank@corp.com | session_end | gpt-4o | 31,500 | $0.95 | none | allowed |
| 2025-05-29 12:00:00 | grace@corp.com | session_end | claude-sonnet-4 | 72,100 | $2.16 | budget_alert | alerted |
| 2025-05-29 12:44:51 | henry@corp.com | session_blocked | o3 | 0 | $0.00 | model_blocked | blocked |
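
What "tamper-evident" means for the hash-chained log described above, shown as an added Python example that is not FORG's own code. The record layout, the `GENESIS` value, the function names and the idea of keeping the latest hash outside the log are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the first link


def link_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so a record always hashes
    # to the same bytes; the previous link's hash is bound into this one.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + body).encode("utf-8")).hexdigest()


def append(chain: list, record: dict) -> None:
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": link_hash(prev, record)})


def verify(chain: list, anchored_head: str):
    """Return (ok, reason). anchored_head is the latest hash, kept outside the log."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return False, f"entry {i}: broken link (record removed or reordered)"
        if link_hash(prev, entry["record"]) != entry["hash"]:
            return False, f"entry {i}: record does not match its hash"
        prev = entry["hash"]
    if prev != anchored_head:
        return False, "head mismatch (log truncated or fully rewritten)"
    return True, "ok"


def build_sample() -> list:
    # Constructed records using metadata fields of the kind listed on this page.
    rows = [
        ("2024-01-15T09:14:02Z", "usr_a3f9", "claude-sonnet-4", 0.18, "none", "allowed"),
        ("2024-01-15T09:31:55Z", "usr_b7d2", "gpt-4o", 0.00, "model_blocked", "blocked"),
        ("2024-01-15T10:05:07Z", "usr_c1e8", "claude-opus-4", 1.12, "budget_alert", "alerted"),
    ]
    chain = []
    for ts, user_id, model, cost_usd, rule, outcome in rows:
        append(chain, {"ts": ts, "user_id": user_id, "model": model,
                       "cost_usd": cost_usd, "rule": rule, "outcome": outcome})
    return chain
```

An edited or removed record fails at the first affected entry; a truncated or wholly recomputed log is only caught by the comparison against the separately held head hash.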

Privacy by architecture, not policy

Payload logging is off by default. The adapter emits only metadata. What is — and is never — stored is structural, not configurable.

What is stored

ts: Session timestamp (UTC)
model: Model identifier
tokens_in / tokens_out: Token counts
latency_ms: End-to-end latency
cost_usd: Computed cost
user_id: Opaque hash, never email
project_id / session_id: Scoped identifiers
error_code: HTTP / provider error

What is never stored

Prompt content (user messages)
Response content (completions)
PII of any kind
Raw HTTP payloads
File attachments or code context
System prompt contents

k-anonymity ≥ 5: Aggregate queries require at least 5 members in the bucket. Buckets with fewer members return HTTP 422. Individual data never surfaces upward.

Data residency

Your data stays where you need it. No hidden cross-region transfers.

🇺🇸

United States

Default

Cloudflare D1 + Supabase US (us-east-1). All processing and storage within US borders. Default for all plans.

🇪🇺

European Union

GDPR

Cloudflare EU Workers (Frankfurt). Supabase EU region. Stays within EEA. Required for GDPR-strict deployments. Available on Business+.

🏢

Custom / BYOC

Enterprise

Bring your own cloud. Deploy the Rule Engine Worker and Supabase instance inside your VPC. Full data sovereignty. Contact Enterprise sales.

Principle of least privilege

No role can view another individual's raw data. Access is scoped to the minimum required for each function.

Role | Own data | Team aggregates | Org aggregates | Individual data of others
Individual
Team lead
Org admin
Billing admin | Billing only

Audit export

Export your full audit history on demand. Supports CSV, JSON, and NDJSON. Pipe directly into Splunk, Datadog, or your own SIEM. Signed exports include a SHA-256 manifest for integrity verification.

CSV, JSON, NDJSON output formats
SHA-256 integrity manifest included
Date range and user filters
Streaming export for large datasets
Terminal
$ forg audit export --from 2024-01-01 --format csv
Exporting audit log 2024-01-01 → 2025-05-29 ...
✓ 142,883 records exported
✓ SHA-256: a3f9c2…d841e7
Written to: forg-audit-2024-01-01.csv
# Sample output:
ts,user_id,model,tokens_in,tokens_out,cost_usd,rule,outcome
2024-01-15T09:14:02Z,usr_a3f9,claude-sonnet-4,4210,1832,0.18,none,allowed
2024-01-15T09:31:55Z,usr_b7d2,gpt-4o,0,0,0.00,model_blocked,blocked
2024-01-15T10:05:07Z,usr_c1e8,claude-opus-4,9182,4420,1.12,budget_alert,alerted

Get your compliance documentation

SOC 2 report, GDPR DPA, and HIPAA BAA available for Business and Enterprise plans. Our security team can join your review call.
UpgradIQ, Inc. — legal entity for all compliance agreements.