Trust & Compliance

We take your data obligations seriously

FORG is designed to process metadata about AI usage, not prompt or completion content. This page documents our security posture, compliance certifications, data handling practices, and sub-processor list.

Compliance status

SOC 2 Type II
Q3 2026 (Type I)In progress
GDPR
CurrentCompliant
CCPA
CurrentCompliant
HIPAA BAA
EnterpriseAvailable
ISO 27001
2027Planned

For SOC 2 report requests or compliance questionnaires, contact hello@forg.pro. For uptime commitments and support SLAs, see the SLA page.

What FORG collects

FORG signal schema v3 is designed around the following metadata fields. The agent binary is open-source-auditable, and the signal emission code is in agent/internal/emit/.

FieldTypeDescription
session_idstring (UUID)Ephemeral session identifier. Not linked to identity.
adapterstringWorkspace type used for the session
modelstringModel class or provider-reported identifier, normalized in user dashboards
tsint64 (unix ms)Event timestamp
tokens.inputintInput token count
tokens.outputintOutput token count
tokens.cache_readintTokens served from cache
tokens.cache_writeintTokens written to cache
cost_usdfloatComputed cost in USD
latency_ms.ttftintTime-to-first-token in ms
latency_ms.totalintTotal response latency in ms
dimensions.userstring (hashed)User identifier (hashed, not plaintext email)
dimensions.projectstringProject / repo name
dimensions.teamstringTeam identifier
dimensions.environmentstringEnvironment (e.g., 'dev', 'ci')

What FORG never collects

  • → Prompt text or system prompts
  • → Completion content
  • → File contents or code snippets
  • → User messages or conversation history
  • → API keys or authentication credentials

Data retention

PlanSignal dataAudit logsEvent logs
Developer ($9/mo)30 days1 year30 days
Professional ($14/mo)12 months2 years90 days
Team ($19/mo+)24 months2 years90 days
Business ($39/mo+)Unlimited3 years1 year
Enterprise (custom)ConfigurableConfigurableConfigurable

Sub-processors

FORG uses the following sub-processors. We notify customers of sub-processor changes with 30 days advance notice.

Cloudflare, Inc.

Edge compute (Workers), TLS termination, DDoS mitigation

US / Global
Privacy policy

Supabase, Inc.

PostgreSQL database and vector storage for product metadata

US (default), EU (residency option)
Privacy policy

Amazon Web Services

SES transactional email (license notifications, alerts)

US East
Privacy policy

Vercel, Inc.

Next.js site hosting (forg.pro marketing + dashboard)

US / Global
Privacy policy

Legal documents

Privacy Policy

How we collect, use, and protect your data.

Terms of Service

Rules governing use of FORG.

Data Processing Agreement

GDPR DPA for Business+ customers.

Business Associate Agreement

HIPAA BAA for Enterprise customers.

Cookie Policy

How forg.pro uses cookies.