Security, honestly.
This page lists what Forward has in place today, what we’re working toward with target dates, and what we explicitly do not have yet. We’d rather lose a deal because a procurement team needs SOC 2 today than win one on a claim we can’t back.
What we do today
- Encryption in transit — TLS 1.2+ on every connection to api.getforward.xyz and app.getforward.xyz. HSTS enforced.
- Encryption at rest — AES-256 on the managed PostgreSQL database (Render); SSE on object storage when enabled.
- OAuth-only platform integrations — Procore and Autodesk Construction Cloud connected via official OAuth. Forward never holds your platform passwords. Customer admins can revoke our access in either system at any time and we lose access immediately.
- Role-based access control — Five roles in the dashboard: owner, admin, billing_admin, pm, viewer. Project-level scoping for end users.
- Append-only audit log — Every API call, every inbound + outbound message, every approval, written to an append-only audit table. Customer admins can export their tenant’s full audit trail anytime.
- TOTP 2FA on the dashboard, available to every admin user.
- Passwordless sign-in — magic-link via Resend, with hashed one-time tokens (15-minute TTL, rate-limited at 5 requests per email per hour). No passwords stored.
- Idempotency + rate limiting on every public endpoint to defend against replay and abuse.
- SOC 2–attested vendors for the underlying stack: Anthropic (LLM inference), Render (hosting + database), Vercel (frontend), WorkOS (when enabled for SSO/SCIM).
- US-only data processing — all customer data stored and processed in US data centers.
- No training on customer data — we do not use customer messages, photos, or platform content to train any AI model. Anthropic’s commercial-API terms similarly prohibit training on customer data.
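The passwordless flow above (hashed one-time tokens, 15-minute TTL, 5 requests per email per hour) can be illustrated with the following added example. It is not Forward's code: the class name, in-memory storage and injectable clock are assumptions made so the behaviour can be exercised offline; only the token's SHA-256 digest is stored, so a leaked table cannot be replayed as a sign-in link.

```python
import hashlib
import secrets
import time

# Parameters as stated on the page: 15-minute TTL, 5 link requests per email per hour.
TOKEN_TTL_SECONDS = 15 * 60
RATE_LIMIT_MAX_REQUESTS = 5
RATE_LIMIT_WINDOW_SECONDS = 60 * 60


class RateLimited(Exception):
    """Raised when an email address has exhausted its hourly link budget."""


class MagicLinkService:
    """Hypothetical in-memory magic-link issuer (illustration, not Forward's code)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so TTL behaviour can be tested
        self._tokens = {}        # sha256(token) -> {"email", "expires_at", "used"}
        self._requests = {}      # email -> timestamps of recent link requests

    @staticmethod
    def _digest(raw_token: str) -> str:
        # Only this digest is ever persisted; the raw token exists in the email alone.
        return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()

    def request_link(self, email: str) -> str:
        """Mint a one-time token for `email`, enforcing the per-email rate limit."""
        now = self._clock()
        recent = [t for t in self._requests.get(email, [])
                  if now - t < RATE_LIMIT_WINDOW_SECONDS]
        if len(recent) >= RATE_LIMIT_MAX_REQUESTS:
            raise RateLimited(email)
        recent.append(now)
        self._requests[email] = recent
        raw_token = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._tokens[self._digest(raw_token)] = {
            "email": email, "expires_at": now + TOKEN_TTL_SECONDS, "used": False}
        return raw_token

    def redeem(self, raw_token: str):
        """Return the email for a valid, unexpired, unused token; otherwise None."""
        record = self._tokens.get(self._digest(raw_token))
        if record is None or record["used"] or self._clock() > record["expires_at"]:
            return None
        record["used"] = True  # single use: a replayed link is rejected
        return record["email"]
```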
What we're working toward — with target dates
- SOC 2 Type 1 attestation — controls implementation in progress. Target: month 6 from launch.
- SOC 2 Type 2 attestation — observation window starts when Type 1 issues. Target: month 12.
- Anthropic Zero-Data-Retention agreement — commercial-API customer data is already not used for training; the ZDR amendment additionally guarantees Anthropic deletes inputs after inference. We’ll execute this before our first enterprise contract.
- Third-party penetration test — first engagement scheduled for after SOC 2 Type 1. Report available under NDA when complete.
- Cyber + tech E&O insurance — coverage being placed before our first paid customer. We’ll provide a Certificate of Insurance under NDA on request after binding.
- Single-tenant deploy option — for Enterprise customers who require dedicated infrastructure or customer-managed encryption keys.
What we don't have yet
- SOC 2 report — not yet issued. Target dates above.
- ISO 27001 certification — not in plan for v1.
- FedRAMP, CMMC, NIST SP 800-171, or DFARS authorization — none. Forward is not authorized to process Controlled Unclassified Information (CUI), ITAR data, classified information, or any data subject to the above frameworks. If you work on federal jobsites where these regimes apply, do not enroll those projects in Forward. (See Terms §7.)
- HIPAA Business Associate Agreement — Forward is not a HIPAA Business Associate and does not enter into BAAs. Do not transmit Protected Health Information through the Service.
- EU/UK data residency — US-only today. EU customer availability depends on demand + appointing an EU representative; see Privacy §15.
- 24×7 SEV-1 paging on the Pro tier — Pro support is email, business hours, 1-business-day response. 24×7 paging is an Enterprise feature.
- Bug bounty program — not yet. We accept coordinated disclosure at security@getforward.xyz (PGP key on request) and will acknowledge within 5 business days.
How your data flows through the system
A field user texts our SendBlue number. The inbound webhook hits our FastAPI service on Render. The orchestrator pulls relevant context from your connected Procore + Autodesk accounts (only the specific RFI / drawing / spec / room properties needed to answer the question — never bulk export). The retrieved context plus the user’s question goes to Anthropic’s commercial API for inference. The reply is sent back via SendBlue. Every step is logged in your tenant’s audit table.
For draft writes (RFIs, observations), the orchestrator never posts back to Procore directly — it queues the draft for your PM to approve in the dashboard. Nothing reaches your system of record without a human in the loop.
Subprocessor list is in Privacy §7.1.
Reporting a vulnerability
Email security@getforward.xyz. Include enough detail to reproduce. We will acknowledge within 5 business days and provide a status update within 30 days. We don’t pay bug-bounty rewards yet but we publicly credit researchers who responsibly disclose unless they prefer to remain anonymous.
For procurement
We’re happy to fill out your security questionnaire (CAIQ / SIG / custom) under NDA. Send it to security@getforward.xyz; we target a 1–2 week turnaround. We can also share our DPA template, MSA template, and Service Level Schedule for Enterprise on request from legal@getforward.xyz.