Security is foundational, not optional.

Forte was founded by a former cloud security reviewer whose team led security reviews for production services at a major cloud provider. Security isn't an afterthought — it's embedded in every layer of the platform.

Our team holds graduate degrees in cybersecurity and the platform undergoes regular third-party penetration testing. Below is a detailed overview of the controls we maintain to keep your applications and data safe.

Infrastructure Security

Your services run on hardened, isolated infrastructure designed for security from the ground up.

Isolated Compute Environments

Every service runs in its own isolated virtual machines in a private cloud. No shared runtimes, no noisy neighbors.

DDoS Protection

Built-in DDoS protection on every endpoint by default. No configuration required.

Automated Deployments

Immutable, containerized deployments built from source via secure build pipelines. No manual server access.

Private Networking

Services run within isolated private networks with controlled ingress. Internal traffic never traverses the public internet.

Auto-Scaling

Infrastructure scales automatically to meet demand, maintaining availability during traffic spikes.

Data Protection

Your data is encrypted, hashed, and verified at every stage.

Encryption in Transit

All connections are encrypted with TLS. Every endpoint is HTTPS by default with no configuration required.

Encryption at Rest

All stored data — databases, build artifacts, logs — is encrypted at rest using industry-standard encryption.

Secure Credential Storage

Secrets and API keys are hashed using Argon2, a memory-hard hashing algorithm resistant to GPU and ASIC attacks.

Webhook Verification

All incoming webhooks are verified using HMAC-SHA256 signatures to prevent tampering and replay attacks.

Access Control

Every request is authenticated, scoped, and verified.

OAuth Authentication

Account authentication via Google OAuth with CSRF protection using timing-safe token comparison.

Scoped API Keys

Programmatic access uses project-scoped API keys with configurable expiration. Keys are hashed at rest and never stored in plaintext.

Session Management

Server-side session storage with configurable timeouts. Session tokens are encrypted and cookies set the HttpOnly, Secure, and SameSite attributes.

Role-Based Access Control

Fine-grained access control ensures users can only access resources they are authorized for.

PKCE Authentication

CLI authentication uses the PKCE (Proof Key for Code Exchange) flow to prevent authorization code interception.

Monitoring & Audit

Full visibility into every action and event across the platform.

Access Audit Logging

All user actions — account creation, logins, permission changes, resource modifications — are logged with timestamps for full auditability.

Request Logging

API requests are logged with automatic 30-day retention, enabling investigation of issues and suspicious activity.

Deployment Tracking

Every build and deployment is tracked through a state machine with full history, timestamps, and status transitions.

Real-Time Log Search

Application logs are ingested in real time and searchable by time range, severity, and request ID.

Data Lifecycle

Clear retention policies and full control over your data.

Automatic Retention Policies

Logs expire after 30 days and metrics after 90 days. Session tokens and API keys have configurable expiration periods.

Data Backup & Recovery

Automated database backups with point-in-time recovery capabilities ensure your data is protected against loss.

Account Data Deletion

You can request full deletion of your account and associated data at any time.

Organizational Security

Security is a culture, not just a feature.

Security-First Engineering

Founded by a former cloud security reviewer. Our team holds graduate degrees in cybersecurity and follows security-first development practices.

Regular Penetration Testing

The platform undergoes regular third-party penetration testing to proactively identify and remediate vulnerabilities.

Vulnerability Management

We maintain a structured vulnerability management program including dependency scanning, patching cadences, and responsible disclosure.

Incident Response

Documented incident response procedures ensure rapid detection, containment, and communication during security events.

Change Management

All infrastructure and code changes follow a structured review and approval process before reaching production.
