Security is foundational, not optional.
Forte was founded by a former cloud security reviewer whose team led security reviews for production services at AWS. Security isn't an afterthought — it's embedded in every layer of the platform.
Our leadership team holds graduate degrees in cybersecurity and the platform undergoes regular third-party penetration testing. Below is a detailed overview of the controls we maintain to keep your applications and data safe.
Infrastructure Security
Your services run on hardened, isolated infrastructure designed for security from the ground up.
Isolated Compute Environments
Every service runs in its own isolated virtual machines in a private cloud. No shared runtimes, no noisy neighbors.
DDoS Protection
Built-in DDoS protection on every endpoint by default. No configuration required.
Automated Deployments
Immutable, containerized deployments built from source via secure build pipelines. No manual server access.
Private Networking
Services run within isolated private networks with controlled ingress. Internal traffic never traverses the public internet.
Auto-Scaling
Infrastructure scales automatically to meet demand, maintaining availability during traffic spikes.
Data Protection
Your data is encrypted, hashed, and verified at every stage.
Encryption in Transit
All connections are encrypted with TLS. Every endpoint is HTTPS by default with no configuration required.
Encryption at Rest
All stored data — databases, build artifacts, logs — is encrypted at rest using industry-standard encryption.
Secure Credential Storage
Secrets and API keys are hashed using industry-proven memory-hard hashing algorithm resistant to GPU and ASIC attacks.
Webhook Verification
All incoming webhooks are verified using HMAC-SHA256 signatures to prevent tampering and replay attacks.
Access Control
Every request is authenticated, scoped, and verified.
OAuth Authentication
Account authentication via Google OAuth with CSRF protection using timing-safe token comparison.
Scoped API Keys
Programmatic access uses project-scoped API keys with configurable expiration. Keys are hashed at rest and never stored in plaintext.
Session Management
Server-side session storage with configurable timeouts. Session tokens are encrypted and cookies use httpOnly, Secure, and SameSite flags.
Role-Based Access Control
Fine-grained access control ensures users can only access resources they are authorized for.
PKCE Authentication
CLI authentication uses the PKCE (Proof Key for Code Exchange) flow to prevent authorization code interception.
Monitoring & Audit
Full visibility into every action and event across the platform.
Access Audit Logging
All user actions — account creation, logins, permission changes, resource modifications — are logged with timestamps for full auditability.
Request Logging
API requests are logged with automatic 30-day retention, enabling investigation of issues and suspicious activity.
Deployment Tracking
Every build and deployment is tracked through a state machine with full history, timestamps, and status transitions.
Real-Time Log Search
Application logs are ingested in real time and searchable by time range, severity, and request ID.
Data Lifecycle
Clear retention policies and full control over your data.
Automatic Retention Policies
Logs and metrics expire after 90 days. Session tokens and API keys have configurable expiration periods.
Data Backup & Recovery
Automated database backups with point-in-time recovery capabilities ensure your data is protected against loss.
Account Data Deletion
You can request full deletion of your account and associated data at any time.
Organizational Security
Security is a culture, not just a feature.
Security-First Engineering
Founded by a former cloud security reviewer. Our team holds graduate degrees in cybersecurity and follows security-first development practices.
Regular Penetration Testing
The platform undergoes regular third-party penetration testing to proactively identify and remediate vulnerabilities.
Vulnerability Management
We maintain a structured vulnerability management program including dependency scanning, patching cadences, and responsible disclosure.
Incident Response
Documented incident response procedures ensure rapid detection, containment, and communication during security events.
Change Management
All infrastructure and code changes follow a structured review and approval process before reaching production.
Policies and resources
For more information about how we handle your data, review our policies or reach out to our team.