CoreForge is the operating layer for international companies, so trust is core to everything we ship. This page summarises how we protect your data, how we operate the service and how to reach our security team.
1. Encryption
- In transit: TLS 1.2+ on every connection — HSTS preloaded on the apex domain, modern cipher suites only, no fallback to TLS 1.0/1.1.
- At rest: AES-256 on the database (MongoDB Atlas encrypted disks), AES-256 on Cloudflare storage and Dropbox backup archives.
- Passwords are stored only as bcrypt hashes — we never see, log or email plaintext credentials.
2. Access control
- Mandatory 2FA for every platform administrator.
- Role-Based Access Control (RBAC) with least-privilege defaults — admin, member, chatter, assistant, customer roles isolated at the API layer.
- Tenant isolation — every record is scoped by tenant; all endpoints enforce the active company claim from the JWT.
- Brute-force protection — per-IP and per-account rate limits, automatic temporary lockout on consecutive failures.
- Audit logs — every administrative action is recorded with actor, target, timestamp and IP; retained for 12 months.
3. Operational practices
- Daily automated backups with off-site copies on Dropbox; restore tested quarterly.
- RPO < 24 h, RTO < 4 h for production incidents.
- Change management — every code change goes through peer review and automated lint + test gates before deploy.
- Dependency monitoring — automated checks for known CVEs on Python and JavaScript dependencies.
- Cloudflare WAF + Turnstile in front of the public surface (Turnstile dormant until activated by the platform owner).
4. Compliance & certifications
- GDPR + UK GDPR + Swiss FADP — we offer a Data Processing Addendum aligned with the 2021 SCCs and UK IDTA. Read the DPA.
- CCPA / CPRA + other US state laws — disclosures and request flow in our Privacy Policy.
- SOC 2 Type II — roadmap. We will begin the SOC 2 Type II audit window in 2026 Q4 once paid-tier ARR justifies the spend. Until then we publish this Trust page as our self-attestation and answer customer questionnaires individually.
- Sub-processors are listed publicly at coreforgeapp.com/subprocessors, with 30 days' advance notice of changes.
5. Incident response
Security incidents are triaged 24/7 by the platform owner. In the event of a confirmed Personal Data breach affecting Customer Data we notify affected customers without undue delay and within 72 hours of becoming aware, in line with Article 33 GDPR and CCPA §1798.150.
Status updates and post-mortems are published via email to the billing contact and, when material, on this page.
6. Responsible disclosure
If you believe you have found a security vulnerability in CoreForge, please report it confidentially to security@coreforgeapp.com. We will acknowledge within 2 business days, work in good faith to validate and remediate, and credit reporters in any public advisory unless they request anonymity.
Please do not: degrade the Service, access data that is not yours, run automated scanners outside of a coordinated window, perform social engineering, or disclose publicly before we have had a reasonable opportunity to fix.
Our machine-readable security policy is available at /.well-known/security.txt.
7. Reporting copyright (DMCA)
We respect the rights of copyright holders. CoreForge is registered with the U.S. Copyright Office's DMCA Designated Agent Directory under registration number DMCA-1074320.
To submit a DMCA notice or a counter-notice, please email dmca@coreforgeapp.com with the subject "DMCA Notice" or "DMCA Counter-Notice", including the elements required by 17 U.S.C. § 512(c)(3). Notices that do not comply may be ignored.
Designated Agent for receipt of DMCA notifications:
DMCA Agent · GreinchWW LLC
2106 House Ave Suite 741, Cheyenne, WY 82001, United States
Phone: +1 (307) 316-8257
Email: dmca@coreforgeapp.com
DMCA registry: dmca.copyright.gov / DMCA-1074320
8. Contact
Security: security@coreforgeapp.com
Privacy: privacy@coreforgeapp.com
Legal: legal@coreforgeapp.com
GreinchWW LLC (d/b/a CoreForge)
2106 House Ave STE 741, Cheyenne, WY 82001, United States
