Last updated: March 22, 2026

Security Policy

Security is foundational to everything Foreko builds. We handle sensitive business data — inventory, procurement, financials — and we treat that responsibility seriously. This page describes our security architecture, controls, and practices.

1. Compliance Posture

Foreko is designed in alignment with the SOC 2 Trust Services Criteria for Security, Availability, and Confidentiality. Our controls map to the AICPA Trust Services Criteria, and we are pursuing a formal SOC 2 Type II attestation from an independent auditor. Application security practices follow OWASP Top 10 guidance.

2. Data Encryption

  • In transit: All data between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS sitewide and reject insecure connections.
  • At rest: All database data is encrypted at rest using AES-256 via our cloud provider's managed encryption service.
  • Passwords: Never stored in plaintext. Hashed using bcrypt with a cost factor of 12.
  • Session tokens: Cryptographically random 256-bit tokens stored as HTTP-only, Secure, SameSite=Lax cookies.

3. Authentication & Access Control

  • Two-factor authentication (2FA): Required for all user logins. Codes are delivered via email or SMS, expire in 10 minutes, and are hashed before storage.
  • 24-hour 2FA grace period: A session that has completed 2FA is trusted for 24 hours before a new code is required. This is a deliberate usability trade-off: within the window, a valid session cookie alone is sufficient, which is why the cookie itself carries the HttpOnly, Secure, and SameSite attributes described above.
  • Tenant scoping and role-based access control (RBAC): Every request is scoped to the requesting user's organization, so cross-tenant data access is not possible; within an organization, RBAC limits what each user can read or change.
  • Session expiry: Sessions expire automatically and are invalidated on logout.
  • Brute force protection: Failed login attempts are rate-limited and monitored. Repeated failures trigger account alerts.

4. Customer Data Isolation

Every customer's data — including raw imports, processed records, and machine learning model artifacts — is logically isolated at the database schema level. No customer can access another's data. Individual ML models are built and stored per customer and are never shared or used to inform other customers' outputs.

5. Infrastructure Security

  • Cloud hosting: Infrastructure runs on SOC 2-certified cloud providers with physical security, redundancy, and automated backups.
  • Database: Managed PostgreSQL (Neon) with automated backups, point-in-time recovery, and encrypted connections.
  • Network: Services run behind firewalls with strict ingress/egress rules. Internal services are not publicly accessible.
  • Dependencies: We continuously monitor for known CVEs in our dependency tree and patch critical vulnerabilities promptly.

6. Application Security

  • All user input is validated, and database queries use parameterized statements rather than string concatenation to prevent SQL injection
  • Context-aware output encoding to prevent cross-site scripting (XSS)
  • CSRF protection via the SameSite=Lax cookie policy
  • HTTP security headers enforced (HSTS, CSP, X-Frame-Options, etc.)
  • API rate limiting on all endpoints
  • Security events (logins, 2FA, password changes, session revocations) are logged and auditable
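An added example (not Foreko's own code) of two of the controls listed above, in Node.js: an HTML output encoder applied to an untrusted product name, and a CSRF check for state-changing requests that complements SameSite=Lax. A Lax cookie is still sent on a top-level cross-site GET navigation, so the check relies on no GET endpoint changing state and additionally verifies the Sec-Fetch-Site and Origin/Referer headers against the site's own origin. The origin https://www.foreko.app is taken from the contact section of this page; the request shape and function names are assumptions; the parameterized-query and header items are not shown here.

```javascript
// Added example, not Foreko's code: output encoding and a CSRF check for
// state-changing requests, complementing the SameSite=Lax cookie policy.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };

// Encode untrusted text for HTML body and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => HTML_ESCAPES[c]);
}

// A supplier-provided product name reaches the page only after encoding, so a
// name like <img src=x onerror=...> renders as text instead of executing.
function renderProductCell(name) {
  return `<td title="${escapeHtml(name)}">${escapeHtml(name)}</td>`;
}

// Methods that must never change state. A SameSite=Lax cookie IS attached to a
// top-level cross-site GET navigation, so a GET that mutates data would be
// CSRF-able despite the cookie attribute.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

function originOf(referer) {
  try { return new URL(referer).origin; } catch { return null; }
}

// Defence in depth for unsafe methods: refuse anything the browser labels
// cross-site or same-site (a sibling subdomain), and require an Origin (or
// Referer) that matches our own origin exactly. `req` is { method, headers }
// with lower-cased header names, as Node's http module provides.
function csrfCheck(req, siteOrigin) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return { ok: true, reason: 'safe method' };
  const fetchSite = req.headers['sec-fetch-site'];
  if (fetchSite && fetchSite !== 'same-origin' && fetchSite !== 'none') {
    return { ok: false, reason: `rejected by Sec-Fetch-Site=${fetchSite}` };
  }
  const origin = req.headers['origin'] || originOf(req.headers['referer']);
  if (!origin) return { ok: false, reason: 'missing Origin and Referer' };
  if (origin !== siteOrigin) return { ok: false, reason: `origin ${origin} is not ${siteOrigin}` };
  return { ok: true, reason: 'same-origin' };
}
```

The encoder is deliberately limited to the HTML text and quoted-attribute contexts; a value placed inside a script block, a URL, or an unquoted attribute needs a different encoder, which is what "context-aware" in the list above means in practice.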

7. Monitoring & Incident Response

Foreko maintains continuous monitoring of platform activity including API request rates, authentication events, and error patterns. In the event of a confirmed security incident:

  • We will notify affected customers within 72 hours of discovery
  • Notification will include the nature of the incident, data affected, and remediation steps taken
  • We will cooperate with customers in any regulatory notification requirements

To report a security vulnerability, please email security@foreko.app. We practice responsible disclosure and will acknowledge reports within 2 business days.

8. Employee Access

Foreko employee access to customer data is strictly limited to what is necessary to deliver support and operate the platform. All employee access is logged, requires MFA, and is reviewed regularly. Employees are trained on data handling and confidentiality as part of onboarding.

9. Third-Party Vendors

We conduct security reviews of all third-party vendors who process customer data. Key vendors include:

  • Neon (PostgreSQL): SOC 2 Type II certified database provider
  • Stripe: PCI DSS Level 1 certified payment processor
  • Vercel: SOC 2 Type II certified deployment platform

Vendor agreements include data processing addenda (DPAs) restricting their use of customer data to service delivery only.

Cookie Policy

This section explains how Foreko uses cookies and similar technologies.

10. What Are Cookies

Cookies are small text files stored on your device by your browser. Foreko uses strictly necessary cookies to operate the platform. We do not use advertising, tracking, or analytics cookies within the authenticated application.

11. Cookies We Use

Cookie          Purpose                                             Duration                                   Type
session-token   Maintains your authenticated session                Session, or 30 days with "Remember me"     Strictly necessary
auth-token      Legacy JWT kept for backward compatibility          Session or 30 days                         Strictly necessary
tfa-expires     Tracks the 24-hour 2FA verification grace period    24 hours                                   Strictly necessary

All cookies are HTTP-only (not accessible to JavaScript), Secure (sent over HTTPS only in production), and SameSite=Lax (cross-site request forgery protection: the browser withholds the cookie from cross-site POSTs and embedded requests, though it still sends it on a top-level navigation to our site).

12. Managing Cookies

Because all cookies we set are strictly necessary for the platform to function, disabling them will prevent you from logging in or using the service. You can clear cookies at any time through your browser settings, which will log you out of the platform.

13. Contact

Foreko Inc. — Security

Email: security@foreko.app

Website: www.foreko.app

© 2025 Foreko. All rights reserved.