Encryption
All traffic is served over TLS. Data is encrypted at rest by our infrastructure provider. Credentials are hashed, never stored in plain text.
Tenant isolation
Every workspace is isolated at the database layer with PostgreSQL row-level security. A query for one customer physically cannot return another customer's rows — isolation is enforced by the database, not just application code.
Access control
- Least-privilege service roles; admin surfaces are gated separately from customer auth.
- Sub-admins get scoped Editor or Viewer access — viewers cannot mutate anything.
- Administrative actions are written to an append-only audit log.
Payments
Billing runs through Stripe. Card data is handled entirely by Stripe's PCI-DSS Level 1 infrastructure — ChatForge never sees or stores full card numbers.
Responsible disclosure
Found a vulnerability? We appreciate coordinated disclosure. Email security@chatforge.app with details and steps to reproduce, and please give us a reasonable window to remediate before any public disclosure.
Ongoing
We continuously harden the platform and are pursuing SOC 2. Have a security questionnaire or need our DPA? See the Data Processing Agreement.