1. HTTPS / TLS Encryption
All traffic between client devices and the Platform is encrypted in transit using HTTPS over TLS 1.2+ with modern cipher suites. HTTP Strict Transport Security (HSTS) is enabled platform-wide so browsers refuse to fall back to unencrypted HTTP. Pre-signed cloud-storage URLs used to deliver plan PDFs are scoped to short time-to-live windows.
2. Authentication Controls
User authentication uses short-lived JWT access tokens delivered as httpOnly, Secure cookies. Refresh tokens are stored as separate httpOnly cookies and rotated on use. Passwords are stored as salted bcrypt hashes; cleartext passwords are never logged. Brute-force protection and lockout thresholds apply to failed login attempts. Failed authentications against non-existent accounts are recorded so administrators can detect credential-stuffing activity.
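The following is an added example (not the Platform's own code) of the login-path controls this section lists: a salted password hash compared in constant time, a lockout threshold on repeated failures, failed logins against non-existent accounts recorded so they can be counted per source IP, and HttpOnly/Secure cookie headers for the access and refresh tokens. The threshold, lockout duration, cookie lifetimes and the /api/auth/refresh path are assumed values; scrypt from the standard library stands in for bcrypt so the example runs without third-party packages, and the token values are random placeholders rather than signed JWTs.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed policy values; the page says thresholds exist but does not give them.
LOCKOUT_THRESHOLD = 5        # failed attempts before the account is locked
LOCKOUT_SECONDS = 15 * 60    # how long the lock lasts
ACCESS_TTL = 15 * 60         # short-lived access token lifetime (seconds)
REFRESH_TTL = 7 * 24 * 3600  # refresh token lifetime (seconds)
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)


def hash_password(password, salt=None):
    """Salted hash. scrypt stands in for the bcrypt the page describes so the example
    needs only the standard library; the 16-byte salt is stored in front of the digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def auth_cookies(access, refresh):
    """Set-Cookie headers: HttpOnly keeps page scripts away from the tokens, Secure keeps
    them off plain HTTP, and the refresh cookie is scoped to the (assumed) refresh path."""
    return [
        f"access_token={access}; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age={ACCESS_TTL}",
        f"refresh_token={refresh}; HttpOnly; Secure; SameSite=Strict; "
        f"Path=/api/auth/refresh; Max-Age={REFRESH_TTL}",
    ]


class AuthService:
    def __init__(self):
        self.users = {}   # username -> {"hash", "failed", "locked_until"}
        self.events = []  # login outcomes for detection; the password itself is never stored here

    def register(self, username, password):
        self.users[username] = {"hash": hash_password(password), "failed": 0, "locked_until": 0.0}

    def _record(self, now, ip, username, outcome):
        self.events.append({"t": now, "ip": ip, "user": username, "outcome": outcome})

    def login(self, username, password, ip, now=None):
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            # Record the miss: many unknown usernames from one IP is the credential-stuffing signal.
            self._record(now, ip, username, "unknown_account")
            return {"ok": False, "reason": "invalid_credentials"}  # same message as a bad password
        if now < user["locked_until"]:
            self._record(now, ip, username, "locked")
            return {"ok": False, "reason": "locked"}
        if not verify_password(password, user["hash"]):
            user["failed"] += 1
            if user["failed"] >= LOCKOUT_THRESHOLD:
                user["locked_until"] = now + LOCKOUT_SECONDS
                user["failed"] = 0
            self._record(now, ip, username, "bad_password")
            return {"ok": False, "reason": "invalid_credentials"}
        user["failed"] = 0
        self._record(now, ip, username, "success")
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)  # placeholder tokens
        return {"ok": True, "set_cookie": auth_cookies(access, refresh)}

    def unknown_account_failures(self, ip, window, now):
        """Detection query: unknown-account failures from one IP within the last `window` seconds."""
        return sum(1 for e in self.events
                   if e["ip"] == ip and e["outcome"] == "unknown_account" and now - e["t"] <= window)
```

The unknown-account path deliberately returns the same `invalid_credentials` result as a wrong password, so the response does not reveal which usernames exist; the distinction lives only in the recorded events, which is where an administrator would query for stuffing activity.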
3. Role-Based Permissions
Every action on the Platform is gated by role. Standard roles include Admin, Project Manager, Superintendent, Field Engineer, Foreman, Owner, and Viewer. Sensitive endpoints (user management, audit, platform administration) require elevated role checks. Module gating (e.g., photos, conflicts) is enforced server-side regardless of the client.
4. Tenant Isolation
Customer Data is partitioned by tenant_id. Every read, write, and storage operation is filtered against the authenticated user’s tenant. Cross-tenant access is prohibited by API contract and verified by automated regression coverage. Cloud-storage object keys include the tenant identifier so a leaked object key cannot be replayed against a different tenant’s storage prefix.
5. Audit Logging
Every administrative, security-relevant, and data-changing action writes an immutable audit row capturing actor, action, target, IP address, user-agent, severity, success/failure, and a structured metadata payload. The audit log is queryable by tenant administrators and platform staff via the /api/audit endpoint. Retention can extend up to seven (7) years.
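As an added example covering sections 4 and 5 together (not the Platform's own code), here is an in-memory data layer in which every read and write is filtered against the caller's tenant_id on the server side, where a row outside the caller's tenant is refused with the same error as a row that does not exist, and where each access writes an audit row with the fields listed above (actor, action, target, IP, user-agent, severity, success, structured metadata). The `check_no_cross_tenant_access` function is the kind of automated regression check the isolation section mentions. Role names follow the page; the `platform_staff` role, the row shapes and the principals are constructed for the example.

```python
import json
import time
from dataclasses import dataclass


class NotFound(Exception):
    """Raised for a missing row AND for a row in another tenant, so the error does not
    reveal whether an identifier exists outside the caller's tenant."""


@dataclass
class Principal:
    user_id: str
    tenant_id: str   # taken from the authenticated session, never from request parameters
    role: str
    ip: str
    user_agent: str


class TenantStore:
    """Stand-in for the database; every access is scoped by tenant_id."""

    def __init__(self):
        self.rows = {}    # row_id -> row dict, each carrying tenant_id
        self.audit = []   # append-only audit rows

    def _audit(self, who, action, target, success, severity="info", **metadata):
        self.audit.append({
            "ts": time.time(), "tenant_id": who.tenant_id, "actor": who.user_id,
            "action": action, "target": target, "ip": who.ip, "user_agent": who.user_agent,
            "severity": severity, "success": success,
            "metadata": json.dumps(metadata, sort_keys=True),  # structured payload
        })

    def get(self, who, row_id):
        row = self.rows.get(row_id)
        # Tenant filter enforced here, regardless of what the client asked for.
        if row is None or row["tenant_id"] != who.tenant_id:
            self._audit(who, "row.read", row_id, False, severity="warning", reason="not_found_in_tenant")
            raise NotFound(row_id)
        return row

    def update(self, who, row_id, **changes):
        row = self.get(who, row_id)  # reuses the tenant check
        before = {k: row.get(k) for k in changes}
        row.update(changes)
        self._audit(who, "row.update", row_id, True, changed=sorted(changes), before=before)
        return row

    def query_audit(self, who):
        """Tenant admins see their own tenant's rows; platform staff (assumed role) see all."""
        if who.role == "platform_staff":
            return list(self.audit)
        if who.role != "Admin":
            raise PermissionError("audit query requires the Admin role")
        return [a for a in self.audit if a["tenant_id"] == who.tenant_id]


def check_no_cross_tenant_access(store, principals):
    """Regression check: every principal must be refused every row outside their tenant."""
    for who in principals:
        for row_id, row in store.rows.items():
            if row["tenant_id"] != who.tenant_id:
                try:
                    store.get(who, row_id)
                except NotFound:
                    continue
                return False  # a cross-tenant read succeeded
    return True
```

Refused reads are audited at `warning` severity with `success=False`; a cluster of those from one actor is the query a tenant administrator would run against the audit log to spot enumeration of another tenant's identifiers.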
6. Cloud Storage Security
Plan PDFs, photos, and exports are stored in an S3-compatible object store (Cloudflare R2) encrypted at rest. Objects are written to tenant-prefixed keys and served to authenticated users via short-lived pre-signed URLs only. Direct anonymous access is denied at the bucket policy layer. Credentials used by the Platform to write storage are stored as environment secrets — never in source control.
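The combination described in sections 1 and 6 (tenant-prefixed object keys delivered through short-lived pre-signed URLs) can be shown with a small signing and verification pair. This is an added example, not the Platform's code and not the S3/R2 signature scheme itself: it uses a constructed HMAC-SHA256 signature over the key and an expiry timestamp, an assumed hostname, and a signing key that in practice would be an environment secret. The verifier rejects an expired link, a tampered key or expiry, and a key that lies outside the requesting tenant's prefix.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

SIGNING_KEY = b"example-signing-key-not-real"  # constructed; would be an environment secret
DEFAULT_TTL = 300  # seconds; a short window bounds how long a leaked link stays usable


def object_key(tenant_id, category, filename):
    """Object keys always begin with the tenant identifier."""
    if not tenant_id or "/" in tenant_id or tenant_id in (".", ".."):
        raise ValueError("bad tenant id")
    return f"{tenant_id}/{category}/{filename}"


def _signature(key, expires):
    msg = f"{key}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def presign(tenant_id, key, ttl=DEFAULT_TTL, now=None):
    """Issue a time-limited link; refuses to sign a key outside the caller's tenant prefix."""
    now = int(time.time()) if now is None else int(now)
    if not key.startswith(tenant_id + "/"):
        raise PermissionError("key outside tenant prefix")
    expires = now + ttl
    query = urlencode({"expires": expires, "sig": _signature(key, expires)})
    return f"https://files.example.invalid/{key}?{query}"  # assumed hostname


def verify(url, tenant_id, now=None):
    """Return the object key if the link is valid for this tenant, otherwise None."""
    now = int(time.time()) if now is None else int(now)
    parsed = urlparse(url)
    key = parsed.path.lstrip("/")
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return None
    if now > expires:
        return None                                       # expired window
    if not hmac.compare_digest(sig, _signature(key, expires)):
        return None                                       # key or expiry was altered
    if not key.startswith(tenant_id + "/"):
        return None                                       # replay against another tenant's prefix
    return key
```

Because the signature binds both the key and the expiry, neither can be edited without invalidating the link, and because the key carries the tenant prefix, a link that leaks out of one tenant is useless when presented in another tenant's context.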
7. Infrastructure Monitoring
The Platform exposes anonymous health endpoints (/api/health, /api/system_health) for liveness and readiness checks and for database, storage, and email configuration checks. Application errors and latency are continuously observed, and alerts are routed to the operations team.
8. Backup Practices
The primary database is backed up on a daily schedule. Backups are retained for ninety (90) days on a rolling window and overwritten thereafter. Object-store contents are versioned where supported. Restore procedures are documented in an internal runbook and exercised on a recurring cadence.
9. Operational Controls
- Production access is limited to authorized engineering personnel under principle of least privilege.
- Secrets are managed as environment variables in the deployment platform — never checked into source control.
- All deployments are reviewed and traceable to a specific source revision.
- Third-party services used by the Platform (email delivery, object storage, identity) are vetted for security posture before integration.
- Security-relevant code paths (authentication, tenant isolation, audit) are covered by automated regression tests.
10. Security Questions
To report a vulnerability, request a security questionnaire, or ask about our controls, contact:
