Security & Data Handling

Engineering data is sensitive: drawings, tolerances, and failure analyses describe products before they exist. This page states plainly what ForgePilot stores, what it never stores, who processes it, and how to get your data out. If your procurement team needs something not covered here, write to us.

Never stored

Ad hoc file uploads

Files uploaded for a one-off analysis are processed in memory and discarded after the response. They are never written to disk unless you explicitly save them to a Project.

Model training on your data

Your prompts, files, and results are not used to train AI models. Our AI provider processes API requests without training on them.

Payment card details

We do not currently process payments in-app and never store card numbers.

Stored, encrypted, yours to delete

Account details

Name, email, and authentication data, managed by Clerk. We never see or store your password.

Chats, analyses, and calculator runs

Saved to your account so you can return to them. Delete any thread from the workspace at any time.

Project files you explicitly save

Files you upload to a Project, and reports you save to cloud storage, are kept in a private, access-controlled bucket until you delete them.

Team membership and attribution

For team workspaces: who belongs to the team and who ran each analysis.

How data is protected

In transit: all traffic is encrypted with TLS. There are no unencrypted endpoints.

At rest: stored data lives in Supabase, which encrypts databases and file storage at rest. Project files sit in private buckets that are never publicly accessible.

Access control: every request is authenticated server-side. Plan checks, usage limits, and file access are verified on the server on every call; nothing security-relevant trusts the client.

Team isolation: team workspaces are scoped so members only see their team's projects. Personal projects stay personal even for team members.

Subprocessors

The services that process data on ForgePilot's behalf. Each maintains its own independent security certifications (SOC 2 and/or ISO 27001).

Vercel

Web application hosting and CDN

Railway

API backend hosting

Supabase

Database and file storage (encrypted at rest)

Clerk

Authentication and account management

OpenAI

AI processing of analysis requests via API

Resend

Transactional email delivery

Straight answers for procurement

Certifications: ForgePilot does not yet hold its own SOC 2 or ISO 27001 certification. We are an early-stage company and say so plainly. Our infrastructure providers are certified, and formal certification is on our roadmap as the team grows.

SSO / SAML: available for enterprise deployments on request, through our authentication provider.

Data processing agreement: available on request for team and enterprise customers.

Export or delete your data: email patilavaneesh2@gmail.com from your account address and we will export or permanently delete your data within 30 days. You can also delete individual threads, files, and projects directly in the workspace.

Full details on data collection and your rights are in the privacy policy. How we verify our engineering math is on the validation page.