Security & Governance

Your data, governed.

Forge Dynamics was built from the ground up for founders who need to trust an AI system with Stripe and GitHub access. Here is exactly what we built, what we tested, and what we can and cannot do.

  • 1018: Automated tests across unit, integration, and adversarial suites
  • 59: Adversarial red team test cases across 8 attack vectors
  • 26: Database tables with row-level security enforced on every one
  • 5: AI agents — only 1 touches financial metrics (deterministic, no LLM)
  • 0: Actions taken without human approval (HITL on every T2 action)
  • 4: LLM providers the system was adversarially tested against

Access Model

READ-ONLY
Stripe — OAuth read-only access
We access subscription data, invoice statuses, payment events, and dunning metadata. We use OAuth. We never see credit card numbers, bank account details, payment method tokens, or any PCI-regulated data. We cannot initiate charges, issue refunds, or modify any data in your Stripe account.
READ-ONLY
GitHub — OAuth read-only access
We access issue and pull request metadata, repository activity metrics, milestone statuses, and velocity signals. We do not process, store, or transmit source code. Our system is programmatically restricted to issue/PR and activity metadata only.

What We Cannot Do

  • Initiate charges, refunds, or any write operation in your Stripe account
  • Read credit card numbers, bank account details, or PCI-regulated payment data
  • Modify, create, or delete issues or pull requests in your GitHub repositories
  • Read source code, secrets, or environment variables from your repositories
  • Take any action without your explicit approval (T2 actions require human-in-the-loop)
  • Share your data with other customers — row-level security prevents this at the database layer
  • Use your data to train AI models — Gemini Paid Services only, governed by Google's DPA
  • Access data from other integrations — only Stripe and GitHub are connected

Deterministic Financial Metrics

NO LLM ON FINANCIALS
CFO agent uses pure Python math
MRR, churn, velocity, unit economics, and all financial metrics are calculated using deterministic Python code — not AI. The AI agents interpret the outputs of these calculations. This means your financial numbers are auditable, repeatable, and immune to hallucination.
ATTRIBUTION TIERS
Saved revenue is never inflated
Saved MRR is tracked in three strictly separate tiers — Direct (deterministic event match), Likely (correlated timing), and Operator-Reported (manual). The system has no method to combine these into a single "total saved" number. This is enforced at the schema level by design.

Human-in-the-Loop Governance

HITL
Three-tier action system — T0, T1, T2
T0 (Read-only): Metrics collection, report generation, memory search — no approval required.
T1 (Draft-only): Slack digests, email summaries — staged before delivery, no external write access.
T2 (Write with approval): Any action that modifies external systems requires explicit human approval. The system will never execute a T2 action autonomously.
AUDIT LOG
Every action is logged with trace IDs
Every recommendation, approval, rejection, and system event is recorded in the audit log with trace IDs and run IDs. You can see exactly what the system did, when, and why.
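
The tier gate and audit trail described above, as an added example (not Forge Dynamics' code). The names `ActionGate` and `Approval`, the audit record fields, and the choice to bind each approval to a single action ID are assumptions made for illustration.

```python
import uuid
from dataclasses import dataclass, field
from enum import Enum


class Tier(Enum):
    T0 = "read-only"
    T1 = "draft-only"
    T2 = "write-with-approval"


@dataclass(frozen=True)
class Approval:  # hypothetical record of a human decision
    action_id: str
    approver: str


@dataclass
class ActionGate:  # hypothetical name; one instance per agent run
    run_id: str
    audit: list = field(default_factory=list)
    drafts: list = field(default_factory=list)

    def _log(self, event, action_id, tier, detail=""):
        # Every decision gets its own trace ID plus the shared run ID.
        self.audit.append({"trace_id": uuid.uuid4().hex, "run_id": self.run_id,
                           "event": event, "action_id": action_id,
                           "tier": tier.name, "detail": detail})

    def submit(self, action_id, tier, effect, approval=None):
        """Run, stage, or refuse `effect` according to its tier."""
        if tier is Tier.T0:
            self._log("executed", action_id, tier)
            return effect()
        if tier is Tier.T1:
            # Draft-only: stage the action; the effect is never invoked here.
            self.drafts.append(action_id)
            self._log("staged", action_id, tier)
            return None
        # T2: fail closed unless a human approved this exact action.
        if approval is None or approval.action_id != action_id:
            self._log("rejected", action_id, tier, "no matching approval")
            raise PermissionError(f"{action_id}: T2 requires human approval")
        self._log("approved", action_id, tier, approval.approver)
        return effect()
```

Binding the approval to one action ID means an approval granted for one write cannot be replayed to authorize a different one, and the refusal itself is logged before the exception is raised.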

Adversarial Red Team — 8 Attack Vectors, 59 Tests

Before accepting a single customer's data, we ran 59 adversarial test cases against the system across 8 attack vectors. Every test verifies that a real security invariant holds. A failing test means a real vulnerability.

RT-01 Policy Rule 10 — fake signals attempting to authorize actions ✓ PASS
RT-02 Entity collision — conflicting signals claiming the same entity ✓ PASS
RT-03 Source trust override — third-party signal claiming first-party confidence ✓ PASS
RT-04 ADR-014 violation — world context attempting to override operational memory ✓ PASS
RT-05 Stale signal exploitation — expired TTL signals used as active ✓ PASS
RT-06 Urgent trigger spam — rate limiting under flood conditions ✓ PASS
RT-07 Unconfirmed entity trust — pending entities treated as authoritative ✓ PASS
RT-08 Cross-tenant leakage — tenant A signals visible to tenant B ✓ PASS

Additionally, 6 end-to-end policy integration tests (RT-L01–RT-L06) verify that adversarial signal content cannot bypass confidence floors, escalation rules, or action authorization constraints through the full advisor pipeline.


Data Isolation — 26 Tables, All with RLS

ROW-LEVEL SECURITY
Every table isolated per customer at the database layer
All 26 tables in the ai_ops schema have row-level security enabled. No customer can access another customer's data through the application or directly through the database. Scoped JWTs are used for all database access — there are no superuser application queries.
ENCRYPTION
Encryption at rest and in transit
All data in transit uses TLS/HTTPS. All data at rest is encrypted in Supabase (AES-256). OAuth tokens for Stripe and GitHub are stored encrypted — we never store raw keys. Passwords are not accepted — we use OAuth exclusively.

AI Processing — Gemini Paid Services

NO MODEL TRAINING
Google Gemini Paid Services only
All LLM processing uses Google Gemini via Paid Services (not the free tier). Under Google's Paid Services terms, customer data submitted via the API is not used by Google to train or improve their models. Governed by Google's Data Processing Addendum.
DATA MINIMIZATION
Prompts use aggregated metrics, not raw customer records
AI agents receive aggregated operational metrics and memory summaries — not raw Stripe records or GitHub issue contents. We apply pseudonymization where practicable. Vector embeddings are generated from operational summaries and stored in our database.

Data Export & Deletion

YOUR DATA
Export anytime, delete anytime
Your data is yours. Export all memory pages, reports, playbooks, and audit logs at any time via the tenant lifecycle system. After cancellation, you have 30 days to export. Backup copies are purged within 90 days. You can request an immediate hard purge at any time — production data is deleted immediately.
PREVIEW FIRST
Purge dry-run before any irreversible deletion
Before any purge executes, the system generates a full deletion manifest showing exactly how many rows will be deleted across every table. You review and confirm the manifest before the purge can proceed. This is enforced at the application layer — the confirm action is not available until the preview has been reviewed.

Sub-Processors

| Provider | Role | Location |
|---|---|---|
| Supabase | Database hosting — all operational data encrypted at rest | United States |
| Google (Gemini) | LLM processing — minimized metrics + memory summaries. Paid Services only. | United States |
| Railway | Agent execution & compute | United States |
| Vercel | Dashboard hosting — static frontend only | United States |

Security Questions

Questions about our security posture, data handling, or to request a Data Processing Agreement:
privacy@forgedynamicsai.com  ·  legal@forgedynamicsai.com

We respond within 30 days. Enterprise customers may request a negotiated DPA.