Where Pyract Forge stands today
Forge is in pre-pilot stage. The architecture and controls described below are implemented in code; formal third-party attestations (SOC 2, ISO 27001) are on the roadmap and will be pursued in conjunction with our first paying customer. We're transparent about what's done versus planned.
Authentication & identity
- Password storage: bcrypt with cost factor 10. Plaintext passwords are never stored or logged.
- Session tokens: JWT-backed sessions via Auth.js v5, signed with a per-tenant secret rotated independently of customer credentials.
- Enterprise SSO: SAML 2.0 federation supported. Customers using Microsoft Entra ID, Okta, ADFS, or any standards-compliant IdP can plug Forge into their existing identity infrastructure. We do not store passwords for federated users.
- MFA: Inherited from the customer's IdP when SSO is enabled. Customers using their own AD can enforce existing MFA policies (e.g. Duo, Microsoft Authenticator) without us touching it.
- Role-based access control: Three roles — technician, payroll, admin — derived from group membership in the customer's directory. Server-side checks on every protected request; the client never holds privileged data it isn't authorized to see.
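As an added illustration (example code, not Pyract Forge's own implementation), the following shows one way the role derivation and server-side check described above can work: directory group names arriving in the SAML assertion are mapped to the three Forge roles, and every protected request is authorized on the server from the verified session alone, deny-by-default. The group names, the permission table and the session shape are assumptions for illustration.

```javascript
// Added example, not Pyract Forge's code. Group names, the permission table
// and the session/request shapes are assumptions for illustration.

// Assumed mapping from IdP group names (as delivered in the SAML assertion)
// to Forge roles. Groups not listed here confer no role at all.
const GROUP_TO_ROLE = {
  "forge-admins": "admin",
  "forge-payroll": "payroll",
  "forge-technicians": "technician",
};

// Assumed permission table: which roles may perform which action.
// Deny is the default: an action absent from this table is never allowed.
const PERMISSIONS = {
  "timesheet:submit": ["technician", "payroll", "admin"],
  "timesheet:approve": ["payroll", "admin"],
  "payroll:export": ["payroll", "admin"],
  "tenant:settings": ["admin"],
};

const ROLE_RANK = { technician: 1, payroll: 2, admin: 3 };

// Derive the single effective role: the highest-ranked role that any of the
// user's directory groups maps to. Returns null when no group maps to a role,
// so a user who was removed from all Forge groups loses access immediately.
function deriveRole(groups) {
  let best = null;
  for (const g of groups) {
    const role = GROUP_TO_ROLE[g];
    if (role && (best === null || ROLE_RANK[role] > ROLE_RANK[best])) best = role;
  }
  return best;
}

// Server-side check run for every protected request. The decision depends only
// on the session the server verified and on the requested action and tenant,
// never on a role the client asserts about itself.
function authorize(session, action, tenantId) {
  if (!session || !session.userId) return { allowed: false, reason: "unauthenticated" };
  if (session.tenantId !== tenantId) return { allowed: false, reason: "cross-tenant" };
  const role = deriveRole(session.groups || []);
  if (role === null) return { allowed: false, reason: "no-role" };
  const allowedRoles = PERMISSIONS[action];
  if (!allowedRoles) return { allowed: false, reason: "unknown-action" };
  if (!allowedRoles.includes(role)) return { allowed: false, reason: "forbidden", role };
  return { allowed: true, role };
}
```

Because `authorize` is the only path to a protected resource, the client can be given exactly the data the decision permits and nothing else; a request for an action that is not in the permission table fails closed rather than falling through to some default role.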
Encryption
- In transit: TLS 1.2+ everywhere. HSTS enabled with one-year max-age and includeSubDomains. Certificates issued and rotated automatically via Let's Encrypt.
- At rest: Database storage uses AES-256 disk encryption provided by the underlying cloud provider. Application-level encryption for credential material (SAP/FSM client secrets, etc.) using authenticated encryption with per-tenant keys.
- Backups: Encrypted at the same standard as primary storage. Backup keys are managed separately from application secrets.
Hosting & data residency
- Default region: Canadian customers' data is hosted in Canada (British Columbia region). Multi-region options available for global organizations.
- Tenant isolation: Logically separated by tenant ID at the database row level, with row-level security policies enforced server-side. Enterprise tier offers dedicated database instances.
- No third-party trackers: No Google Analytics, Hotjar, or behavioural tracking on the application. The marketing site at forge.pyract.com is self-hosted with no analytics or cookies beyond what your browser sets.
Data handling
- Data minimization: We collect only what's needed to operate the product — employee identifiers, hours worked, expense totals. We do not collect SINs or banking information.
- Data ownership: Customer data remains the customer's property. Forge processes data on behalf of the customer; we do not sell, rent, or use customer data for our own purposes.
- Data export & deletion: Customers can export their data in standard formats (CSV, Excel, JSON) at any time. On contract termination, customer data is deleted from production within 30 days and from backups within 90 days.
- Audit log: Every authenticated write and every external system sync is recorded with user, timestamp, IP, and resource. Logs are retained for the duration of the contract.
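To make the audit-log item concrete, here is an added example (not Pyract Forge's code) of building the record described above, with user, timestamp, IP and resource, for every authenticated write and every external system sync, and serializing it as one JSON line of the kind a SIEM stream would carry. The request shape, the trusted-proxy address and the event fields beyond the four the page names are assumptions for illustration.

```javascript
// Added example, not Pyract Forge's code. The request shape, the trusted
// proxy list and the extra event fields are assumptions for illustration.

// Constructed address of the reverse proxy that fronts the application.
const TRUSTED_PROXIES = new Set(["10.0.0.5"]);

// Determine the client IP to record. X-Forwarded-For is client-controlled
// text, so it is only consulted when the connection actually came from a
// trusted proxy, and then the last entry is used: that is the one the proxy
// itself appended, while earlier entries may have been supplied by the client.
function clientIp(req) {
  const xff = req.headers && req.headers["x-forwarded-for"];
  if (xff && TRUSTED_PROXIES.has(req.socketAddress)) {
    const hops = xff.split(",").map((s) => s.trim()).filter(Boolean);
    if (hops.length > 0) return hops[hops.length - 1];
  }
  return req.socketAddress;
}

// Only non-read methods count as writes for audit purposes.
function isWrite(req) {
  return !["GET", "HEAD", "OPTIONS"].includes((req.method || "").toUpperCase());
}

// Build an audit event. `kind` is "write" for a user-initiated change or
// "sync" for an external system sync; both carry the same four core fields.
function auditEvent(kind, req, session, resource, outcome, now = new Date()) {
  if (!session || !session.userId) throw new Error("audit requires an authenticated user");
  if (!["write", "sync"].includes(kind)) throw new Error(`unknown audit kind: ${kind}`);
  if (!resource) throw new Error("audit requires a resource");
  return {
    ts: now.toISOString(),   // UTC timestamp
    kind,
    user: session.userId,
    tenant: session.tenantId,
    ip: clientIp(req),
    method: req.method,
    resource,
    outcome,                 // e.g. "ok" or "denied"; assumed vocabulary
  };
}

// One JSON object per line: appendable, greppable, and easy to ship to a SIEM.
function toJsonLine(event) {
  return JSON.stringify(event) + "\n";
}

// Request-handling wrapper: audits every authenticated write, leaves reads alone.
function recordIfWrite(req, session, resource, outcome, sink) {
  if (!isWrite(req)) return null;
  const ev = auditEvent("write", req, session, resource, outcome);
  sink.push(toJsonLine(ev));
  return ev;
}
```

Recording the outcome as well as the request lets a denied write be found in the log, which is the event a reviewer most often wants when reconstructing an incident.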
Subprocessors
We use a small number of trusted subprocessors. The full current list is provided to customers under NDA on request. Notable categories:
- Cloud infrastructure: Tier-1 cloud provider with SOC 2 Type II and ISO 27001 attestations.
- Database hosting: Managed Postgres provider with at-rest encryption and point-in-time recovery.
- Email delivery: Transactional email only — operational notifications, not marketing.
Customers receive 30 days' notice of any subprocessor change.
Backups & recovery
- Backup frequency: Continuous transaction-log backups with point-in-time recovery to any second within the last 7 days; daily snapshots retained 30 days; monthly archives retained 12 months.
- RTO target: 4 hours (recovery time objective).
- RPO target: 1 hour (recovery point objective).
- Disaster recovery testing: Backup restore is validated quarterly.
Incident response
If we identify a security incident affecting customer data, we will notify the affected customer's designated security contact within 72 hours of confirmation, in line with PIPEDA and GDPR notification timelines. Notifications include the nature of the incident, data involved, mitigation taken, and ongoing remediation steps.
Report a suspected vulnerability or incident at security@pyract.com. We respond to good-faith disclosures within two business days.
Compliance roadmap
- PIPEDA / GDPR / CCPA: Aligned today. We honour data subject access, correction, portability, and deletion requests via the customer's account or by contacting privacy@pyract.com.
- SOC 2 Type I: Targeted within 12 months of first paid customer.
- SOC 2 Type II: Targeted within 24 months of first paid customer.
- Penetration testing: Third-party annual pen test scheduled for the production environment, alongside SOC 2 prep.
Customer-controlled options
- Single sign-on: SAML to your IdP — recommended for all customers, included on the Standard tier.
- IP allowlist: Restrict admin access to corporate IP ranges. Available on Enterprise.
- Audit log export: Stream audit events to your SIEM via API. Available on Enterprise.
- Regional hosting: Choose a hosting region for data residency. Available on Enterprise.
Procurement & vendor questionnaires
For SIG Lite, CAIQ, or vendor security questionnaires, please contact security@pyract.com. Standard turnaround for completed questionnaires is five business days. We can also share our subprocessor list, recent backup-restore test results, and architecture overview under NDA.