Last updated: July 2026
ContractForgeAI is built for government contractors handling sensitive business information, so security isn't an afterthought — it's built into how every product in the suite (Opportunity Forge, RFP Forge, Talent Intel, and Vantage) stores, isolates, and processes your data. This page describes our actual current practices. Where we're still working toward a formal certification rather than holding one today, we say so directly.
Every company's data — proposals, past performance records, candidate information, pipeline data — is isolated at the database level using row-level security policies scoped to your company account. Access is enforced server-side on every request; no client can read or write another company's data by design, not just by convention.
Sensitive files — résumés, proposal documents, past performance records — are stored in private, access-controlled storage and served only through short-lived, per-request signed URLs to authorized users. Only non-sensitive, intentionally public assets (company logos used in embedded branding) are served without authentication.
Every API route authenticates the request from the user's session — never from client-supplied identifiers — and scopes every query to that user's company. Passwords are stored as salted hashes; we never store or transmit them in plain text. All traffic is encrypted in transit via TLS.
Security-relevant events — authentication, membership and role changes, and administrative actions — are recorded in an append-only audit log that cannot be modified or deleted through the application, including by administrators.
We are actively building toward formal SOC 2 Type II attestation. Our data isolation, storage, and audit logging practices above are designed with SOC 2's Trust Services Criteria in mind, but until an independent audit report exists, no certification should be inferred. Similarly, our architecture is designed with NIST SP 800-171 controls in mind for handling Controlled Unclassified Information (CUI); we have not completed a CMMC assessment, and do not represent that we hold a CMMC certification.
If you believe you've found a security vulnerability in the ContractForgeAI platform, please report it to security@contractforgeai.com. We ask that you give us a reasonable opportunity to investigate and address the issue before any public disclosure, and we will not pursue legal action against good-faith security research conducted under this policy.
For security questionnaires, vendor risk assessments, or other security-related questions from your own compliance team, contact security@contractforgeai.com.