Security Overview

Your data security is our top priority. We built Fora with zero-retention architecture, enterprise-grade encryption, and defense-in-depth access controls.

Last updated: December 29, 2024

Zero-Retention Architecture

Fora is built with a fundamentally different approach to data handling. We never store the raw content of your emails, documents, or messages.

  • Just-in-time retrieval: When you ask a question, we fetch content from your connected services, process it, and discard it immediately after responding.
  • Embeddings only: We store vector embeddings (numerical representations) for semantic search, not actual text content.
  • Metadata and tasks: We store extracted tasks, timestamps, and thread references—never the underlying message bodies.
  • In-memory processing: Source content is streamed for analysis and discarded; no disk writes for raw data.

Encryption

All data is encrypted at rest and in transit:

  • Encryption at rest: AES-256 encryption for all stored data.
  • Encryption in transit: TLS 1.2+ enforced on all connections with HSTS headers.
  • OAuth token protection: Refresh tokens are encrypted with per-tenant key material and rotated every 90 days.
  • Enterprise CMEK: Customer-managed encryption keys available for Enterprise customers requiring crypto segregation.

Access Control

We implement defense-in-depth access controls:

  • OAuth-only authentication: Login exclusively via Google Workspace SSO with limited read-only scopes.
  • Role-based access: Workspace roles (Owner, Admin, Member) with least-privilege principles.
  • Tenant isolation: PostgreSQL row-level security (RLS) enforced on every tenant-scoped table, ensuring complete data separation.
  • No shared access: Fora employees cannot access customer data without explicit permission and audit logging.

Infrastructure Security

Our infrastructure is designed for security and reliability:

  • Private VPC: The application runs in an isolated VPC with subnet separation between the app, data, and analytics planes.
  • Infrastructure: Hosted on Hivelocity bare-metal infrastructure with enterprise-grade physical security.
  • DDoS protection: Cloudflare edge network for CDN and attack mitigation.
  • Private connectivity: VPC peering and Private Service Connect available for enterprise customers.

AI & Third-Party Data Handling

We use commercial AI providers with strict data handling agreements:

  • No training on your data: AI providers (Anthropic, OpenAI) have enterprise agreements prohibiting use of customer data for model training.
  • Zero data retention: AI providers do not retain prompts or responses beyond immediate processing.
  • Metadata only: We log only metadata (token counts, model used) in our systems, not prompt content.

See our sub-processor list for all third parties that process data.

Monitoring & Incident Response

We maintain comprehensive security monitoring:

  • Audit logging: Every retrieval, task mutation, and assistant command is logged with user, source, and purpose.
  • Anomaly detection: Real-time monitoring for unusual access patterns or data volumes.
  • Incident response: 24/7 on-call with documented runbooks and customer notification within 24 hours for material incidents.

Compliance

SOC 2 Type I

In progress. Target completion Q2 2025, with Type II within 12 months and continuous controls monitoring.

GDPR

Data processing agreements available. We support all EU data subject rights including access, erasure, and portability.

Google CASA Tier 2

Cloud Application Security Assessment for restricted OAuth scopes, validating our security controls for Google Workspace integration.

We support customer DPIAs and vendor security questionnaires. Contact security@fora.is for security documentation.

Security Contact

To report a security vulnerability or request security documentation:

security@fora.is

We respond to security inquiries within 24 hours. For responsible disclosure, please include steps to reproduce and allow us reasonable time to address issues before public disclosure.