Trust & Security

Last updated 26 June 2026

How we protect the data you and your customers entrust to Forj and Alloy.

EU-hosted (Stockholm) | Encrypted in transit & at rest | Row-level tenant isolation | GDPR-aligned | DPA on request

Hosting & data residency

Alloy runs on AWS, with primary data hosted in the EU (Stockholm, eu-north-1). Your CRM and pipeline data stays in the EU. Smith's AI reasoning runs on Amazon Bedrock in the EU (Stockholm, eu-north-1), so inference stays in-region.

Encryption

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256) by our infrastructure providers. Secrets and API keys are stored server-side only, never exposed to the browser.

Access control & tenant isolation

Each customer workspace (tenant) is isolated by row-level security (RLS) in the database: a user can only read the projects and records they are entitled to. Administrative writes run through controlled, service-side functions. No customer can see another customer's data.

Sub-processors

We use a small set of vetted sub-processors. Each is bound by its own data-processing terms. The current list:

Sub-processor       | Purpose                                                                   | Region
--------------------|---------------------------------------------------------------------------|----------------
Amazon Web Services | Hosting, deployment, AI inference (Amazon Bedrock), pricing & data APIs   | EU (Stockholm)
HubSpot             | CRM sync, only when a customer connects it                                | per HubSpot
OnePageCRM          | CRM sync, only when a customer connects it                                | per OnePageCRM
Recall.ai           | Meeting capture, only when a customer connects it                         | US

The authoritative, versioned list lives in our DPA & sub-processor list.

Your data rights

Data subjects can request access, correction, or deletion of their personal data. Inside Alloy, contacts and companies can be deleted (erasure) at any time. For formal requests, contact privacy@forj.se. See our Privacy Policy for the full detail.

GDPR alignment

Forj is a Swedish company and builds to GDPR. For business prospecting we rely on legitimate interest (documented), process only business-relevant data, honour data-subject rights, keep a sub-processor list, and offer a Data Processing Agreement to customers. We minimise what we collect and retain.

Certifications

We are GDPR-aligned today. ISO 27001 is on our roadmap. We are not yet certified, and we do not claim certifications we have not earned. This page will be updated as that progresses.

Responsible disclosure

Found a security issue? Email security@forj.se and we will respond promptly. Please give us reasonable time to remediate before any public disclosure.

This page describes our security posture in good faith and is provided for information; it is not a contract. Binding terms are in your agreement and our DPA.