Forethought's services operate effectively without requiring personal data. For all data captured, Forethought carefully uses automation to redact sensitive data elements, such as Personally Identifiable Information (PII), Protected Health Information (PHI), and financial records (such as bank and credit card information), during the ingestion process in a secure environment. Once the redaction process is completed, the original data is securely deleted within 24 hours. While we make every effort to ensure that all sensitive data elements are removed, the redaction mechanisms are provided on a best effort basis. The final data used by Forethought should not contain any sensitive data elements.
We are not FedRAMP compliant, but we have a SOC 2 audit report with controls aligned with the NIST 800-53 Moderate baseline. In addition, the services are built in AWS, which is FedRAMP Moderate authorized.
Forethought's controls and processes are aligned with the HIPAA requirements, as demonstrated in the HIPAA Audit Report (Report on Compliance with the HIPAA Security, Breach Notification, and Privacy Requirements). As required by OCR of all applicable entities (Covered Entities and Business Associates), customers should follow the Minimum Necessary requirements set forth in 45 CFR 164.502(b) and 164.514(d), and not send PHI data to Forethought if it is not required.
We have a list of all our questions in this section of the Trust page. You can find more detailed information about Forethought's architecture, security policies, and other technical information in the documents section.
You can also contact us at support@forethought.ai or reach out to your sales executive or customer success manager.
Forethought maintains a private, invite-only bug bounty program, with the assistance of HackerOne. Invited researchers are eligible for a payment. Those who were not invited to the program may still submit a security bug or vulnerability to security+bbp@forethought.ai.