Security at every level of our organization and product development
Frequently Asked Questions
Forethought's services operate effectively without requiring personal data. For all data captured, Forethought carefully uses automation to redact sensitive data elements, such as Personally Identifiable Information (PII), Protected Health Information (PHI), and financial records (such as bank and credit card information), during the ingestion process in a secure environment. Once the redaction process is completed, the original data is securely deleted within 24 hours. While we make every effort to ensure that all sensitive data elements are removed, the redaction mechanisms are provided on a best effort basis. The final data used by Forethought should not contain any sensitive data elements.
Forethought is not currently FedRAMP certified; however, our security controls are aligned with NIST 800-53 standards as demonstrated through our annual SOC 2 Type II audits. We operate on AWS infrastructure that maintains FedRAMP Moderate authorization, leveraging a shared responsibility model where AWS provides FedRAMP-compliant physical and infrastructure security while Forethought implements application-level security controls aligned with federal standards.
Forethought's solution is not in scope for FedRAMP authorization based on section 7 of the FedRAMP authorization boundary guidance. This guidance specifies that corporate services are outside of the FedRAMP boundary if they do not contain federal data or unauthorized metadata. For corporate systems processing or storing federal metadata (indirect impact), Forethought owns and operates the system and attests that our security controls meet the requirements outlined in NIST SP 800-171 or at an equivalent security level. Additionally, Forethought de-identifies sensitive data elements and aligns with the de-identification standards from NIST SP 800-188, allowing it to be classified as handling Corporate and Non-Impact Data or Federal metadata/Low and Limited-Impact Data. Therefore, Forethought can be considered outside the authorization boundary per current FedRAMP PMO guidance. Forethought recommends that customers consult with their FedRAMP 3PAO (Third Party Assessment Organization) to obtain formal guidance and confirmation, as the above guidance is based on Forethought's internal interpretation and experience with other customers.
Forethought's controls and processes are aligned with the HIPAA requirements, as demonstrated in the HIPAA Audit Report (Report on Compliance with the HIPAA Security, Breach Notification, and Privacy Requirements). As required by OCR, all applicable entities (Covered Entities and Business Associates) should follow the Minimum Necessary Requirements set forth in 45 CFR 164.502(b) and 164.514(d), and should not send PHI data to Forethought unless it is required.
We have listed all of our questions in this section of the Trust page. You can find more detailed information about Forethought's architecture, security policies, and other technical information in the documents section.
You can also contact us at support@forethought.ai or reach out to your sales executive or customer success manager.
Our vulnerability disclosure and reward program
Forethought maintains a private, invite-only bug bounty program, with the assistance of HackerOne. Invited researchers are eligible for a payment. Those who were not invited to the program may still submit a security bug or vulnerability to security+bbp@forethought.ai.