Security at every level of our organization and product development.

Compliant with the highest standards
Forethought is independently audited and certified to meet compliance standards for security, availability, and confidentiality. We are compliant with ISO 27001 and certified for SOC 2.
Data encryption and processing
Your data is encrypted at rest and protected by TLS in transit. We manage our production secrets with AWS tools. Our Data Processing Agreement (DPA) reflects the requirements of the GDPR and CCPA.
Rigorous product design
We prioritize compliance with all relevant data protection laws. Our projects undergo security-design reviews, threat models, and regular pen tests with trusted security vendors.
Trained at all levels
Every one of our employees is trained in the latest privacy and security measures. Our engineers receive additional specialized security training.
Integrated oversight
We’ve appointed a dedicated Data Protection Officer to oversee our ongoing compliance efforts and other security-related measures.

Frequently Asked Questions

Is sensitive data (ex: PII, PHI, etc.) captured or stored with Forethought?

Forethought's services operate effectively without requiring personal data. For all data captured, Forethought carefully uses automation to redact sensitive data elements, such as Personally Identifiable Information (PII), Protected Health Information (PHI), and financial records (such as bank and credit card information), during the ingestion process in a secure environment. Once the redaction process is completed, the original data is securely deleted within 24 hours. While we make every effort to ensure that all sensitive data elements are removed, the redaction mechanisms are provided on a best effort basis. The final data used by Forethought should not contain any sensitive data elements.

Are you FedRAMP compliant?

We are not FedRAMP compliant, but we have a SOC 2 audit report with controls aligned with the NIST 800-53 Moderate level. In addition, the services are built on AWS, which is FedRAMP Moderate authorized.

Are you HIPAA Compliant?

Forethought's controls and processes are aligned with the HIPAA requirements, as demonstrated in the HIPAA Audit Report (Report on Compliance with the HIPAA Security, Breach Notification, and Privacy Requirements). As required by OCR, all applicable entities (covered entities and business associates) should follow the Minimum Necessary Requirements set forth in 45 CFR 164.502(b) and 164.514(d), and should not send PHI data to Forethought if it is not required.

Did we not answer your question?

We have a list of all our questions in this section of the Trust page. You can find more detailed information about Forethought’s architecture, security policies, and other technical information in the documents section.

You can also contact us at support@forethought.ai or reach out to your sales executive or customer success manager.

Our vulnerability disclosure and reward program

Forethought maintains a private, invite-only bug bounty program, with the assistance of HackerOne. Invited researchers are eligible for a payment. Those who were not invited to the program may still submit a security bug or vulnerability to security+bbp@forethought.ai.

Still have more questions about security at Forethought?

We’d love to answer them; feel free to contact us or email us at security@forethought.ai.
Visit Our Trust Center