Security Policy

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Forethought takes trust very seriously and has systems and procedures in place to protect access to customer accounts and customer data stored in Forethought’s platform. These technical and organizational measures provide an overview of Forethought’s data security practices and procedures. Forethought has built programs and mechanisms to align with industry standards on security and privacy. A detailed list of the security and privacy controls is described in the SOC2 Type II audit report, with mappings to ISO 27001, NIST 800-53 (Moderate level), and GDPR security requirements; this report is available upon request to valid customers.

Architecture

Forethought Platform is built on Amazon Web Services, Inc. (“AWS”). Forethought has implemented the security best practices suggested by AWS and industry standard practices, and continues to advance these practices to ensure the confidentiality, integrity and availability of customer data. Information about security and privacy-related audits and certifications received by AWS, including information on ISO 27001 certification and Service Organization Control (SOC) reports, is available from the AWS Security Website and the AWS Compliance Website. Details on AWS’s security program can be found in the AWS Security Overview.

Data Segmentation

Data is logically and securely segregated between all customers at each infrastructure layer using mechanisms such as unique per-customer IDs that restrict access to and processing of data. This functionality has been designed and is robustly tested on an ongoing basis by Forethought, customers, and third parties.

Redaction of Sensitive Data

For all data captured, Forethought Platform redacts sensitive data elements such as Personally Identifiable Information (PII), Protected Health Information (PHI), and financial records (i.e., bank and credit card information) during the ingestion process. Forethought has two redaction mechanisms: (1) the first layer uses machine learning techniques to identify sensitive data; (2) the second layer uses manual regex rules curated by Forethought based on general usage of sensitive data elements. All redaction mechanisms are on a best-effort basis.
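The following is an added illustration of the second, rule-based layer described above; it is example code written for this page, not Forethought’s redaction engine, and the rule set, rule names and sample ticket text are all constructed. It shows why regex rules alone are best effort: a Luhn checksum is used so that digit runs that merely resemble card numbers are left alone, but a card number written with an unusual separator, or a number embedded in a longer non-Luhn digit run, would be missed by these rules and has to be caught by the machine-learning layer or not at all.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: "re.Pattern[str]"
    # Optional post-match validator; a match that fails it is left untouched.
    validate: Optional[Callable[["re.Match[str]"], bool]] = None


# Hypothetical rule set, ordered so that the longest digit runs (cards) are
# handled before shorter patterns (SSN, phone) can partially match inside them.
RULES: List[Rule] = [
    Rule(
        "CARD",
        re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)"),
        validate=lambda m: luhn_valid(re.sub(r"[ -]", "", m.group())),
    ),
    Rule("SSN", re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")),
    Rule(
        "PHONE",
        re.compile(r"(?<!\d)(?:\+?1[-. ]?)?(?:\(\d{3}\)|\d{3})[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    ),
    Rule("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
]


def redact(text: str, rules: List[Rule] = RULES) -> Tuple[str, Dict[str, int]]:
    """Apply every rule in order and return (redacted text, per-rule hit counts).

    Only counts are returned, never the matched values, so the audit trail
    produced by the redactor cannot itself become a store of sensitive data.
    """
    hits: Counter = Counter()

    def make_replacer(rule: Rule) -> Callable[["re.Match[str]"], str]:
        def _replace(m: "re.Match[str]") -> str:
            if rule.validate is not None and not rule.validate(m):
                return m.group()  # looks like the pattern but fails validation: keep
            hits[rule.name] += 1
            return f"[{rule.name} REDACTED]"
        return _replace

    for rule in rules:
        text = rule.pattern.sub(make_replacer(rule), text)
    return text, dict(hits)


# Constructed sample ticket text; none of these values belong to a real person.
# The second 16-digit run fails the Luhn check and is deliberately left in place.
SAMPLE_TICKET = (
    "Hi, my card 4111 1111 1111 1111 was charged twice. "
    "Reach me at jane.doe@example.com or 555-123-4567. "
    "Order ref 1234 5678 9012 3456 is not a card number. "
    "SSN on file: 123-45-6789."
)

if __name__ == "__main__":
    clean, counts = redact(SAMPLE_TICKET)
    print(clean)
    print(counts)
```

Running the block on the constructed ticket redacts the card number, e-mail address, phone number and SSN while leaving the order reference untouched, and reports one hit per rule. Because the redactor runs at ingestion, the hit counts are what a team would feed into monitoring; the matched values themselves are never written anywhere.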

Web Application Attacks and DDoS

Forethought Platform leverages the AWS platform’s protection against various kinds of application attacks. Forethought utilizes Cloudflare’s WAF solution to protect against common and advanced web exploits that could affect Forethought Platform’s availability and security. Services, protocols, and ports are restricted to only those required to run the service. In addition, Cloudflare is utilized to help prevent DDoS attacks, and the Security team continuously monitors traffic to detect anomalies in traffic behavior, so as to catch attacks not blocked or detected by Cloudflare.

Intrusion Detection

Forethought reviews logs for security- and performance-related events. Forethought will continuously monitor the Services for unauthorized intrusions and other malicious activities, leveraging industry standard tools. All events and incidents are closed out upon completed review.

Incident Management

Forethought maintains security incident management policies and procedures. In addition, procedures and processes are in place to perform forensic analysis of a Security Breach if one were to occur. Breach notification to impacted customers is within 72 hours of Forethought becoming aware of a Security Breach (or sooner if feasible).

Vulnerability Scans

Frequent vulnerability scans are performed. Any discovered security issue is logged in the vulnerability management process and remediated as deemed appropriate based on a risk assessment of the vulnerability.

Access Management

Access management controls are enforced to prevent unauthorized access to customer data. Two-factor authentication (2FA) is enabled for all accounts with access to Forethought’s internal systems. Below are some of the controls in place:

  • Each individual shall have a unique identifier (User ID) to log in to the system.
  • Each individual shall be authenticated for accessing the system resource.
  • The User ID shall be de-provisioned within 24 hours of the last working day.
  • Access rights for User IDs shall be restricted to least privileges necessary to perform job responsibilities.

Access to the Forethought system is automatically revoked based on inactivity after a defined timeframe to reduce risk exposure and enforce the policy of least privilege access. In addition, frequent reviews are completed to ensure access is aligned with our least privilege access policy.
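As an added example of the kind of periodic access review the controls above call for, the script below checks a snapshot of accounts against three of them: de-provisioning within 24 hours of the last working day, revocation after a period of inactivity, and least privilege relative to a role baseline. It is illustrative code written for this page, not Forethought’s tooling; the 24-hour window comes from the policy text, while the 90-day inactivity limit, the job functions, the role baselines and the account records are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional

# Policy values. The 24-hour de-provisioning window is from the policy text;
# the inactivity limit and role baselines are assumptions for this example.
DEPROVISION_WINDOW = timedelta(hours=24)
INACTIVITY_LIMIT = timedelta(days=90)
ROLE_BASELINE: Dict[str, FrozenSet[str]] = {
    "support-engineer": frozenset({"ticket-read", "ticket-write"}),
    "sre": frozenset({"ticket-read", "prod-deploy", "prod-logs-read"}),
}


@dataclass(frozen=True)
class Account:
    user_id: str  # one unique identifier per individual
    job_function: str
    active: bool
    roles: FrozenSet[str]
    last_login: Optional[datetime]
    termination_date: Optional[datetime] = None


def review_access(accounts: List[Account], now: datetime) -> Dict[str, List[str]]:
    """Return {user_id: [findings]} for every active account that violates a control.

    Findings:
      DEPROVISION_OVERDUE  - terminated more than DEPROVISION_WINDOW ago, still active
      INACTIVE_REVOKE      - no login within INACTIVITY_LIMIT (or never logged in)
      EXCESS_PRIVILEGE:<r> - holds role <r> outside the baseline for its job function
    """
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.active:
            continue  # already de-provisioned; nothing to review
        issues: List[str] = []
        if acct.termination_date is not None and now - acct.termination_date > DEPROVISION_WINDOW:
            issues.append("DEPROVISION_OVERDUE")
        elif acct.last_login is None or now - acct.last_login > INACTIVITY_LIMIT:
            issues.append("INACTIVE_REVOKE")
        baseline = ROLE_BASELINE.get(acct.job_function, frozenset())
        for role in sorted(acct.roles - baseline):
            issues.append(f"EXCESS_PRIVILEGE:{role}")
        if issues:
            findings[acct.user_id] = issues
    return findings


# Constructed review snapshot with a fixed "now" so the result is reproducible.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", "support-engineer", True, frozenset({"ticket-read", "ticket-write"}),
            NOW - timedelta(days=2)),
    Account("bob", "support-engineer", True, frozenset({"ticket-read"}),
            NOW - timedelta(days=120)),  # dormant
    Account("carol", "sre", True, frozenset({"ticket-read", "prod-deploy"}),
            NOW - timedelta(days=5), termination_date=NOW - timedelta(days=3)),  # left 3 days ago
    Account("dave", "support-engineer", True,
            frozenset({"ticket-read", "ticket-write", "prod-db-admin"}),
            NOW - timedelta(days=1)),  # role outside the baseline
    Account("erin", "sre", False, frozenset(), None,
            termination_date=NOW - timedelta(days=10)),  # correctly de-provisioned
    Account("frank", "sre", True, frozenset({"prod-logs-read"}),
            NOW - timedelta(hours=1), termination_date=NOW - timedelta(hours=2)),  # inside window
]

if __name__ == "__main__":
    for user, issues in review_access(SAMPLE_ACCOUNTS, NOW).items():
        print(user, ", ".join(issues))
```

On the constructed snapshot the review flags bob for inactivity, carol for an overdue de-provisioning, and dave for a role outside his job function’s baseline; frank, whose last working day was two hours ago, is still inside the 24-hour window and is not flagged. In a real review the snapshot would come from the identity provider, and an overdue de-provisioning finding should feed an alert rather than a report, since it represents live access that the policy says should no longer exist.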

Endpoint Security

Forethought user endpoints are managed to follow industry standards on security. In addition, policies and technical mechanisms are in place to restrict access to customer data from only Forethought managed endpoints.

Security Logs

Logs from all systems which provide services to Forethought’s platform are sent to a centralized logging service (for network systems) to enable security reviews and analysis for security events such as intrusions and threats. Alerts are correlated and enriched with threat intelligence from the industry.

Physical Security

Production data centers used for Forethought Platform have access system controls in place. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, are secured by around-the-clock guards, two-factor access screening, and escort-controlled access, and are also supported by on-site back-up generators in the event of a power failure. Further information about physical security provided by AWS is available in the AWS Compliance site.

Reliability and Backup

All customer data entered into Forethought’s Services, up to the last committed transaction, is automatically replicated on a near-real-time basis at the database layer and is backed up regularly on secure, encrypted, and redundant storage.

Disaster Recovery

Forethought operates Forethought Platform in the AWS Oregon region and maintains reserved instances in the AWS N. Virginia region as a backup in case the Oregon region fails. Forethought currently has business continuity and disaster recovery plans with the following target recovery objectives:

  • Restoration of service within 12 hours (Recovery Time Objective)
  • Maximum customer data loss of 4 hours (Recovery Point Objective)

Forethought’s platform provider, AWS, utilizes disaster recovery facilities that are geographically diverse from its primary data centers, along with the required hardware, software, and Internet connectivity, in the event production facilities at the primary data centers were to be rendered unavailable. AWS has disaster recovery plans in place and tests them at least once per year. The scope of the disaster recovery exercise is to validate the ability to fail over a production instance from the primary data center to a secondary data center utilizing developed operational and disaster recovery procedures and documentation.

Viruses / Malware Protection

Forethought leverages AWS practices and software to limit the risk of exposure to software viruses, malware and known indicators of compromise. In addition, Forethought uses the latest Amazon Machine Images (AMIs), which are hardened against industry standards. The entire system is constructed in an isolated environment and is not a general-purpose computer with new software periodically loaded that may introduce malicious code. In addition, Forethought has enabled software composition analysis (SCA) tools to help detect vulnerabilities in our systems.

Secure Development

Forethought has policies and mechanisms to enable developers to identify security issues (security bugs, third party vulnerabilities, misconfigurations, etc.) in the development process with tools such as software composition analysis (SCA) and static application security testing (SAST). The tools complete automated scans on each change and provide Forethought with information and guidance on how to remediate the issues before deployment. In addition, all changes are peer reviewed for alignment with defined secure software development practices.

Data Encryption

All data in transit is encrypted using TLS, and data at rest is encrypted using one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256).

Infrastructure as Code

Forethought infrastructure is built using infrastructure-as-code frameworks to automate the build and scaling of the production workload. This approach removes human error from manual configuration and tuning of the infrastructure. All code is scanned and reviewed for security and performance impacts before deployment. Forethought has deployed tools to detect drift and misconfiguration in the code configurations.

Deletion of Customer Data

Upon termination of a customer account for any reason (such as account termination, nonpayment, or customer deletion of the account), Customer Data will be deleted within 1 week of a complete and verified customer request, and the data is purged 30 days after Forethought acknowledges the data deletion. This process is subject to applicable legal requirements. Customer data includes document content and associated metadata. Once data has been requested for deletion, it is securely deleted in AWS; AWS decommissions media using techniques detailed in NIST 800-88 (Guidelines for Media Sanitization).

Security Assessments

Forethought maintains a bug bounty program to conduct frequent security reviews of the application and infrastructure by top security researchers, with the objective of identifying security bugs or misconfigurations that would have a material impact on Forethought’s security controls.

Operational and Security Audits

Forethought completes annual audits against SOC2 and HIPAA security requirements; attestation reports are available upon request to valid customers. The audits test the controls listed in the report and more. The SOC2 Trust criteria cover the following areas:

  • Security – The system is protected against unauthorized access (both physical and logical).
  • Availability – The system is available for operation and use as committed or agreed.
  • Confidentiality – Information that is designated “confidential” is protected according to applicable agreements.
