Last Updated: March 27, 2026

Security Policy

At ProposalForge, we take the security of your data seriously. This page describes the technical and organizational measures we implement to protect your information, and how you can report potential vulnerabilities.

1. Our Commitment

ProposalForge is committed to protecting the security of your data. We implement industry-standard technical and organizational measures to safeguard the information you entrust to us. This page describes our security practices and how you can report vulnerabilities.

2. Data Encryption

Encryption at Rest

  • AES-256-GCM encryption for third-party integration tokens (QuickBooks, Stripe Connect credentials)
  • Database hosted on Neon PostgreSQL with encryption at rest

Encryption in Transit

  • TLS 1.2+ for all data transmitted between your browser and our servers
  • All database connections require SSL/TLS

Hashing

  • SHA-256 for IP addresses and device fingerprints — raw values are never stored or logged

3. Authentication & Access Control

Authentication Methods

  • Google OAuth 2.0 (delegated to Google's security infrastructure)
  • Passwordless magic link via email (Resend)

Session Management

  • Secure, HTTP-only session cookies via NextAuth
  • CSRF token protection on all authenticated requests
  • No passwords stored — we use token-based authentication exclusively

4. Role-Based Access Control (RBAC)

We enforce a four-tier permission model for organizations:

  • Owner — full control, billing, member management
  • Admin — manage members, all documents
  • Creator — create and manage own documents
  • Viewer — read-only access

All document operations verify user role and organization membership before execution.
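To show what "verify user role and organization membership before execution" looks like as a server-side check, here is an added example modelled on the four roles above (example code written for this page, not ProposalForge's own code). The action names, the data shapes and the rule that a Creator may only modify documents they own are assumptions; the role ordering follows the list above.

```javascript
// Added example, not ProposalForge's code: deny-by-default authorization for
// document operations using the four-tier role model.
const ROLE_RANK = { viewer: 0, creator: 1, admin: 2, owner: 3 };

// Assumed action catalogue. `ownOnlyBelow` means roles ranked below the named
// role may only perform the action on documents they own.
const ACTION_POLICY = {
  'document:read':   { minRole: 'viewer' },
  'document:create': { minRole: 'creator' },
  'document:update': { minRole: 'creator', ownOnlyBelow: 'admin' },
  'document:delete': { minRole: 'creator', ownOnlyBelow: 'admin' },
  'member:manage':   { minRole: 'admin' },
  'billing:manage':  { minRole: 'owner' },
};

// user: { userId, memberships: [{ orgId, role }] }
// resource: { orgId, ownerId? }
function authorize(user, action, resource = {}) {
  const policy = ACTION_POLICY[action];
  if (!policy) return { allowed: false, reason: 'unknown action' }; // deny by default

  // 1. Organization membership: the user must belong to the org owning the resource.
  const membership = user.memberships.find((m) => m.orgId === resource.orgId);
  if (!membership) return { allowed: false, reason: 'not a member of this organization' };

  // 2. Role check against the minimum role for the action.
  const rank = ROLE_RANK[membership.role];
  if (rank === undefined) return { allowed: false, reason: 'unknown role' };
  if (rank < ROLE_RANK[policy.minRole]) {
    return { allowed: false, reason: `requires role ${policy.minRole} or higher` };
  }

  // 3. Ownership: creators may only update or delete their own documents.
  if (policy.ownOnlyBelow && rank < ROLE_RANK[policy.ownOnlyBelow] && resource.ownerId !== user.userId) {
    return { allowed: false, reason: 'creators may only modify their own documents' };
  }
  return { allowed: true };
}

// Runs `operation` only after authorization passes; the check cannot be skipped
// by a caller because the operation is never reached otherwise.
function withAuthorization(user, action, resource, operation) {
  const decision = authorize(user, action, resource);
  if (!decision.allowed) throw new Error(`forbidden: ${decision.reason}`);
  return operation();
}
```

The membership lookup is keyed on the organization the document belongs to, not on an organization id supplied by the client, which is what stops a member of one organization from reaching another organization's documents.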

5. Fraud Prevention

  • FingerprintJS device fingerprinting detects multi-account abuse on the free tier
  • Fingerprints are hashed (SHA-256) before storage — we never store raw browser fingerprints
  • IP addresses are hashed before storage
  • Admin tools allow blocking suspicious fingerprints with documented reasons
  • Upstash Redis rate limiting prevents automated abuse (1-hour TTL windows)

6. Payment Security

  • All payment processing handled by Stripe (PCI DSS Level 1 certified)
  • Credit card numbers never touch our servers
  • Stripe Connect for invoice payments uses application-level fees with secure OAuth onboarding
  • Webhook payloads verified using cryptographic signatures before processing

7. Infrastructure

  • Hosted on Vercel (SOC 2 Type II compliant)
  • Database on Neon PostgreSQL (managed, encrypted at rest)
  • Rate limiting via Upstash Redis (serverless, encrypted)
  • Email delivery via Resend (TLS encrypted)

All infrastructure services maintain their own security certifications and compliance programs.

8. Third-Party Security

We carefully evaluate all third-party services:

  • Stripe — PCI DSS Level 1
  • Google — SOC 2/3, ISO 27001
  • Anthropic — Enterprise-grade AI security
  • Resend — SOC 2 Type II
  • Neon — SOC 2 Type II
  • Vercel — SOC 2 Type II

9. Data Minimization

  • We collect only what is necessary to provide the Service
  • IP addresses and fingerprints are hashed — raw values discarded
  • Plausible Analytics is cookieless and collects no personal data
  • Rate limit data (Upstash Redis) expires automatically with a 1-hour TTL
  • Integration tokens are encrypted and never returned to client applications

10. Incident Response

In the event of a security incident, our response process includes:

  • Detection and containment within hours
  • Notification to affected users within 72 hours of confirmed breach
  • Investigation and root cause analysis
  • Remediation and prevention measures
  • Post-incident report available to affected parties upon request

See our Data Processing Agreement (DPA) for contractual breach notification commitments.

11. Responsible Disclosure

If you discover a security vulnerability, please report it to legal@forgeproposals.com. Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact assessment

We ask that you:

  • Do not publicly disclose the vulnerability until we have addressed it
  • Do not access or modify other users' data
  • Do not perform denial of service attacks

We commit to:

  • Acknowledging your report within 48 hours
  • Providing regular updates on remediation progress
  • Crediting you (if desired) when the vulnerability is resolved

ProposalForge

Florida, USA

legal@forgeproposals.com