Forecastle holds the most sensitive numbers in your business: salaries, margins, forward forecasts. We architect around that. Schema-per-tenant isolation, AES-256 at rest, TLS 1.2+ in transit, full audit trail on every change, and zero AI training on customer data.
Every customer gets a dedicated Postgres schema. A SQL bug in one tenant cannot see another tenant's tables — it's not a column filter, it's a different namespace at the database layer. Most FP&A vendors run shared-schema with a tenant_id column; we don't, on purpose.
TLS 1.2+ on every connection, no plaintext fallback. Postgres-at-rest encrypted with AES-256. OAuth tokens encrypted in the database with a separate key. Backups encrypted with the same standard as production.
We pull from Xero / QuickBooks; we don't write back unless you explicitly enable it. You hold the OAuth token — revoke from inside Xero or QBO any time and we instantly lose access. No "copy of your data forever" problem.
Every change to every cell, every dim mutation, every plan switch, every login is logged with attribution (user, time, before/after value). Surfaced in the app under Settings → Audit. We use this internally and you can too — export for SOX-style review whenever you need it.
Percival (our AI assistant) does not train on customer data. Prompts to model providers (Anthropic) include only the rows needed to answer your question, never your full cube. We have an explicit zero-retention agreement with our model provider.
Percival's system prompt enforces them: no deletes, no schema changes, no cross-tenant access, no plan escalation, no security overrides. When he can't safely resolve something, he escalates to a human — never improvises.
Two companion documents, both branded PDFs, both designed to be attached to procurement's vendor record without further explanation. Drop them on a Trello card, send them to legal, attach them to a Drata / Vanta evidence request — they answer the questions that get asked.
How the Service is architected, encrypted, isolated, audited and retired. The full controls map.
What Forecastle commits to on uptime, support response and incident notification — and what you get back if we miss.
Also at /security/subprocessors/ — the live GDPR Article 28 subprocessor list. Updated when our infrastructure changes; notified to customers 30 days before any addition that handles personal or financial data.
Primary region is US-East (Render / AWS us-east-1). EU-region hosting is available on Advanced for customers with data-residency requirements. Database is managed Postgres with automated daily backups, point-in-time recovery to any minute in the prior 7 days.
Type I attestation is in progress. We do not claim SOC 2 compliance until the report is in hand. Our security posture is built around the SOC 2 Common Criteria today — the report is the third-party validation, not the controls themselves. Happy to share our roadmap and current control set on request.
Yes. Standard GDPR Article 28 template, we sign as Processor. Email security@forecastle.app and we'll send a signed copy within one business day.
Export every sheet, report, and the full cube to Excel from inside the product before you cancel — takes one click per workspace. After cancellation we hold your data for 30 days (in case you reactivate), then it's purged from production and backups within 90 days. Written confirmation of deletion available on request.
Production database access is restricted to the founder. There is no customer-support tier with read access to your cube. When you raise a support issue we ask you to share a specific export or screenshot — we don't browse your data to "look into it" without explicit consent on the ticket.
Annual third-party penetration test against the application and infrastructure. Summary letter available under NDA to prospects evaluating a contract; redacted findings + remediation timeline available without NDA.
Security incident commitment: initial notification to affected customers within 24 hours of confirmed incident, written summary within 72 hours, post-incident review within 14 days. Subscribe to status.getforecastle.com for live availability and incident updates.
For security questions, DPA requests, pen-test summaries, or incident reports:
Responsible disclosure: report vulnerabilities to the same address. We commit to acknowledge within one business day and to keep you informed through remediation. We do not currently run a paid bug bounty but we do publicly credit researchers who report in good faith.