Most of the systems we build live inside your cloud account, not ours. That single architectural choice does most of the security work: your existing identity, networking, logging, and certifications already apply to everything we deploy. This page explains the controls we put in place on top of that, the deployment options we support, and what we do when a client sends us a security questionnaire.
ForthClover is not currently SOC 2 or ISO 27001 certified. Because every system we build runs inside your own cloud account, your existing certifications and controls apply to the deployment itself.
Where your data lives
By default, every engagement is deployed in your environment. Concretely, that means:
- Compute and storage live in your account. We deploy into your AWS, Azure, or GCP account, your VPC or VNet, and your existing IAM perimeter. We do not move your data into ForthClover-controlled infrastructure to do the work.
- Models run where your data is. When we use managed model providers, we route through your accounts (for example, Bedrock or Azure OpenAI in your tenant) so requests stay inside your cloud’s network and billing envelope.
- Prompts and completions are not used for training. We do not send your data to model providers under terms that permit training, and we configure providers to opt out of data retention where supported.
- Access ends with the engagement. When we wrap, we hand over keys, rotate any credentials we held, and remove ourselves from your accounts.
Controls we build in by default
The exact controls depend on what we are building, but the following are baseline expectations for every engagement unless an existing client standard already covers them.
Identity and access
- SSO via SAML 2.0 or OAuth 2.0 wherever the surface supports it.
- Integration with your existing directory (Okta, Entra ID, Google Workspace, etc.).
- Role-based permissions scoped to least privilege.
- MFA enforcement for any human or service account that touches production.
Audit and logging
- End-to-end audit trail of administrative actions.
- Structured logs forwarded to your SIEM or log lake.
- Real-time alerting for security-relevant events.
- Retention aligned with your compliance reporting cycle.
Data management
- Automated retention and deletion policies tied to your records schedule.
- Right-to-deletion workflows for GDPR / CCPA requests.
- Data residency control via region pinning.
- Encrypted backups using your KMS keys.
Environment isolation
- Private VPC or VNet with no unnecessary public endpoints.
- Network segmentation between data, compute, and admin tiers.
- Container and process isolation per workload.
- Zero-trust patterns between services within the deployment.
API and edge security
- API key rotation and scoped credentials.
- Rate limiting and quota enforcement on every external surface.
- DDoS protection through the cloud provider’s edge services.
- WAF integration for HTTP-facing systems.
Secure-by-default data flow
Every system we deliver follows the same three-stage treatment for data in motion:
- Input. TLS 1.3 in transit, schema-level input validation, and sanitization before any prompt is assembled.
- Processing. Isolated VPC inside your cloud, no persistent retention by default, and structured audit logging on every model call.
- Output. Output filtering and safety checks, optional PII masking, and access control at the response surface.
All of those flows happen inside your network. Prompts and completions are never used for model training without explicit, written agreement.
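As an added illustration, not ForthClover's own code, the following Python sketch shows the three stages as one request handler: schema validation and sanitization before the prompt is assembled, an audit entry per model call that records metadata rather than prompt content, and PII masking on the way out. The schema, the PII patterns, the in-memory audit log and the caller-supplied model function are all constructed for this example.

```python
import re
from typing import Any, Callable

# Constructed stand-ins: a fixed input schema, an in-memory audit log, and a
# model function supplied by the caller. In a deployment the audit entries
# would be serialized as structured log lines and forwarded to the SIEM.
INPUT_SCHEMA = {"user_id": str, "question": str}
MAX_QUESTION_LEN = 2000
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")  # keep \t and \n
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b"),
}
AUDIT_LOG: list[dict[str, Any]] = []

def validate_input(payload: dict[str, Any]) -> dict[str, str]:
    """Stage 1: enforce the schema, strip control characters, bound the length."""
    for key, typ in INPUT_SCHEMA.items():
        if not isinstance(payload.get(key), typ):
            raise ValueError(f"invalid or missing field: {key}")
    extra = set(payload) - set(INPUT_SCHEMA)
    if extra:
        raise ValueError(f"unexpected fields: {sorted(extra)}")
    question = CONTROL_CHARS.sub("", payload["question"]).strip()
    if not 0 < len(question) <= MAX_QUESTION_LEN:
        raise ValueError("question length out of bounds")
    return {"user_id": payload["user_id"], "question": question}

def call_model(clean: dict[str, str], model: Callable[[str], str]) -> str:
    """Stage 2: build the prompt only from validated fields; audit metadata, not content."""
    prompt = f"Answer the question from user {clean['user_id']}:\n{clean['question']}"
    completion = model(prompt)
    AUDIT_LOG.append({"event": "model_call", "user_id": clean["user_id"],
                      "prompt_chars": len(prompt), "completion_chars": len(completion)})
    return completion

def filter_output(completion: str, mask_pii: bool = True) -> str:
    """Stage 3: mask PII patterns before the response leaves the service."""
    if mask_pii:
        for label, pattern in PII_PATTERNS.items():
            completion = pattern.sub(f"[{label} redacted]", completion)
    return completion

def handle_request(payload: dict[str, Any], model: Callable[[str], str], mask_pii: bool = True) -> str:
    """Run the three stages in order; a validation failure never reaches the model."""
    return filter_output(call_model(validate_input(payload), model), mask_pii)
```

Because the audit entry stores only sizes and the user id, the log can be retained for the compliance cycle without becoming a second copy of prompts and completions.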
Deployment options
We support three deployment shapes for every engagement.
Cloud (default)
Deployed into your own AWS, Azure, or GCP account, behind private endpoints, with auto-scaling tuned to your traffic profile. This is the model most clients pick because it inherits all of their existing cloud controls.
On-premise
Deployed into your data center, with an air-gapped option for environments where outbound calls are not permitted. You retain full control of the runtime; we provide the installation, configuration, and operational documentation.
Hybrid
Sensitive data stays on-premise while compute runs in the cloud, connected by VPN or a dedicated link. This shape is useful when regulatory requirements pin the data to your premises but the compute footprint is too large to host internally.
Compliance posture
We design every engagement with the following in mind:
- SOC 2 best practices. Logging, access control, change management, and incident response patterns line up with the controls SOC 2 auditors look for.
- HIPAA-aware architecture. We can sign a Business Associate Agreement (BAA) on request when the workload involves protected health information, and we architect accordingly.
- GDPR-ready. Data residency, right-to-deletion workflows, and processor terms are built into engagements that touch EU personal data.
- NDA and DPA. Mutual NDA and Data Processing Agreement templates are available on request before scoping calls. We are happy to sign yours.
How we work with clients on security
Vendor security questionnaires, architecture diagrams, and subprocessor lists are part of our standard pre-engagement materials. Typical sequence:
- We sign your mutual NDA before the first scoping call.
- We send our standard security overview, deployment-architecture summary, and list of subprocessors used during a typical engagement.
- We complete your security questionnaire. We aim for a one-business-day turnaround for short questionnaires and five business days for full vendor reviews.
- We sign a DPA before any personal data flows.
Incident response
If we become aware of a security incident affecting an active engagement — including unauthorized access to a ForthClover account that holds your information, or a compromise of any system we operate on your behalf — we will:
- Notify your designated security contact as soon as practical and no later than 72 hours after confirmation.
- Share what we know, what is still being investigated, and what containment actions are underway.
- Cooperate with your incident-response process, including forensic evidence preservation if requested.
- Send a written post-incident report once root cause is understood, with a remediation plan and dates.
Reporting a vulnerability
If you believe you have found a security issue with the forthclover.tech website or with software we have published, email hello@forthclover.tech with as much detail as you can share. Please give us a reasonable window to investigate and fix the issue before public disclosure. We will acknowledge receipt within one business day.
Have a security questionnaire?
Email hello@forthclover.tech and we will respond within one business day with our standard security overview, NDA, and DPA templates.