PrivacyForge LogoPrivacyForge

Security Policy

Last Updated: August 1, 2025

At PrivacyForge.ai, operated by Shepard Labs LLC, we are committed to maintaining the highest standards of security and data protection for our AI-powered compliance document generation platform. This policy outlines our comprehensive approach to safeguarding your business information and generated compliance documents.

Core Security Principles

Data Protection Framework

  • Industry-standard encryption protocols protect your data both at rest and in transit
  • Secure processing of business information and compliance requirements
  • Role-based access controls limit data access to authorized personnel only
  • Regular security assessments ensure ongoing protection of our systems
  • Compliance with applicable data protection regulations and industry best practices

Minimal Data Collection

  • We collect only the information necessary to generate your compliance documents as specified in our questionnaire
  • No unnecessary personal or business data is requested or stored
  • Payment information is processed through industry-leading secure payment processors
  • Email addresses are collected solely for document delivery purposes

Data Storage and Infrastructure

Database Security

  • Primary data storage utilizes Neon's managed PostgreSQL service with enterprise-grade security
  • Database infrastructure includes network isolation, access controls, and monitoring
  • Daily automated backups ensure data recovery capabilities
  • Database connections are encrypted and authenticated using industry best practices
  • Access to production databases is restricted to authorized personnel with proper authentication

Document Storage

  • Generated compliance documents are securely stored using Google Cloud Storage
  • All files are encrypted at rest using Google's advanced encryption standards
  • Documents are retained to ensure continued access for our users
  • Storage infrastructure benefits from Google Cloud's enterprise security framework
  • Access controls ensure only authorized systems can retrieve stored documents

Geographic Data Location

  • All data is stored in secure facilities within the US-East region
  • Infrastructure providers maintain SOC 2 and other relevant compliance certifications
  • Data residency complies with applicable jurisdictional requirements

Data Processing and Transmission

Secure Communications

  • All data transmission occurs over encrypted HTTPS connections using TLS 1.3 protocols
  • Modern cipher suites ensure data integrity during transmission
  • HSTS (HTTP Strict Transport Security) is enforced across all services
  • API communications are authenticated and encrypted end-to-end

AI Processing Security

  • Compliance document generation occurs in isolated, secure environments
  • Processing systems are designed to handle sensitive business information appropriately
  • Generated documents maintain the confidentiality of your business practices
  • No cross-contamination between different users' data or documents

Third-Party Services and Integrations

Payment Processing

  • All payment transactions are processed through Stripe, a PCI DSS Level 1 certified payment processor
  • PrivacyForge.ai does not store or process credit card information directly
  • Payment data is handled according to industry-leading security standards
  • Secure tokenization protects payment information throughout the transaction process

Analytics and Monitoring

  • Google Analytics is used to improve service quality and user experience
  • Analytics data collection is anonymized and complies with privacy regulations
  • No personally identifiable information from compliance questionnaires is shared with analytics services
  • Users can opt-out of analytics tracking through standard browser settings

Cloud Infrastructure

  • Backend services are hosted on Google Cloud Platform with enterprise security features
  • Infrastructure benefits from Google's comprehensive security controls and monitoring
  • Regular security updates and patches are applied to maintain system integrity
  • Cloud services are configured according to security best practices

Access Controls and Personnel Security

Data Access Management

  • Access to user data is restricted to authorized personnel only
  • Role-based permissions ensure employees access only data necessary for their responsibilities
  • Multi-factor authentication is required for all administrative access
  • Regular access reviews ensure appropriate permission levels are maintained

Employee Training and Protocols

  • All personnel with data access receive comprehensive security training
  • Background checks are conducted for employees with access to sensitive systems
  • Security protocols are regularly reviewed and updated
  • Incident response procedures are clearly defined and regularly tested

Data Retention and User Rights

Retention Policy

  • Business information and generated documents are retained to ensure continued service availability
  • Data is maintained securely throughout the retention period
  • Retention practices balance user convenience with data minimization principles
  • Regular reviews ensure retention periods remain appropriate and necessary

User Data Rights

  • Users may request deletion of their data by contacting us at hi@privacyforge.ai
  • Data deletion requests are processed within a reasonable timeframe
  • Verification procedures ensure requests are made by authorized individuals
  • Users can request access to their stored information upon request

Document Access

  • Generated compliance documents remain accessible to users via secure delivery methods
  • Document integrity is maintained through secure storage practices
  • Access logs track document retrieval for security monitoring purposes

Incident Response and Business Continuity

Security Incident Management

  • Comprehensive incident response procedures address potential security events
  • 24/7 monitoring systems detect and alert on suspicious activities
  • Incident response team includes technical, legal, and communications personnel
  • Post-incident reviews ensure continuous improvement of security measures

Business Continuity

  • Daily database backups ensure data recovery capabilities
  • Disaster recovery procedures minimize service disruption
  • Regular testing validates backup and recovery processes
  • Geographic distribution of services enhances resilience

Breach Notification

  • Users will be promptly notified of any security incidents affecting their data
  • Notifications include relevant details about the incident and remediation steps
  • Regulatory authorities are notified as required by applicable laws
  • Transparent communication maintains user trust and compliance

Compliance and Legal Framework

Regulatory Compliance

  • Operations comply with applicable U.S. federal and state data protection laws
  • Privacy practices align with the compliance documents we help generate
  • Regular legal reviews ensure ongoing compliance with evolving regulations
  • Industry best practices guide our security implementation

Legal Basis for Processing

  • Data processing is based on legitimate business interests and user consent
  • Processing activities are limited to those necessary for service delivery
  • User rights are respected and facilitated through clear procedures
  • Legal obligations are met through appropriate policies and procedures

Continuous Security Improvement

Security Assessments

  • Regular security reviews evaluate system vulnerabilities and improvements
  • Security measures are updated to address emerging threats
  • Industry best practices are continuously incorporated into our security framework
  • Third-party security expertise supplements internal capabilities when appropriate

Technology Updates

  • Security patches and updates are applied promptly to all systems
  • New technologies are evaluated for security implications before implementation
  • Legacy systems are regularly reviewed and updated as necessary
  • Security architecture evolves with technological advancement

User Security Recommendations

Best Practices for Users

  • Use updated browsers with modern security features when accessing PrivacyForge.ai
  • Protect your email account used for document delivery
  • Review generated documents promptly upon delivery
  • Contact us immediately if you suspect any security concerns

Document Security

  • Store generated compliance documents securely within your organization
  • Implement appropriate access controls for sensitive compliance documentation
  • Regular reviews ensure documents remain current and accurate
  • Backup important compliance documents according to your organization's policies

Contact Information

For security-related inquiries, to report security concerns, or to request data deletion, please contact us at:

Email: hi@privacyforge.ai

We are committed to responding promptly to all security inquiries and maintaining the trust you place in our platform.

Updates to Security Policy

Shepard Labs LLC reserves the right to update this security policy as needed to reflect changes in our practices, technology, or applicable regulations. Material changes will be communicated to users through appropriate channels.

This security policy demonstrates our commitment to protecting your business information while providing the compliance documentation services that help your organization meet its regulatory obligations.