Last updated · May 12, 2026

Security

This page is the public-facing version of Forigi’s security commitments — how we handle vulnerability disclosure, how fast we notify customers of an incident, where data lives, and what we aim for in recovery time and recovery point.

Microsoft Verified Publisher. Forigi is operated by Knotbook Software Inc., a Microsoft AI Cloud Partner Program member with verified-publisher status on the Microsoft Entra app registration. The blue verified badge appears on the sign-in consent screen — Microsoft has independently confirmed our legal entity and domain ownership.

Reporting a security vulnerability

Email: security@forigi.com (or hello@forigi.com if you don’t get a response within one business day — both reach the engineering on-call).

What to include: affected URL or endpoint, repro steps, your name or handle for credit (or “anonymous” if you prefer), and any PoC artifacts (screenshots, requests, video). Encrypted reports welcome via PGP — request the public key in your initial email.

Coordinated disclosure timeline

| Severity | Examples | First response | Triage complete | Fix target |
|---|---|---|---|---|
| Critical | RCE, full tenant compromise, mass-data exposure | 4 business hours | 1 business day | 7 days |
| High | Single-tenant data exposure, auth bypass | 1 business day | 3 business days | 14 days |
| Medium | Defense-in-depth gaps, info disclosure | 2 business days | 5 business days | 30 days |
| Low | Best-practice deviations, theoretical risks | 5 business days | 10 business days | Best-effort |

Safe harbor

Forigi will not pursue legal action against researchers who:

  • Make a good-faith effort to avoid privacy violations, service disruption, and data destruction
  • Test only their own data, or with explicit permission from the data owner
  • Give us reasonable time to fix issues before publishing
  • Don’t access data beyond what’s necessary to demonstrate the issue

We don’t run a paid bug bounty today. Credit in our changelog and a Forigi-branded thank-you are what we offer for v1.

In scope

  • The platform application (app.forigi.com and per-app subdomains under *.app.forigi.com)
  • Authentication flows (Microsoft Entra ID via /api/auth/*)
  • Hosted-app sandboxing and CSP boundaries
  • Tenant isolation in the Supabase data layer
  • The platform SDK injected into hosted bundles (/sdk.js)
  • Per-app Postgres schema isolation (app_<tenant_uuid> schemas)
  • Sensitive-column encryption (AES-256-GCM with per-tenant scrypt-derived keys)
  • The MCP OAuth 2.1 surface (/api/mcp/oauth/*) and bundle-to-platform proxy (/api/platform/*)

Out of scope

  • Third-party dependencies of hosted bundles. Bundles are customer code; the platform’s job is to bound their reach, not validate their contents.
  • Microsoft Graph itself.
  • Self-DoS via authenticated rate limits (we publish those numbers; bypass is in scope).
  • Reports relying on social engineering, physical access, or stolen credentials.
  • Findings that depend on a compromised Microsoft Entra admin account (the threat model assumes admins are trusted).

Already in place — not findings

If you’re auditing the codebase, the following are tracked, audited, and intentional design choices — not findings:

  • script-src ‘unsafe-inline’ on hosted apps. Bounded by per-app origin isolation and connect-src ‘self’. Not in scope as a finding on its own.
  • Service-role Supabase access from API routes. Tenant scoping is enforced in the application layer; RLS is a defense-in-depth backstop.
  • The 60-second Microsoft-session validation throttle. Configurable per tenant.
  • Single global MASTER_KEY for connector secrets (per-tenant DEK migration is the documented next step). The key lives in Vercel env vars, not the database — attacker needs both to win.
  • Native RegExp for admin-set path patterns (rather than RE2). Bounded by a 2 KB input cap, a save-time ReDoS heuristic, and Vercel’s function timeout. Trust model is admin-only input, not internet-exposed.

Encrypted reports

Forigi’s machine-readable security policy is at /.well-known/security.txt per RFC 9116. PGP-encrypted reports are welcome — request the current public key as the first message at security@forigi.com and we’ll respond with the fingerprint via a separate channel.

Customer breach notification SLA

If Forigi confirms a security incident that affects a tenant’s data or access:

| Confirmed event | Notification window | Method |
|---|---|---|
| Unauthorized access to tenant data (any volume) | Within 72 hours | Email to tenant administrator(s) + dashboard banner |
| Unauthorized access to authentication material (session tokens, refresh tokens) | Within 24 hours | Email + forced re-authentication for affected users |
| Loss of availability (>30 minutes outage) | Within 2 hours | Status page + email if >24h |
| Data corruption affecting tenant data | Within 24 hours | Email + status page |

The 72-hour window aligns with GDPR Article 33 even though Forigi is not EU-directed today — the alignment is intentional so the same notification flow works if and when we expand.

What every notification includes

  • Date and time the event was confirmed
  • Scope (which tenants, which users, which data types)
  • What we know and what we’re still investigating
  • Containment steps already taken
  • Remediation timeline
  • Recommended actions for affected tenants (session re-issuance, credential rotation, audit review)
  • Direct contact for follow-up questions

Post-incident, we publish a public retrospective for any incident that affected more than one tenant or exposed authentication material — sanitized of customer-identifying details.

Data residency

Forigi’s data infrastructure is US-region for all customer data in v1.

| Component | Vendor | Region |
|---|---|---|
| Application database | Supabase | United States (US-West region) |
| Bundle storage | Cloudflare R2 | United States (auto-replicated globally; primary in US) |
| Edge / compute | Vercel | United States |
| Token cache | Upstash Redis | United States |
| Email | Resend | United States |
| Error monitoring | Sentry | United States |

What does NOT leave your Microsoft tenant

  • Your SharePoint and OneDrive files. Forigi reads them on-demand using each viewer’s existing Microsoft permissions; we never copy file contents into our database.
  • Your Entra directory data. We receive only what’s needed to identify a signed-in user (Object ID, tenant ID, email, display name).
  • File access tokens. Microsoft access tokens are cached encrypted in Upstash for refresh, but the actual file fetches go directly to Microsoft Graph from Vercel’s compute.

EU/EEA/UK/Switzerland residency is not available today. If you require EU residency, we cannot serve you in v1. We will revisit this as part of EU GA planning. For interim arrangements (case-by-case EU usage with documented risk acceptance), email hello@forigi.com.

Data residency commitments are subject to change with 30 days written notice to tenant administrators. We will not move existing data to a different region without administrator opt-in.

Recovery objectives

| Metric | Target |
|---|---|
| Recovery Point Objective (RPO) | 24 hours (Supabase point-in-time recovery covers up to 7 days) |
| Recovery Time Objective (RTO) | 4 hours for restoration to a working state; full data restoration within 24 hours |
| Availability target (v1) | 99.5% measured monthly, excluding scheduled maintenance windows |
| Scheduled maintenance | Announced 7 days in advance via status page and email |

These are targets, not contractual guarantees. v1 customers operate under a best-effort SLA. Paid tiers will introduce contractual SLAs.

Service availability

Status page: status.forigi.com (also reachable at app.forigi.com/status)

When operational metrics deviate from green, the status page is updated within 15 minutes. Planned maintenance is announced at least 7 days in advance via status page and email to tenant administrators. We avoid maintenance during weekday business hours in customers’ primary timezone where possible.

Subprocessors and changes

The complete subprocessor list is in our Privacy Policy. When Forigi adds or changes a subprocessor that handles customer data:

  • We notify tenant administrators by email at least 30 days before activation
  • We update the subprocessor list in the Privacy Policy
  • Tenant administrators may object by emailing hello@forigi.com. If we cannot accommodate the objection, the customer may terminate without penalty.

How to verify these commitments

  • Microsoft Verified Publisher. Sign in to any Forigi app — the consent screen shows the blue verified-publisher badge with “Knotbook Software Inc.”
  • Source-code walkthrough. Under MNDA, we screen-share through the actual code that implements auth, isolation, audit, and encryption. Email hello@forigi.com to schedule.
  • Audit log access. As a tenant administrator, you can export your tenant’s complete audit log as CSV from the dashboard.
  • Security questionnaire (CAIQ, SIG-Lite, vendor forms). Send yours; we fill it in directly with citations.
  • Signed DPA available on request.

Contact

Changes to this document

The “Last updated” date at the top reflects the most recent revision. Material changes to security commitments are announced to tenant administrators by email at least 30 days before taking effect. Minor clarifications and additions are published immediately and reflected in the date.


See also: Privacy Policy · Terms of Use