How we protect the data you and your customers entrust to Forj and Alloy.
Last updated 4 June 2026
Alloy runs on AWS and Supabase with primary data hosted in the EU (eu-north-1 / eu-west-1, Stockholm and Ireland). Your CRM and pipeline data stays in the EU. Some AI processing (Smith's reasoning) currently calls the Anthropic API in the US under Standard Contractual Clauses; we are migrating that to AWS Bedrock in the EU to keep inference in-region.
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256) by our infrastructure providers. Secrets and API keys are stored server-side only, never exposed to the browser.
Each customer workspace (tenant) is isolated by row-level security (RLS) in the database: a user can only read the projects and records they are entitled to. Administrative writes run through controlled, service-side functions. No customer can see another customer's data.
We use a small set of vetted sub-processors. Each is bound by its own data-processing terms. The current list:

| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Hosting, deployment, pricing/data APIs | EU |
| Supabase | Database, auth, edge functions | EU |
| Anthropic | AI (Smith) reasoning | US (SCCs; EU via Bedrock in progress) |
| HubSpot | CRM sync (only if you connect it) | EU/US per your portal |
| OnePageCRM | CRM sync (only if you connect it) | EU/US per your account |
| Recall.ai | Meeting notetaker (only if you use it) | US (SCCs) |

The authoritative, versioned list lives in our DPA & sub-processor list.
Data subjects can request access, correction, or deletion of their personal data. Inside Alloy, contacts and companies can be deleted (erasure) at any time. For formal requests, contact privacy@forj.se. See our Privacy Policy for the full detail.
Forj is a Swedish company and builds to GDPR. For business prospecting we rely on legitimate interest (documented), process only business-relevant data, honour data-subject rights, keep a sub-processor list, and offer a Data Processing Agreement to customers. We minimise what we collect and retain.
We are GDPR-aligned today. ISO 27001 is on our roadmap. We are not yet certified, and we do not claim certifications we have not earned. This page will be updated as that progresses.
Found a security issue? Email security@forj.se and we will respond promptly. Please give us reasonable time to remediate before any public disclosure.