Security

Security at Forestall.

Safeguarding customer data is a fundamental commitment. Our security program is built into every layer of our organization - product, infrastructure, governance, and operations.

  • Encryption in transit and at rest
  • ISO 27001, ISO 27701, and ISO 9001 certified
  • Continuous control monitoring with Vanta
  • Least-privilege, agentless platform design

Compliance and certifications

ISO/IEC 27001:2022

  • Information Security Management System (ISMS)
  • Risk-based controls and continual improvement
  • Independently audited and certified

ISO/IEC 27701

  • Privacy Information Management System (PIMS)
  • Privacy controls aligned to GDPR/KVKK
  • Extension of our ISMS for privacy

ISO 9001

  • Quality Management System (QMS)
  • Documented processes and measurable outcomes
  • Customer-focused continual improvement

How we protect customer data and systems

Data encryption

  • TLS for all data in transit over public networks
  • Encryption at rest for production data stores
  • Encryption key access restricted to authorized personnel
  • No hardcoded secrets - secure secret management

Infrastructure security

  • Hosted on AWS and Microsoft Azure with hardened baselines
  • Production access restricted and continuously monitored
  • Remote access only through approved encrypted connections
  • Anti-malware technology deployed across endpoints

Access control

  • Unique account authentication enforced for all systems
  • Role-based access (RBAC) with separation of duties
  • Least privilege for production and customer environments
  • Enforced password policy and managed device baseline

Secure development lifecycle

  • Formal SDLC with peer code review and change control
  • Dependency management and routine patching
  • Vulnerability and system monitoring procedures established
  • Annual control self-assessments and corrective actions

Incident response

  • Documented security and privacy incident response policies
  • Incidents are logged, tracked, resolved, and communicated
  • Defined customer communication pathway
  • Continuous improvement from post-incident reviews

Business continuity

  • Business Continuity and Disaster Recovery plans in place
  • Backup and recovery procedures for critical systems
  • Communication plans for unavailability of key personnel
  • Documented operational runbooks

Vulnerability management

  • Risk-based prioritization with remediation SLAs
  • Continuous monitoring of production systems
  • Coordinated disclosure-ready posture
  • Findings tracked through resolution

People & governance

  • Code of Conduct acknowledged by all employees
  • Defined management roles and responsibilities
  • Documented information security policies, reviewed annually
  • Risk management program with mitigation strategies

Data handling & privacy

  • Data classification and retention policies established
  • Customer data is purpose-limited to security analysis
  • No customer PII, payment, or health data collected
  • Privacy controls aligned with GDPR and KVKK

Data handling and privacy

What we collect

  • Identity and configuration metadata required for posture assessment
  • Relationship/permission data for exposure and attack-path analysis
  • Reporting outputs generated from analysis
  • No unnecessary personal content collected

How we protect it

  • Purpose limitation: used only for security assessment and reporting
  • Access controls to restrict who can view results
  • Retention: configurable and minimized
  • Sharing: customer-controlled exports
See Privacy Policy →

Continuous control monitoring

Always-on assurance

  • Security controls are continuously monitored with Vanta across infrastructure, organizational, product, internal procedures, and data & privacy domains.
  • Independent audits validate our certifications on an annual basis.
  • Live status of our controls is published on our public Trust Center.
View live controls on Trust Center →

Responsible disclosure

If you believe you've found a security issue, we welcome coordinated disclosure. Our team will respond and provide a secure channel for follow-up.

Security FAQ

Need security documentation for your review?

Access our public Trust Center for live controls, certifications, and downloadable resources.

We respect your privacy

We use cookies to keep this site secure and working properly. With your permission, we also use optional cookies to understand usage and improve the experience. Cookie Policy

You can change your choice at any time.

Security | Company | Forestall