Your clients' data, isolated by design.
When you hand an agency tool your clients' files, invoices and messages, the first question is the right one: is this safe? Forge is built so the answer is structural, not a promise. Every agency's data is isolated by default, every tool can reach only its own data, and every secret you connect is encrypted and never shown back - to anyone, including us.
no code · we run the infrastructure · flat monthly pricing
Isolation isn't a setting you switch on. It's how Forge is built - and it's checked on every publish.
Two planes, isolated by design
Forge runs on a two-plane architecture. The control plane is Forge itself - your account, your organization, your settings - where every table carries your organization id and is protected by row-level security with a default-deny policy. You can only ever see your own data.
The runtime plane is the tools we build for you. Each tool runs against its own database schema, reached only by a dedicated least-privilege role - and a deployed tool never holds the keys to the wider database. It can touch its own data and nothing else.
This matters because it means isolation isn't a configuration you, or we, might forget to set. It's the shape of the system. One agency's tool has no path to another agency's data - not by policy, by architecture.
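As an added illustration (not Forge's own code), this is what the two planes and the publish-time isolation check can look like in PostgreSQL, the database underneath Supabase. The table, schema, role and `app.org_id` setting names are hypothetical, chosen only for this sketch.

```sql
-- Control plane: every table carries an organization id (client_files is hypothetical).
CREATE TABLE client_files (
    id              bigserial PRIMARY KEY,
    organization_id uuid NOT NULL,
    name            text NOT NULL
);

-- With RLS enabled and no policy, non-owner roles see no rows: that is the default-deny.
ALTER TABLE client_files ENABLE ROW LEVEL SECURITY;
-- FORCE makes the table owner subject to the policies as well.
ALTER TABLE client_files FORCE ROW LEVEL SECURITY;

-- The only allow rule: the row's organization must equal the session's organization.
-- app.org_id is an assumed session setting. Unset or empty becomes NULL, the
-- comparison is then not true, and the session reads and writes nothing.
CREATE POLICY org_isolation ON client_files
    USING      (organization_id = NULLIF(current_setting('app.org_id', true), '')::uuid)
    WITH CHECK (organization_id = NULLIF(current_setting('app.org_id', true), '')::uuid);

-- Runtime plane: one schema per tool, reached by one dedicated role (names hypothetical).
CREATE SCHEMA tool_invoices;
CREATE ROLE tool_invoices_rt LOGIN NOINHERIT;  -- authentication setup omitted
GRANT USAGE ON SCHEMA tool_invoices TO tool_invoices_rt;
ALTER DEFAULT PRIVILEGES IN SCHEMA tool_invoices
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO tool_invoices_rt;
ALTER ROLE tool_invoices_rt SET search_path = tool_invoices;

-- Publish-time check: list every relation outside the tool's schema that the role
-- can read or write, including access inherited through PUBLIC.
-- A pipeline that fails closed blocks the deploy unless this returns zero rows.
SELECT n.nspname AS schema_name, c.relname AS relation_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'p', 'v', 'm', 'f')
  AND n.nspname NOT IN ('tool_invoices', 'pg_catalog', 'information_schema')
  AND has_table_privilege('tool_invoices_rt', c.oid,
                          'SELECT, INSERT, UPDATE, DELETE');
```

The check uses `has_table_privilege` rather than a grants listing because it reports effective access, so a privilege granted to `PUBLIC` on some other schema's table also shows up as a failure.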
The guarantees, in plain English
Per-agency isolation
Every record carries your organization id and is protected by row-level security, default-deny. You see only your data.
Per-tool isolation
Each tool we build runs against its own database schema via a least-privilege role - it can reach its own data and nothing else.
Verified on every publish
Every deploy runs an isolation test and fails closed: if isolation can't be proven, the tool doesn't ship.
Encrypted secrets
Keys you connect are encrypted at rest, stored only as an encrypted reference, and never logged or returned - including to you.
White-label by default
Your logo, your domain. Clients only ever see your agency's brand, never Forge's.
No infrastructure to secure
No servers, databases or dashboards to lock down yourself - we run it, so there's no misconfiguration on your side.
What happens to a key you connect
You paste it once
Connecting Stripe, email or an integration during setup - the only time the raw value is handled.
It's encrypted immediately
Stored only as an encrypted reference in the control plane - never in plaintext, never in a log.
It's injected, scoped, at deploy
Delivered to your tool as a scoped environment variable - available to that tool, invisible everywhere else.
It's never shown again
Not in the UI, not to support, not to you. Rotating a key means setting a new value, not reading the old one.
Built on infrastructure you can check
Forge runs on Vercel and Supabase - platforms that carry their own independent security certifications and are trusted by tens of thousands of companies. We don't ask you to take our word for the foundation underneath.
On top of that foundation, every tool we build passes an automated pipeline before it can go live - a type check, a lint pass, a security review, and an isolation test - and the deploy fails closed if any step doesn't pass. Nothing reaches your clients that hasn't cleared it.
For agencies that need it, fully dedicated single-tenant database isolation is on our roadmap as an upgrade - so you can move from a securely-isolated schema to a dedicated database as you grow.
Frequently asked questions
Is my data isolated from other agencies?
Yes - structurally. Every record carries your organization id and is protected by row-level security with a default-deny policy, and each tool we build runs against its own database schema reached only by a least-privilege role. One agency's data has no path to another's.
Can Forge or another agency see my clients' data?
Each tool is isolated to its own schema, and a deployed tool never holds the keys to reach anything else. Access is brokered so a tool can only touch its own data, and that isolation is verified automatically on every publish.
What happens to the API keys I connect?
They're encrypted at rest the moment you paste them, stored only as an encrypted reference (never plaintext, never logged), and injected into your tool as a scoped environment variable at deploy. They're never shown back - to you, to support, to anyone. To change one, you set a new value.
Do I own my data and my brand?
Yes. Your tools are white-label - clients only ever see your agency's brand, on your domain - and the data is yours. You're never locked out of your own information.
Where is everything hosted?
On Vercel and Supabase - infrastructure that carries its own independent security certifications. You never have to provision, secure or maintain a server yourself, which removes the most common source of misconfiguration.
Is isolation actually enforced, or just intended?
Enforced and checked. Every deploy runs an isolation test and fails closed - if a tool's isolation can't be proven, it doesn't ship. It's part of the automated build pipeline, not a manual step someone has to remember.