Security
Your receivables data, handled with care.
Forgekite touches invoice amounts, debtor contacts, and payment history. Here is exactly how that data is protected, isolated, and kept out of the wrong classifications — stated honestly, with no badges we haven't earned.
Data encryption
All data is encrypted in transit and at rest. Traffic to Forgekite runs over TLS, and stored data is encrypted on disk by our infrastructure providers.
Payment data
Forgekite never stores credit-card numbers. All card processing and billing is handled by Stripe. When your debtors pay through a Stripe payment link in a reminder, their card details go straight to Stripe — they never pass through or rest in Forgekite.
Database isolation
Forgekite runs on Supabase (Postgres) with row-level security enforced per user. Access policies are applied at the database layer so each account can only read and write its own clients, debtors, and invoices.
White-label sending (first-party follow-up)
Reminders are sent from your domain and sender identity, not from Forgekite's. This keeps your follow-up as first-party AR communication rather than third-party debt collection — which is a deliberate design choice to keep Forgekite out of the FDCPA third-party-collector classification.
Forgekite is first-party AR follow-up software. It is not a third-party debt collector.
TCPA consent gating
Email is always available. SMS escalation only becomes available from Day 14 onward, and only after you attest that the debtor has given prior express written consent to be contacted by text. Forgekite gates SMS behind that attestation so text outreach is not sent without a consent record.
Subprocessors
Forgekite relies on a defined set of infrastructure and delivery providers — hosting, database, payments, email, SMS, AI generation, analytics, and error monitoring. The full, current list is maintained on our subprocessors page.
Responsible disclosure
If you believe you've found a security vulnerability, please report it to security@forgekite.com. Please give us a reasonable window to investigate and remediate before any public disclosure.
Forgekite has not yet completed a formal third-party penetration test, security audit, or compliance certification. We're glad to walk your security team through our current controls — email security@forgekite.com.
Certifications
Forgekite is not currently certified under SOC 2, ISO 27001, HIPAA, or PCI DSS, and we make no such claims. Card data is handled by Stripe (a PCI-compliant processor) so that Forgekite never stores it.
Questions about security?
Reach the security team directly, or read how we handle personal data in our privacy policy.