Your code, your data, your control.
Forma encrypts integration secrets, isolates projects with Row Level Security, scans for exposed credentials before export, and never trains AI on your private content.
Architecture
How security flows through Forma.
Supabase RLS
Row-level security on every table. Users see only their own data.
App Logic
Auth middleware validates every request. Workspace isolation enforced.
Encryption
AES-256-GCM at rest. Secrets masked in UI. Never in client code.
Export Guard
Pre-export secret scan. Warns before credentials leak into code.
Platform security
Secure by design.
Auth & sessions
OAuth via Google and GitHub. Supabase Auth for session management. Workspace-level permission controls.
OAuth 2.0 · Supabase Auth · RBAC
Secret encryption
Integration tokens and API keys encrypted at rest with AES-256-GCM. Masked in UI. Never exposed in client code or logs.
AES-256-GCM · UI masked · Zero log exposure
Row Level Security
Supabase RLS on all project tables. Each user can only access their own projects, data, and integrations.
Supabase RLS · Per-user isolation · Table policies
Secret scanning
Automatic detection of exposed credentials before export or publish. Warns if secrets would leak into generated code.
Pre-export scan · Pattern matching · Block on detect
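As an added example of the "pre-export scan, pattern matching, block on detect" idea (not Forma's actual Export Guard), the scanner below runs a small set of credential patterns over generated Dart source line by line, reports each hit with a redacted excerpt, and refuses the export when anything matches. The Dart snippet and the pattern list are constructed for the example; a production scanner would carry many more patterns and tune them against false positives.

```javascript
// Added example, not Forma's Export Guard: a minimal pre-export secret scan
// over generated source text, with line numbers and redacted excerpts.

// Constructed pattern set. Each regex is global so matchAll can be used.
const SECRET_PATTERNS = [
  { id: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { id: 'github-pat', re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { id: 'private-key-block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
  // Literal assignment of a long quoted value to a secret-looking identifier.
  { id: 'generic-assignment', re: /\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['"]([^'"]{16,})['"]/gi },
];

// Show just enough of a match to locate it, never the whole value.
function redact(value) {
  return value.length <= 8 ? '*'.repeat(value.length) : value.slice(0, 4) + '...' + '*'.repeat(4);
}

// Scan source text and return one finding per (line, pattern, match).
function scanGeneratedCode(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const { id, re } of SECRET_PATTERNS) {
      for (const m of line.matchAll(re)) {
        findings.push({ line: idx + 1, pattern: id, excerpt: redact(m[0]) });
      }
    }
  });
  return findings;
}

// Gate the export: block when anything matched, otherwise let it through.
function exportGuard(source) {
  const findings = scanGeneratedCode(source);
  return { allowed: findings.length === 0, findings };
}

// Constructed Dart output: two hardcoded credentials and one correct
// environment lookup that must not be flagged.
const SAMPLE_DART = [
  "const apiKey = 'sk_live_ABCDEFGHIJKLMNOPQRSTUVWXYZ'; // hardcoded, should be flagged",
  "final awsKey = 'AKIAABCDEFGHIJKLMNOP';               // AWS access key id pattern",
  "final safe = String.fromEnvironment('API_KEY');      // injected at build time, fine",
].join('\n');

const CLEAN_DART = "final safe = String.fromEnvironment('API_KEY');";

module.exports = { scanGeneratedCode, exportGuard, SAMPLE_DART, CLEAN_DART };
```

Running the scan at export time rather than on every keystroke keeps it cheap, and returning line numbers lets the UI point the user at the exact statement to replace with an environment lookup.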
Rate limiting
API rate limits and auth middleware protect the platform, mitigating brute-force attempts and other abuse patterns.
Rate limiting · Auth middleware · Abuse detection
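An added illustration (not Forma's middleware) of the rate-limit half of that claim: a sliding-window limiter keyed per source address and account, so that a burst of login attempts is cut off after a fixed number within the window and resumes only once the window has passed. The limit, window and key format are constructed for the example.

```javascript
// Added example, not Forma's implementation: in-memory sliding-window rate
// limiter suitable for wrapping an auth endpoint in middleware.
class SlidingWindowLimiter {
  constructor({ limit, windowMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> array of request timestamps (ms)
  }

  // Returns true if the request is within budget and records it; false otherwise.
  // `now` is injectable so behaviour can be checked without waiting.
  allow(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff); // drop expired hits
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return false;
    }
    recent.push(now);
    this.hits.set(key, recent);
    return true;
  }
}

// Key on both the client address and the targeted account, so one address
// cannot spray many accounts and many addresses cannot hammer one account
// without each bucket filling independently.
function loginKey(ip, account) {
  return `login:${ip}:${account.toLowerCase()}`;
}

// Constructed burst: seven attempts one second apart against a 5-per-minute
// budget, then one more attempt after the window has elapsed.
function simulateLoginBurst() {
  const limiter = new SlidingWindowLimiter({ limit: 5, windowMs: 60_000 });
  const key = loginKey('203.0.113.7', 'Alice@example.com'); // constructed values
  const results = [];
  let t = 0;
  for (let i = 0; i < 7; i++) {
    t += 1000;
    results.push(limiter.allow(key, t));
  }
  const afterWindow = limiter.allow(key, t + 60_000);
  return { results, afterWindow };
}

module.exports = { SlidingWindowLimiter, loginKey, simulateLoginBurst };
```

A denied call is where middleware would return HTTP 429 and emit an abuse-detection event; the per-key Map here would be replaced by a shared store in a multi-instance deployment so all app nodes count against the same budget.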
Infrastructure isolation
Project and workspace-level boundaries. Each project is logically isolated. Multi-tenant architecture with per-tenant data segregation.
Multi-tenant · Logical isolation · Data boundaries
Compliance
Designed for trust.
GDPR-ready design
Architecture aligned with GDPR data protection principles.
DPA available
Data Processing Addendum available for enterprise teams.
Subprocessors listed
Full list of third-party subprocessors publicly documented.
Data export / deletion
Export or permanently delete your data from account settings.
SOC 2 Type II
Assessment on the roadmap for team and enterprise plans.
ISO 27001
Certification planned as part of enterprise readiness.
Your data journey
Full control, start to finish.
Upload
Code and integrations pushed to Forma.
Encrypt
Secrets encrypted before persistence.
Store (RLS)
Row-level security. Isolated per user.
You control
Full ownership. Delete any time.
Export
Clean Dart. No secrets leaked.
Built on trusted infrastructure
FAQ
Security questions.
Responsible disclosure
Found a vulnerability? We respond within 48 hours and follow coordinated disclosure practices.
security@forma.app