Security Overview

Version BETA 1.0 • Last Updated: 2026-05-01

Closed Beta Agreement — This document applies during the beta period. Terms may be updated before public launch.

This overview reflects our current security posture during the closed beta. Practices and controls will continue to mature as we approach public launch.

1. Current Security Controls

We have implemented foundational security measures to protect workspace data during the beta phase:

Encryption in Transit: All communications between clients, our backend, and third-party APIs are encrypted using TLS 1.2 or higher over HTTPS.
Encryption at Rest: Core database volumes are encrypted at the storage level. Highly sensitive credentials, such as BYOK API keys and webhook secrets, are additionally encrypted at the application level using AES-256-GCM.
Access Control: Logical isolation prevents cross-tenant data spillage. Role-Based Access Control (RBAC) is enforced at the database and API layer.
Authentication: Session-based authentication leverages strict, httpOnly cookies and modern password hashing using bcrypt.
Input Validation: All ingress API boundaries strictly validate and sanitize payloads using Zod schemas to prevent injection attacks.
Rate Limiting: Endpoints are protected by rate limiting controls to defend against brute force attempts and automated abuse.

2. AI-Specific Security

Foreman implements orchestration constraints specifically designed for autonomous agent safety:

Request Depth Limits: Infinite loops are prevented by strict delegation depth tracking (maximum delegation depth is enforced).
Sandboxed Tools: Code execution and web extraction tools run in isolated ephemeral environments to prevent lateral network movement.
Tool Calling Guardrails: Integration executions requiring mutating actions (POST/PUT/DELETE) undergo explicit payload validation before hitting external APIs.

3. Pre-Launch Security Roadmap

Planned Before Public Availability

Completion of an independent third-party penetration test
Initiation of formal SOC 2 Type I readiness roadmap
Appointment of a dedicated Data Protection Officer (DPO)
Formalization of the Incident Response and Breach Notification Plan
Implementation of automated point-in-time backup encryption verification

4. Vulnerability Reporting

If you discover a security vulnerability in the Foreman platform during the beta, we ask that you report it to us confidentially at security@foreman.company. Please do not disclose vulnerabilities publicly until we have verified and patched the issue.