A single page for procurement, security teams, and anyone who wants the substance of how Forepost handles your data, your screen, and the AI calls in between. Each section here is a summary; full detail lives on the linked deep-dive pages.

At a glance

Topic | Stance | Detail
Data residency | EU-West primary (Cloudflare D1 in London) | Privacy & data handling
Authentication | Clerk · RS256 JWT · azp allowlist | Security model
Transport | HTTPS-only · TLS 1.3 · HSTS preload | Security model
AI sub-processor | Anthropic (Claude) · US | Privacy & data handling
AI input scope | Aggregated workspace metrics + your team list · no ticket bodies, no message text | Privacy & data handling
Accessibility | WCAG 2.1 AA · EAA stance | Accessibility
GDPR rights | Access, rectification, erasure, portability, object | Privacy & data handling

What Forepost does with your data

Forepost reads what you (or your helpdesk integration) tell it about your support function — eight headline metrics, your team list, your platform — and writes a Daily Brief plus a Weekly Watch. Three categories of data flow through:
  1. Workspace metrics + team list (volume, CSAT, response time, agent names, etc.) → stored in Cloudflare D1, sent to Anthropic to generate the brief prose, surfaced back in your app.
  2. Subscription preferences (email, timezone, Slack webhook) → stored in D1, used by the hourly cron to fire scheduled deliveries.
  3. Authentication data (email, name, session tokens) → handled entirely by Clerk; Forepost stores only your Clerk user ID.
What we explicitly do not store: raw ticket bodies, message text, conversation history (Ask Forepost sessions are in-memory only), or read-receipt / analytics pixels. Full breakdown on Privacy & data handling.

What Forepost sends to Anthropic

When a brief or digest is generated, the system prompt to Anthropic includes:
  • Your eight metric values + deltas
  • Your team list (first names, ticket counts, CSAT, flag state, notes you typed)
  • Your industry + ARR band (for benchmark context)
  • The last week’s queued actions (for follow-through commentary)
It does not include: ticket content, customer PII, raw integration responses, or anything outside the structured fields you’ve entered. Anthropic’s commercial terms govern retention on their side.

Security posture

  • All traffic over HTTPS; browser access is restricted to allowed origins via CORS. (CORS only governs which origins a browser will let read a response; it is not an authentication control, which is why the JWT check below runs on every call.)
  • Server-side JWT verification on every API call: the RS256 signature and the azp allowlist are checked before any handler runs.
  • Workspace data is keyed by Clerk user ID, and every query is scoped to the ID taken from the verified JWT rather than from the request, so one user's requests cannot address another user's rows.
  • Helpdesk integration secrets (OAuth tokens) encrypted at rest with AES-GCM.
  • Per-user rate limits on AI calls and manual sends.
  • All admin actions logged to an append-only audit table.
Full posture, including our position on each OWASP Top 10 category, is on the Security model page.

What’s coming

Item | Status
SOC 2 Type II | Controls in place; audit pending revenue threshold
SAML SSO for Enterprise | Roadmap
In-app account deletion flow | Roadmap (manual via email today)
EU Accessibility Act formal complaints procedure | Before EU launch
Automated axe-core / Pa11y in CI | Planned

Talk to us

A Data Processing Agreement (DPA) template is available on request for any B2B customer.