Our Commitment
Security is not an afterthought at StokeForge — it's built into how we design, develop, and operate every part of the platform. We understand that manufacturers entrust us with sensitive business data: strategic plans, cost structures, supplier relationships, and production details that represent years of operational knowledge.
We treat that trust seriously. Below is an honest, non-marketing description of how we approach security. We will update this page when our practices change.
Infrastructure Security
Cloud Hosting
StokeForge is hosted on industry-leading cloud infrastructure that maintains SOC 2 Type II, ISO 27001, and FedRAMP certifications. Our infrastructure providers operate physically secure data centers with redundant power, networking, and environmental controls.
Network Isolation
Application components run in isolated network environments with strict firewall rules. Access between services follows the principle of least privilege — each component can only communicate with the services it explicitly needs. Public-facing services are fronted by a web application firewall (WAF) and DDoS mitigation layer.
Availability
We deploy across multiple availability zones to reduce the impact of infrastructure failures. Our target uptime is 99.5% per month, as defined in our Service Level Agreement. Scheduled maintenance is performed during off-peak hours with advance notice.
Encryption
Data in Transit
All communication between your browser and our platform is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints and redirect any plain HTTP request to HTTPS. API connections require encrypted transport. We send HSTS headers so browsers refuse to fall back to unencrypted connections, preventing protocol downgrade attacks.
Data at Rest
All customer data stored in our databases and object storage is encrypted at rest using AES-256. Encryption keys are managed through a dedicated key management service with access auditing and automated rotation.
Secrets Management
Application credentials, API keys, and secrets are stored in a dedicated secrets manager — never in source code, environment variable files, or logs. Access to secrets is tightly controlled and audited.
Access Controls
Customer Access
Within your account, you control who has access and at what permission level. Administrators can add and remove users, assign roles, and review access logs. We recommend enabling multi-factor authentication (MFA) for all users, particularly account administrators. MFA is available on all plan tiers.
Employee Access
StokeForge employees follow the principle of least privilege: access to production systems and customer data is granted only when required for a specific operational purpose and is reviewed regularly. All production access is logged. Employees with access to customer data undergo background checks and sign confidentiality agreements.
Authentication
Passwords are hashed using bcrypt with a high work factor — we never store plaintext passwords. We support SSO integration (SAML 2.0) for Pro and Consultant tier subscribers who need centralized identity management.
Monitoring & Logging
We maintain comprehensive logging of:
- Authentication events (logins, failures, MFA events)
- Administrative actions within accounts
- API requests and responses (excluding sensitive body content)
- Infrastructure events, configuration changes, and deployments
- Anomalous patterns suggesting unauthorized access or abuse
Logs are retained for a minimum of 90 days and are stored in an environment isolated from production so that a compromise of production systems cannot be used to tamper with them. Automated alerting notifies our security team of suspicious patterns 24/7.
Incident Response
We maintain a documented incident response plan that is reviewed and tested regularly. In the event of a confirmed security incident affecting your data:
- We will notify affected customers within 72 hours of confirming the incident — or sooner if required by applicable law
- Notification will include the nature of the incident, data affected, steps we have taken, and actions we recommend
- We will provide updates as the investigation progresses until resolution
- A post-incident summary will be available upon request
Security incidents should be reported to security@stokeforge.com. We treat all reports seriously and will confirm receipt within 24 hours.
Compliance Scope
StokeForge is designed for general commercial manufacturing operations. Our current compliance posture includes:
- GDPR: We operate as a data processor under GDPR. A Data Processing Agreement is available for customers who require it. See our DPA.
- California privacy law: We comply with California privacy requirements. We do not sell personal information. See our Privacy Policy.
- SOC 2: Our cloud infrastructure providers maintain SOC 2 Type II certification. A StokeForge-level SOC 2 audit is on our roadmap.
- ITAR / export control: StokeForge is NOT certified or compliant for defense-related, export-controlled data. See the ITAR Notice below.
- HIPAA: StokeForge is not designed or configured as a HIPAA-covered service. Do not upload protected health information.
ITAR & Export Control Notice
Our platform has not been designed, certified, or assessed for use with data subject to the International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), Controlled Unclassified Information (CUI) frameworks, or DFARS cybersecurity requirements (including CMMC). Do not use StokeForge to store, transmit, or process defense-controlled technical data, classified information, or export-restricted designs. See our Acceptable Use Policy for details.
Responsible Disclosure
We welcome reports of security vulnerabilities from the security research community. If you discover a potential vulnerability in our platform, please:
- Email your findings to security@stokeforge.com with a detailed description and reproduction steps
- Give us reasonable time (at least 90 days) to investigate and remediate before public disclosure
- Avoid accessing, modifying, or deleting data belonging to other customers during your research
- Do not perform denial-of-service attacks, phishing, or social engineering as part of your research
We will acknowledge receipt within 24 hours, keep you informed of our progress, and credit you in our acknowledgments (if you'd like) upon resolution. We do not have a formal bug bounty program at this time, but we treat all good-faith reports with respect and appreciation.
Security Contact
Security incidents & vulnerability reports: security@stokeforge.com
General legal & compliance: legal@stokeforge.com