Foresera

Security

How Foresera protects your data and the infrastructure behind our platform.

1. Infrastructure

Foresera uses a split architecture: a static frontend served via Vercel's global CDN, and a dedicated API server hosted on Google Cloud Compute Engine.

  • Frontend hosting — The Foresera web application is deployed on Vercel's edge network with automatic HTTPS, DDoS mitigation, and global CDN caching.
  • API hosting — Our backend API runs on a dedicated Google Cloud Compute Engine instance in the us-central1 region, managed with PM2 for process supervision and automatic restarts.
  • Encryption in transit — All communication between your browser and our servers uses HTTPS with TLS. API requests, form submissions, and file uploads are encrypted in transit. We enforce HSTS headers with a one-year max-age policy.
  • Security headers — Our API enforces a strict Content Security Policy (CSP), X-Content-Type-Options, X-Frame-Options, and Strict-Transport-Security headers via Helmet.js.

2. Authentication & Access Control

We use industry-standard authentication and enforce role-based access throughout the platform.

  • Authentication provider — User authentication is managed by Clerk, a SOC 2 Type II certified authentication provider. We do not store passwords — session verification and multi-factor authentication are handled entirely by Clerk.
  • Role-based access — Users are assigned roles (Admin, Editor, Viewer) within their organization. API endpoints enforce role-based access checks before returning data or performing actions.
  • Rate limiting — Global rate limiting is applied to all API endpoints (100 requests per minute per IP), with stricter limits on authentication endpoints (20 requests per minute) to prevent brute-force attacks.
  • Webhook verification — Incoming webhooks from third-party services (Stripe, Resend, Figmant) are verified using HMAC signatures or provider-specific signature verification before processing.
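
The HMAC check described under Webhook verification, shown as an added example that is not Foresera's own code: a generic HMAC-SHA256 scheme in Node.js in which the sender signs `<timestamp>.<raw body>`. The function names, the five-minute replay window, and the sample secret and payload are assumptions constructed for illustration; each provider defines its own signature format.

```javascript
// Added example: generic HMAC-SHA256 webhook check, not Foresera's implementation.
const crypto = require("node:crypto");

const TOLERANCE_SECONDS = 300; // assumed replay window (hypothetical value)

// The MAC covers "<timestamp>.<rawBody>", so the timestamp cannot be swapped.
function signPayload(secret, timestamp, rawBody) {
  return crypto
    .createHmac("sha256", secret)
    .update(`${timestamp}.${rawBody}`, "utf8")
    .digest("hex");
}

// rawBody must be the exact bytes received, captured before any JSON parsing.
function verifyWebhook({ secret, rawBody, timestamp, signature, now }) {
  if (!/^\d{1,12}$/.test(String(timestamp))) {
    return { ok: false, reason: "bad-timestamp" };
  }
  if (Math.abs(now - Number(timestamp)) > TOLERANCE_SECONDS) {
    return { ok: false, reason: "stale" };
  }
  // Fixed-length hex check keeps timingSafeEqual from throwing on length mismatch.
  if (typeof signature !== "string" || !/^[0-9a-f]{64}$/.test(signature)) {
    return { ok: false, reason: "bad-signature-format" };
  }
  const expected = Buffer.from(signPayload(secret, String(timestamp), rawBody), "hex");
  const given = Buffer.from(signature, "hex");
  return crypto.timingSafeEqual(expected, given)
    ? { ok: true, reason: null }
    : { ok: false, reason: "mismatch" };
}

// Constructed sample data: secret, payload and clock are made up for this example.
const SECRET = "constructed-test-secret";
const BODY = '{"event":"document.processed","id":"evt_constructed_1"}';
const SENT_AT = 1700000000;
const SIG = signPayload(SECRET, SENT_AT, BODY);

function demo() {
  const base = { secret: SECRET, rawBody: BODY, timestamp: String(SENT_AT), signature: SIG };
  return {
    valid: verifyWebhook({ ...base, now: SENT_AT + 30 }),
    tampered: verifyWebhook({ ...base, rawBody: BODY.replace("evt_", "evx_"), now: SENT_AT + 30 }),
    replayed: verifyWebhook({ ...base, now: SENT_AT + 3600 }),
    malformed: verifyWebhook({ ...base, signature: "abc", now: SENT_AT + 30 }),
  };
}

console.log(demo());
```

Rejecting stale timestamps before comparing MACs bounds how long a captured request stays replayable, and the constant-time comparison avoids leaking how many leading bytes of a guessed signature were correct.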

3. Data Handling

We minimize the data we collect and limit how it flows through our systems.

  • Direct-to-storage uploads — PDF documents are uploaded directly to cloud storage via time-limited signed URLs. Your files travel from your browser to storage without passing through our application server.
  • Server-side secrets — All API keys and credentials for third-party services are stored as environment variables on the server. They are validated at startup using schema validation (Zod) and are never included in frontend code or client responses.
  • Input validation — All API request bodies are validated using Zod schemas before processing. Database queries use parameterized statements via Prisma ORM, preventing SQL injection.
  • Activity logging — User actions (uploads, downloads, settings changes, team management) are recorded in an audit log with timestamps and user attribution.

4. Document Security

Document compliance is our core service. We take extra precautions with uploaded files.

  • File type validation — Only PDF files are accepted for compliance processing. File type validation occurs before signed upload URLs are issued.
  • File size limits — Upload limits are enforced at both the client and server level to prevent abuse and ensure reliable processing.
  • Signed URL expiration — Upload URLs are cryptographically signed and expire after a short time window. Expired URLs cannot be reused.
  • Processing isolation — Document analysis and remediation is performed by our processing partner (Figmant) in isolated execution environments on Google Cloud Run. Documents are processed individually and do not share resources across users.

5. Your Data Rights

We support your right to access, export, and delete your personal data.

  • Data export — You can request a full export of your personal data, including your profile, activity history, and associated documents. Exports are provided as downloadable JSON files.
  • Account deletion — You can permanently delete your account and all associated data. This action removes your user profile, organization data (if you are the sole administrator), uploaded documents, and audit history. Activity logs are anonymized to preserve organizational audit trails.
  • Data minimization — We only collect information necessary to provide the service: your email, name, and the documents you upload. We do not sell or share your personal data with third parties for marketing purposes.

6. Incident Response

We maintain processes for identifying, responding to, and recovering from security incidents.

  • Monitoring — We monitor our infrastructure for unusual activity, error rates, and service degradation using application-level health checks and process monitoring.
  • Response process — In the event of a confirmed security incident, we will promptly investigate the scope and impact, take steps to contain and remediate the issue, and notify affected users as required by applicable law.
  • Responsible disclosure — If you discover a security vulnerability in our platform, please report it to security@foresera.com. We ask that you give us reasonable time to investigate and address the issue before any public disclosure.

7. Ongoing Commitment

Security is an ongoing effort. We continuously improve our practices as our platform evolves.

  • Dependency management — We monitor software dependencies for known vulnerabilities and apply patches in a timely manner.
  • CORS policy — API access is restricted to whitelisted origins. Production requests are only accepted from foresera.com and authorized Vercel preview deployments.
  • Continuous improvement — We regularly review and update our security practices, infrastructure configurations, and access policies in response to new threats and industry best practices.

Questions about our security practices? Contact us at security@foresera.com.