This page is the current list of Approved Subprocessors that process Engagement Data, maintained per Forge's Data Processing Agreement §5.2. The descriptions below match the DPA verbatim and are the source of truth referenced by every executed DPA.

| Subprocessor | Service Provided | Location |
|---|---|---|
| Cloudflare, Inc. | Object storage (encrypted at rest) for Engagement Data files | United States |
| Neon Inc. | Managed PostgreSQL database hosting for engagement metadata, findings, and audit log | United States |
| Inngest, Inc. | Durable function execution for engagement orchestration | United States |
| Anthropic, PBC | Large language model API used for generating finding narrative; processed under Anthropic's commercial terms which do not permit use of Client inputs or outputs to train models | United States |
| Upstash, Inc. | Managed Redis service used for rate-limiting and abuse-prevention controls; processes user identifiers and IP addresses but does not process Engagement Data content | United States |
| Resend, Inc. | Transactional email delivery for authentication links and engagement notifications; processes recipient email addresses and message metadata but does not process Engagement Data content | United States |
| Functional Software, Inc. (d/b/a Sentry) | Error monitoring and performance telemetry for the Forge portal; may incidentally process fragments of Engagement Data appearing in unhandled-exception stack traces and request context, with personally identifiable information scrubbed at the SDK layer; configured to operate in Sentry's United States data region | United States |

For clarity, Forge engages other service providers (such as payment processing) that do not process Engagement Data and are therefore not subprocessors under the DPA.

Forge will provide Clients with at least thirty (30) days prior written notice before engaging any new subprocessor or replacing an existing subprocessor that processes Engagement Data. A Client may object to a proposed change by providing written notice to Forge within fifteen (15) days of receiving Forge's notice. The objection process and its consequences are governed by DPA §5.3.

Engagement Data is processed and stored exclusively in the United States. Each subprocessor above is provisioned to operate in a United States region or jurisdiction. Forge does not currently offer data residency commitments outside the United States.

To object to the use of a subprocessor on this list, to request notice of any proposed change, or to receive a copy of any subprocessor's published Data Processing Agreement or third-party security report, contact joel@forgeassessment.com.