
Security

Last updated: 2nd of Jan, 2026

1. Overview

At Forescribe, we believe security is not a feature — it’s a responsibility.

Our mission is to ensure that every customer interaction, every byte of data, and every digital transaction across our platform is secure, compliant, and reliable.

This Security Policy details the organizational, technical, and operational measures implemented to safeguard customer data. Our controls are designed to meet or exceed global standards and regulations such as ISO/IEC 27001, SOC 2 Type II, the NIST Cybersecurity Framework, GDPR (EU), the DPDP Act (India), and CCPA (U.S.).

We maintain data centers and processing locations in the United States, the United Kingdom, and India, allowing customers to comply with regional data sovereignty requirements.

For related documentation, please refer to our:

  • Trust Center
  • Data Processing Addendum
  • Privacy Policy
  • Support Policy

2. Data Protection and Encryption

Encryption Standards

We employ multi-layered encryption to protect data both in transit and at rest:

  • In Transit: All communications between users, systems, and APIs use TLS 1.2 or later with AES-256 cipher suites and forward secrecy (ephemeral key exchange), so that a compromised long-term key cannot be used to decrypt previously captured traffic.
  • At Rest: All sensitive data is encrypted with AES-256, so stored information remains protected even if physical access to the storage media is compromised.
  • Key Management: All encryption keys are managed through a Key Management System (KMS) with automated key rotation, strict access control, and audit logging.
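The in-transit policy above (TLS 1.2 or later, AES-256, forward secrecy) is something a practitioner will want to enforce in server configuration and verify against a negotiated cipher suite. The following is an added example and not Forescribe's code: it shows a permissive Python ssl context beside a hardened one, and a check that classifies IANA- or OpenSSL-style cipher suite names against the policy. The cipher strings, certificate paths and the exclusion of ChaCha20 and AES-128 suites are assumptions that follow the wording of the policy, not Forescribe's actual configuration.

```python
"""TLS server policy: TLS 1.2+, AES-256 cipher suites, forward secrecy.

Added example, not Forescribe's code. Cipher strings and file paths are
assumptions chosen to illustrate the policy stated above.
"""
import ssl
from typing import Optional


def permissive_server_context() -> ssl.SSLContext:
    """Weak setting: accepts TLS 1.0 and every OpenSSL default suite,
    including static-RSA key exchange, which has no forward secrecy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("DEFAULT")
    return ctx


def hardened_server_context(certfile: Optional[str] = None,
                            keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Corrected setting matching the in-transit policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites: ephemeral (EC)DHE key exchange with AES-256 only.
    # TLS 1.3 suites are fixed by OpenSSL and always use an ephemeral exchange.
    ctx.set_ciphers("ECDHE+AES256:DHE+AES256:!aNULL:!eNULL:!MD5")
    ctx.options |= ssl.OP_NO_COMPRESSION          # CRIME mitigation
    if certfile:                                   # paths are assumptions
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def suite_meets_policy(name: str) -> bool:
    """Classify a cipher suite name (IANA 'TLS_..._WITH_...' or OpenSSL
    'ECDHE-RSA-...') against the policy.

    Forward secrecy needs an ephemeral key exchange: ECDHE or DHE in a
    TLS 1.2 name, and every TLS 1.3 suite (names without '_WITH_').
    AES-256 is matched literally; ChaCha20 and AES-128 suites are rejected
    because the policy names AES-256 (an assumption about its intent).
    """
    n = name.upper()
    aes256 = "AES_256" in n or "AES256" in n
    if n.startswith("TLS_") and "_WITH_" not in n:   # TLS 1.3 suite
        return aes256
    ephemeral = "DHE" in n                           # matches DHE and ECDHE
    return ephemeral and aes256


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """Verify the minimum protocol version and every enabled pre-1.3 suite."""
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        return False
    return all(suite_meets_policy(c["name"]) for c in ctx.get_ciphers()
               if c["protocol"] != "TLSv1.3")


if __name__ == "__main__":
    print("hardened context meets policy:",
          context_meets_policy(hardened_server_context()))
```

`context_meets_policy` reads the suites OpenSSL actually enabled rather than trusting the cipher string, which is the check to run in a deployment test after any change to the TLS configuration.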

Data Segregation and Residency

  • Customer data is logically segregated to ensure isolation and prevent unauthorized cross-access.
  • Data residency options are available in the U.S., U.K., and India. Customers may choose their preferred region for compliance with CCPA, DPDP, GDPR, or other jurisdictional mandates.
  • All data transfers comply with applicable international data transfer mechanisms such as Standard Contractual Clauses (SCCs) and DPDP cross-border provisions.

3. Identity and Access Management (IAM)

Forescribe follows a Zero Trust Architecture and enforces the principle of Least Privilege Access.

Access Controls

  • Role-Based Access Control (RBAC): Access is defined by user role and operational responsibility.
  • Separation of Duties: No individual has end-to-end control over production systems without oversight.
  • Access Review: Access rights are reviewed quarterly and revoked immediately upon employee offboarding.

Authentication

  • Multi-Factor Authentication (MFA) is mandatory for all privileged users.
  • Single Sign-On (SSO) via OAuth 2.0 and SAML 2.0 is supported for secure user authentication.
  • Session Management: Idle sessions auto-expire; repeated failed logins trigger account locks.

Audit Logging

All authentication events, access changes, and privilege escalations are logged and continuously monitored.
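The session-management and audit-logging controls above (idle sessions expire, repeated failed logins lock the account, every authentication event is logged) are the kind of thing an engineer implementing or reviewing a login service has to get right, including the edge cases: a locked account must not keep consuming guesses, a successful login must reset the failure counter, and an expired session must be removed rather than silently renewed. The following is an added example and not Forescribe's code; the thresholds, the PBKDF2 parameters and the injectable FakeClock are assumptions chosen for illustration.

```python
"""Idle-session expiry, failed-login lockout and auth-event audit logging.

Added example; not Forescribe's code. Thresholds, hashing parameters and
the FakeClock are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

IDLE_TIMEOUT_S = 15 * 60      # assumption: idle sessions expire after 15 minutes
MAX_FAILED_LOGINS = 5         # assumption: lock after 5 consecutive failures
LOCKOUT_S = 30 * 60           # assumption: lockout lasts 30 minutes
PBKDF2_ITERATIONS = 100_000   # assumption; tune to your hardware


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_logins: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    username: str
    last_seen: float


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AuthService:
    """Minimal authentication service with a clock injected for testing."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}
        self.audit_log: List[dict] = []   # in production this stream feeds the SIEM

    def _audit(self, event: str, **fields) -> None:
        self.audit_log.append({"ts": self.clock(), "event": event, **fields})

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a session token on success, None on any failure."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            _hash_password(password, b"\x00" * 16)   # same cost as a real check
            self._audit("login_failed", user=username, reason="unknown_user")
            return None
        if acct.locked_until > now:
            # Rejected before the password is checked, so guessing cannot continue.
            self._audit("login_rejected", user=username, reason="locked")
            return None
        if not hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_logins += 1
            if acct.failed_logins >= MAX_FAILED_LOGINS:
                acct.locked_until = now + LOCKOUT_S
                acct.failed_logins = 0
                self._audit("account_locked", user=username, until=acct.locked_until)
            else:
                self._audit("login_failed", user=username, reason="bad_password",
                            failed=acct.failed_logins)
            return None
        acct.failed_logins = 0                 # success resets the counter
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, now)
        self._audit("login_ok", user=username)
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Resolve a token to a username, expiring sessions that were idle too long."""
        now = self.clock()
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess.last_seen > IDLE_TIMEOUT_S:
            del self.sessions[token]
            self._audit("session_expired", user=sess.username)
            return None
        sess.last_seen = now                   # activity extends the idle window
        return sess.username

    def logout(self, token: str) -> None:
        sess = self.sessions.pop(token, None)
        if sess is not None:
            self._audit("logout", user=sess.username)


class FakeClock:
    """Controllable clock so expiry and lockout can be exercised without sleeping."""

    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds
```

The same None is returned to the caller for an unknown user, a wrong password and a locked account, so the client learns nothing from the response; the distinction lives only in the audit log, which is the stream a SIEM correlates to spot password spraying against many accounts.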


4. Secure Software Development Lifecycle (SSDLC)

Security is embedded into every step of our engineering process.

Development Practices

  • Secure Coding: Developers follow OWASP Top 10 and SANS standards.
  • Code Reviews: Every code change undergoes peer review and automated static code analysis.
  • Dependency Scanning: Third-party libraries are regularly updated and are automatically scanned for vulnerabilities and license risks.
  • Threat Modeling: Conducted during design phase for all new features.

Testing & Validation

  • Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) tools are integrated into CI/CD pipelines.
  • Penetration Tests: Vulnerability assessment and penetration tests (VAPT) are conducted periodically by certified external security firms. Request our latest VAPT report via email at security@forescribe.ai.
  • Secure Deployment: Infrastructure-as-Code templates enforce consistent, secure provisioning.

5. Data Storage, Retention, and Disposal

  • Data Storage: Customer data resides in hardened, Tier 4 data centers managed by compliant cloud service providers (AWS, GCP, or Azure).
  • Backups: Data is backed up daily, encrypted, and stored across multiple availability zones.
  • Retention: Data retention aligns with customer agreements, legal requirements, and the DPDP Act, GDPR, and CCPA.
  • Disposal: Data deletion follows secure wipe protocols (NIST SP 800-88) ensuring irrecoverability.

6. Compliance and Certifications

Forescribe’s security and privacy posture aligns with global frameworks and emerging regulations:

  • ISO/IEC 27001 — Information Security Management
  • SOC 2 Type II — Controls for Security, Availability, and Confidentiality (in progress)
  • GDPR — EU Data Protection Regulation
  • DPDP — IN Digital Personal Data Protection Act
  • CCPA — California Consumer Privacy Act
  • HIPAA — Health Information Privacy (U.S.)

We conduct annual third-party audits to ensure continued compliance. Detailed compliance artifacts are available at our Trust Center or can be requested at security@forescribe.ai.


7. Monitoring and Threat Detection

We maintain 24x7x365 proactive monitoring and automated anomaly detection:

  • SIEM Integration: Centralized log aggregation and correlation for real-time threat visibility.
  • IDS/IPS: Network Intrusion Detection and Prevention Systems flag abnormal patterns.
  • Endpoint Protection: All systems use EDR tools with behavioral analytics.
  • Alerting & Response: High-severity alerts trigger automated notifications to the on-call SOC team. Logs are retained per compliance requirements and reviewed regularly for suspicious activities.

8. Incident Response and Breach Management

Our Incident Response Plan (IRP) follows NIST SP 800-61 guidelines:

  • Detection & Analysis: Events are triaged within defined SLA thresholds.
  • Containment: Affected systems are isolated to prevent lateral movement.
  • Eradication: Threats are neutralized, and compromised assets reimaged.
  • Recovery: Services restored from clean backups.
  • Post-Incident Review: Root cause analysis (RCA) and prevention measures are documented.

Customers are notified promptly in compliance with GDPR, CCPA, DPDP, and other regulations.


9. Vendor and Third-Party Risk Management

All vendors undergo comprehensive Security Risk Assessments (SRAs) before integration:

  • Vendors must meet SOC 2 / ISO 27001 standards.
  • Data Processing Agreements (DPAs) are in place with all subprocessors.
  • Regular reassessments ensure continued compliance and security hygiene.

The list of vendors and subprocessors is available on our Legal page and in the DPA.


10. Employee Security and Training

Human awareness is our first line of defense:

  • All employees complete mandatory onboarding and annual security training.
  • Role-specific training covers secure coding, phishing awareness, and data handling.
  • Strict Confidentiality and Acceptable Use Agreements govern all staff.
  • Background verification is mandatory for all full-time and contract hires.

11. Communication and Collaboration Security

All internal and external communications use secure, authenticated channels:

  • TLS-encrypted email, HSTS-enabled web traffic, and data loss prevention (DLP) rules in collaboration tools.
  • Access to company systems requires SSO and MFA.
  • No confidential information is transmitted over public networks without encryption.

12. Business Continuity and Disaster Recovery

Our BCP and DR frameworks are designed to maintain availability and to recover quickly from disruption:

  • Redundant Systems: Deployed across the U.S., U.K., and India for high availability.
  • Backup Verification: Weekly restore testing and checksum validation.
  • RPO: ≤ 24 hours
  • RTO: ≤ 8 hours
  • DR Drills: Conducted semi-annually with documented outcomes.

13. Vulnerability Management

We run automated and manual vulnerability scans across the application, container, and infrastructure layers.

Patches applied on a risk-based schedule:

  • Critical: < 24 hours
  • High: < 72 hours
  • Medium: < 7 days

Remediation is verified and tracked through our ticketing and SIEM systems.


14. Customer Security Responsibilities

Forescribe secures the platform and its underlying infrastructure, but customers must:

  • Enforce strong password and MFA policies within their organization.
  • Manage user roles, permissions, and API access securely.
  • Regularly review and update access control lists.
  • Report any suspicious activity promptly via Support.

15. Governance, Reviews, and Policy Updates

This policy is reviewed quarterly or after any significant organizational, technical, or regulatory change. Updates are communicated via emails and newsletters.

All questions or reports related to security can be directed to security@forescribe.ai.

References

  • Trust Center
  • Privacy Policy
  • Legal & Data Processing Addendum
  • Support Policy
  • Terms of Service

“At Forescribe, we see security as the ultimate trust contract. Our customers entrust us with their most valuable data, and we are committed to upholding that trust through transparency, compliance, and innovation.”
— CISO, Forescribe

© Forescribe® | All rights reserved.