Data sources
Every record is sourced from licensed providers, public records, partner feeds, or first-party submissions with valid consent. Each field carries provider, license, refresh cadence, and permitted-use metadata.
View the source catalog →Consent management
An append-only consent ledger records every opt-in, opt-out, and jurisdictional rule. Suppressions propagate across destinations within minutes of capture.
Retention & deletion
Customer workspace data is retained per contract. Prospect data is refreshed on a licensed cadence and purged when license, consent, or permitted use lapses. DSAR fulfillment within 30 days.
Security architecture
Encryption in transit (TLS 1.2+) and at rest (AES-256). Least-privilege IAM. Workspace isolation. Hardened cloud baseline. See the Security overview for control families.
Security overview →Subprocessors
We maintain a current list of subprocessors used to deliver the service. Material changes are announced before they take effect.
Privacy requests
Data subject access, deletion, and portability requests are handled by privacy@coreforge.example. Honored regardless of where the request originates.
Compliance posture
GDPR and CCPA aligned. SOC 2 Type I audit in progress (Q3 2026) with Type II observation window through 2027. "SOC 2 ready" means the controls are designed, documented, and operating — but the independent attestation report has not yet been issued. Not used for credit, housing, employment, insurance, or healthcare eligibility decisions.
AI governance
Models are grounded in source-attributed data. We do not train foundation models on customer data. Every AI-drafted output cites the underlying signals and sources.
Incident response
24/7 monitoring with documented runbooks. Material incidents reported to affected customers within 72 hours per contract.
Vulnerability disclosure
Report suspected issues to security@coreforge.example. We commit to acknowledgement within 2 business days and a remediation timeline within 10.