Security at Foreman.

Users sign in with their existing Autodesk account. There's no separate Foreman password to create or remember, and we never see one. Your profile (name, email, avatar, job title, company) is pulled from Autodesk on each sign-in.

• Autodesk SSO — Primary login. Passwords never reach our servers
• OAuth 2.1 with PKCE — All API and MCP integrations authenticate via OAuth 2.1 with mandatory Proof Key for Code Exchange
• Two-factor authentication — Enforced for all system administrators using password-based login, via authenticator app (TOTP)
• Passkey support — WebAuthn/FIDO2 for phishing-resistant, passwordless sign-in (fingerprint, Face ID, security key)
• Account lockout — Automatic lockout after 5 failed login attempts with a 15-minute cooldown period

Connections use TLS 1.2 or higher. APS credentials and OAuth tokens get an extra layer of encryption before they hit the database, so a database dump alone won't yield usable secrets.

• TLS encryption — All connections are encrypted via TLS, terminated at the reverse proxy
• Encryption at rest — APS credentials and OAuth tokens are encrypted using the .NET Data Protection API before database storage
• Secure cookies — Session cookies are HTTPS-only, HttpOnly (invisible to JavaScript), and use the SameSite=Lax attribute
• Opaque reference tokens — OAuth access tokens are stored as opaque references in the database, enabling immediate revocation

Three checks gate every request: your role, your tenant, and whether your plan unlocks that feature.

• Role-based policies — User, Admin, and Organization Admin roles with distinct permission boundaries
• Per-project MCP access — Each user explicitly enables which projects are accessible to AI assistants. Only opted-in project data can be returned to the AI provider.
• Per-tool opt-out — Users can disable individual MCP tools to limit what data can be retrieved by AI assistants
• Tenant isolation — Each organization's data is isolated via tenant-scoped access policies
• Subscription gating — Feature access enforced by subscription tier, preventing unauthorized use

Foreman runs on self-managed servers in EU data centres. Databases, file storage, and backups all stay in the EU. The company behind Foreman is IssueLab, registered in England.

• EU-based servers — All infrastructure is hosted in EU data centres, ensuring your data never leaves the European Union
• Self-hosted containers — Application, database, MCP server, and reverse proxy run as isolated Docker containers on dedicated hardware
• PostgreSQL 16 — All queries use parameterized statements, preventing SQL injection
• Reverse proxy — Caddy terminates TLS and enforces trusted forwarded headers from internal networks only
• No third-party cloud storage — No application data is stored in AWS, Azure, GCP, or any other third-party cloud platform
• Rate limiting — Authentication endpoints are rate-limited to 10 requests per minute per IP address

Standard web-app hardening, on top of the framework defaults:

We collect what's needed to run the service and not much else. You can export or delete your personal data from Account Settings at any time.

How your data is handled

• Forma files are never stored — When running QA checks or browsing files from your Autodesk projects, data is streamed from the Autodesk API, processed in memory, and discarded. Your project files are never written to our servers.
• Credentials encrypted at rest — APS client secrets and OAuth refresh tokens are encrypted using the .NET Data Protection API before database storage. Plain-text credentials are never persisted.
• Automatic token cleanup — Expired and revoked OAuth tokens are automatically pruned by a scheduled job
• No third-party data sharing — We do not sell, share, or transfer your data. Outside of AI features (described below), the only external API Foreman communicates with is Autodesk Platform Services, on your behalf and using your own credentials.

AI features & third-party AI providers

Foreman's AI features (the built-in Chat assistant and the MCP server) rely on third-party AI providers. When you use them, your prompts and the related tool responses go to the provider. Worth understanding how that affects your data:

• Data sent to AI providers — When MCP tools are invoked by an AI assistant (e.g. Claude, ChatGPT, Cursor), your prompts and the tool responses — which may include project names, file names, member names, and folder structures — are processed by the AI provider. This data is subject to the AI provider's own data handling and privacy policies, not Foreman's.
• You choose which AI provider to use — Foreman's MCP server is an open standard (OAuth 2.1 authenticated) and does not mandate a specific AI provider. You connect the AI client of your choice and are responsible for reviewing that provider's terms.
• Foreman Assistant — The built-in chat assistant uses Anthropic's Claude API. Conversations are sent to Anthropic for processing. Anthropic's data policies apply to this data in transit and during processing. Conversation history is stored on Foreman's EU servers, not with Anthropic.
• Per-project and per-tool controls — Users explicitly choose which projects and which MCP tools are accessible. No project data is exposed to AI providers unless you opt in.
• Organization-level AI disable — Organization administrators can completely disable AI Chat for all users from Settings > Data & Privacy, ensuring no data is sent to AI providers.

Automatic retention policies

Temporary data is purged automatically. Caps depend on your plan:

Organization administrators can customise retention periods from Settings > Data & Privacy.

Organization admin controls

Organization admins can change the defaults below under Organization > Settings > Data & Privacy.

Your rights

• Personal data export — Download all your personal data at any time from Account Settings, in compliance with GDPR Article 20 (right to data portability)
• Account deletion — Submit a deletion request from your Account Settings (GDPR Article 17, right to erasure). Requests are reviewed to ensure shared data and active projects are handled properly. You'll receive email notification of approval or rejection.
• UK GDPR & EU GDPR compliance — As a UK-based company operating EU infrastructure, Foreman complies with both the UK GDPR and the EU General Data Protection Regulation

For full details, see our Privacy Policy.

What gets logged, and what admins can see:

• System logging — Warning-level and above events are captured to a database-backed audit log with user and tenant context
• MCP tool usage tracking — Every AI tool invocation is recorded with tool name, duration, success/failure, and timestamp
• Access request audit trail — Every submission, approval, rejection, and revocation is logged with timestamps

Found a vulnerability or have a concern about your data? Email us. Acknowledgement and response times are listed below.