Security

Security Overview

Protecting merchant and customer data is a core requirement at Forloy. We apply layered controls across infrastructure, application logic, and operational processes to reduce risk and keep data secure.

Infrastructure Security

Forloy data is hosted on Supabase (PostgreSQL) with Row Level Security controls. Network traffic is encrypted in transit using TLS, and stored data is encrypted at rest through managed cloud infrastructure.

Authentication and Session Security

We use Supabase Auth for authentication and access control. Session handling and token usage follow secure practices, including controlled lifetimes and protected transport to prevent unauthorized access.

Pass Data Security

Wallet pass data for Apple Wallet and Google Wallet is generated and delivered through authenticated API workflows. Pass updates are signed and transmitted over secure channels, and access to pass management actions is restricted to authorized users and services.

Compliance and Privacy Alignment

Our security program is aligned with established best practices and is evolving toward formal controls commonly expected in frameworks such as SOC 2. We also design our data handling with GDPR principles in mind, including purpose limitation and data minimization.

Responsible Disclosure

If you identify a potential vulnerability, please report it to [email protected]. Please include clear reproduction steps and impact details. We review reports promptly and coordinate remediation in good faith.