Security · Specification
Security at Foreman.
Your Autodesk Forma data is at the heart of your projects. Here's how we protect it at every layer — from authentication to infrastructure.
Autodesk-native identity.
Users sign in with their existing Autodesk account. We never see or store your users' passwords. Permissions inherit from Forma — Foreman can't show a user anything they couldn't already see in Forma.
Encrypted everywhere.
TLS 1.2+ in transit, AES-256 at rest. Hosted in Germany. EU and UK data-residency options available on request.
Your data, your control.
Full export at any time. 30-day deletion on cancellation. We do not use your data to train any model. No third-party analytics on customer content.
Authentication options
- Autodesk SSO (primary)
- Passkey (WebAuthn / FIDO2)
- Two-factor authentication (TOTP) for admin accounts
Compliance
Not currently SOC 2 certified. See our /security-feature for full detail.
Detailed security documentation available on request under NDA — email tech@issuelab.co.
Subprocessors
We publish a list of third-party services that may touch customer data.
View subprocessor listIncident response
We commit to notifying affected customers within 24 hours of confirming any security incident that affects customer data.
Security contact: tech@issuelab.co
Authentication & Identity
Foreman uses Autodesk identity as the primary authentication method. Users sign in with their existing Autodesk account — no separate passwords to create or manage. Your Autodesk profile, including name, email, avatar, job title, and company, is synced automatically on each sign-in.
- Autodesk SSO — Primary login for all regular users, inheriting Autodesk's enterprise-grade identity security
- OAuth 2.1 with PKCE — All API and MCP integrations authenticate via OAuth 2.1 with mandatory Proof Key for Code Exchange
- Two-factor authentication — Enforced for all system administrators using password-based login, via authenticator app (TOTP)
- Passkey support — WebAuthn/FIDO2 for phishing-resistant, passwordless sign-in (fingerprint, Face ID, security key)
- Account lockout — Automatic lockout after 5 failed login attempts with a 15-minute cooldown period
Data Encryption
All data is encrypted both in transit and at rest. We use industry-standard encryption to ensure your project data and credentials are never exposed.
- TLS encryption — All connections are encrypted via TLS, terminated at the reverse proxy
- Encryption at rest — APS credentials and OAuth tokens are encrypted using the .NET Data Protection API before database storage
- Secure cookies — Session cookies are HTTPS-only, HttpOnly (invisible to JavaScript), and use the SameSite=Lax attribute
- Opaque reference tokens — OAuth access tokens are stored as opaque references in the database, enabling immediate revocation
Access Control & Authorization
Foreman enforces multiple layers of access control to ensure users can only access what they're authorized to.
- Role-based policies — User, Admin, and Organization Admin roles with distinct permission boundaries
- Per-project MCP access — Each user explicitly enables which projects are accessible to AI assistants. Only opted-in project data can be returned to the AI provider.
- Per-tool opt-out — Users can disable individual MCP tools to limit what data can be retrieved by AI assistants
- Tenant isolation — Each organization's data is isolated via tenant-scoped access policies
- Subscription gating — Feature access enforced by subscription tier, preventing unauthorized use
Infrastructure & Hosting
Foreman runs on dedicated, self-managed infrastructure hosted in the European Union. Our servers are located in EU data centres, and all application data — including databases, file storage, and backups — remains within the EU at all times. Foreman is developed and operated by IssueLab, a company registered in England, United Kingdom.
- EU-based servers — All infrastructure is hosted in EU data centres, ensuring your data never leaves the European Union
- Self-hosted containers — Application, database, MCP server, and reverse proxy run as isolated Docker containers on dedicated hardware
- PostgreSQL 16 — All queries use parameterized statements, preventing SQL injection
- Reverse proxy — Caddy terminates TLS and enforces trusted forwarded headers from internal networks only
- No third-party cloud storage — No application data is stored in AWS, Azure, GCP, or any other third-party cloud platform
- Rate limiting — Authentication endpoints are rate-limited to 10 requests per minute per IP address
Application Security
Foreman implements defence-in-depth with multiple layers of application-level security controls.
Security Headers
Content-Security-Policy, X-Frame-Options DENY, X-Content-Type-Options nosniff, strict Referrer-Policy
CSRF Protection
Antiforgery tokens validated on all state-changing requests, with explicit bypass only for OAuth endpoints
Input Sanitization
HTML sanitization on user-generated content, model validation on all inputs, path traversal protection
Redirect Protection
All redirects validated as local URLs, preventing open redirect attacks
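The four controls above, wired into an ASP.NET Core 8 minimal API as an added illustration that is not Foreman's own code; the header values, route paths (including /oauth/callback) and the simplified local-URL rule are assumptions for the example.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);

// CSRF: antiforgery tokens, with the token-carrying cookie hardened like the session cookie.
builder.Services.AddAntiforgery(o =>
{
    o.Cookie.HttpOnly = true;
    o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    o.Cookie.SameSite = SameSiteMode.Lax;
});

var app = builder.Build();

// Every cookie the app issues: HTTPS-only, HttpOnly, SameSite=Lax.
app.UseCookiePolicy(new CookiePolicyOptions
{
    Secure = CookieSecurePolicy.Always,
    HttpOnly = HttpOnlyPolicy.Always,
    MinimumSameSitePolicy = SameSiteMode.Lax,
});

// Security headers on every response (values are example choices).
app.Use(async (ctx, next) =>
{
    var h = ctx.Response.Headers;
    h["Content-Security-Policy"] = "default-src 'self'; frame-ancestors 'none'";
    h["X-Frame-Options"] = "DENY";
    h["X-Content-Type-Options"] = "nosniff";
    h["Referrer-Policy"] = "strict-origin-when-cross-origin";
    await next(ctx);
});

app.UseAntiforgery(); // validates tokens on state-changing requests

// The OAuth callback is driven by the identity provider, not by a form this app
// rendered, so it is the one endpoint explicitly exempted from antiforgery.
app.MapPost("/oauth/callback", () => Results.Ok()).DisableAntiforgery();

// Redirect protection: a caller-supplied returnUrl is honoured only if it is local;
// anything else falls back to the home page instead of leaving the site.
app.MapGet("/after-login", (string? returnUrl) =>
    Results.LocalRedirect(IsLocalUrl(returnUrl) ? returnUrl! : "/"));

app.Run();

// Core of the IUrlHelper.IsLocalUrl rule: exactly one leading "/" and not "//" or
// "/\", which browsers treat as protocol-relative (i.e. a different host).
static bool IsLocalUrl(string? url) =>
    !string.IsNullOrEmpty(url) && url[0] == '/' &&
    (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
```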
Data Privacy & Retention
We collect only the data necessary to provide the service, and give you full control over your information. Foreman is designed with data minimisation in mind — we don't store what we don't need.
How your data is handled
- Forma files are never stored — When running QA checks or browsing files from your Autodesk projects, data is streamed from the Autodesk API, processed in memory, and discarded. Your project files are never written to our servers.
- Credentials encrypted at rest — APS client secrets and OAuth refresh tokens are encrypted using the .NET Data Protection API before database storage. Plain-text credentials are never persisted.
- Automatic token cleanup — Expired and revoked OAuth tokens are automatically pruned by a scheduled job
- No third-party data sharing — We do not sell, share, or transfer your data. Outside of AI features (described below), the only external API Foreman communicates with is Autodesk Platform Services, on your behalf and using your own credentials.
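The encryption-at-rest mechanism named in the Data Encryption section and again in the "Credentials encrypted at rest" item above, shown as an added example rather than Foreman's code: a refresh token is protected with the .NET Data Protection API before it reaches a database row, and the purpose string keeps token ciphertext from being unprotected by unrelated code. The application name, purpose strings, key directory and token value are constructed for illustration (packages assumed: Microsoft.AspNetCore.DataProtection, Microsoft.Extensions.DependencyInjection).

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

// The key ring is kept outside the database, so a copied table holds ciphertext only.
var services = new ServiceCollection();
services.AddDataProtection()
        .SetApplicationName("foreman-example")                 // constructed name
        .PersistKeysToFileSystem(new DirectoryInfo("./dp-keys")); // constructed path
var provider = services.BuildServiceProvider()
                       .GetRequiredService<IDataProtectionProvider>();

// Purpose strings partition key usage: a value protected for refresh tokens
// cannot be unprotected by code holding the APS-client-secret protector.
var tokenProtector  = provider.CreateProtector("OAuth.RefreshToken");
var secretProtector = provider.CreateProtector("APS.ClientSecret");

string refreshToken = "constructed-refresh-token-0001"; // sample plaintext, never persisted
string stored = tokenProtector.Protect(refreshToken);   // this is what the DB row holds

Console.WriteLine(tokenProtector.Unprotect(stored) == refreshToken); // True: round trip

// Cross-purpose use fails closed: the authenticated payload does not verify.
try
{
    secretProtector.Unprotect(stored);
    Console.WriteLine("unexpected: wrong purpose accepted");
}
catch (CryptographicException)
{
    Console.WriteLine("wrong purpose rejected");
}

// A modified ciphertext is rejected before any plaintext is returned.
char[] flipped = stored.ToCharArray();
int mid = flipped.Length / 2;
flipped[mid] = flipped[mid] == 'A' ? 'B' : 'A';
try
{
    tokenProtector.Unprotect(new string(flipped));
    Console.WriteLine("unexpected: tampered payload accepted");
}
catch (CryptographicException)
{
    Console.WriteLine("tampered payload rejected");
}
```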
AI features & third-party AI providers
Foreman's AI capabilities — including the built-in AI Chat assistant and MCP (Model Context Protocol) tool integration — rely on third-party AI providers to process requests. When you use these features, data is sent to the AI provider to generate a response. It is important to understand how this affects your data.
- Data sent to AI providers — When MCP tools are invoked by an AI assistant (e.g. Claude, ChatGPT, Cursor), your prompts and the tool responses — which may include project names, file names, member names, and folder structures — are processed by the AI provider. This data is subject to the AI provider's own data handling and privacy policies, not Foreman's.
- You choose which AI provider to use — Foreman's MCP server is an open standard (OAuth 2.1 authenticated) and does not mandate a specific AI provider. You connect the AI client of your choice and are responsible for reviewing that provider's terms.
- Foreman Assistant — The built-in chat assistant uses Anthropic's Claude API. Conversations are sent to Anthropic for processing. Anthropic's data policies apply to this data in transit and during processing. Conversation history is stored on Foreman's EU servers, not with Anthropic.
- Per-project and per-tool controls — Users explicitly choose which projects and which MCP tools are accessible. No project data is exposed to AI providers unless you opt in.
- Organization-level AI disable — Organization administrators can completely disable AI Chat for all users from Settings > Data & Privacy, ensuring no data is sent to AI providers.
Important: Foreman does not control how third-party AI providers handle data once it leaves our servers. If your organization has strict data residency or confidentiality requirements, we recommend reviewing your AI provider's data processing agreements, or disabling AI features entirely using the organization-level toggle.
Automatic retention policies
Foreman automatically purges temporary data based on your subscription tier. These retention periods ensure that exported files, QA check results, and audit snapshots don't accumulate indefinitely.
| Data Type | Free | Business | Enterprise |
|---|---|---|---|
| Exports (CSV, XLSX) & QA check files | 7 days | 90 days | 365 days |
| Audit snapshots | 30 days | 365 days | Unlimited |
Organization administrators can customise retention periods from Settings > Data & Privacy.
Organization admin controls
Organization administrators have granular control over how data is handled across their entire organization. These controls are available under Organization > Settings > Data & Privacy.
Disable Local File Uploads
Prevent users from uploading files directly to Foreman for QA checks. When enabled, only files from your Autodesk projects can be checked — nothing is stored on our servers.
Disable AI Chat
Turn off the Foreman Assistant for all users in your organization. No conversation data will be created or stored while this is active.
Export Retention Period
Set a custom retention period for exported files (CSV, XLSX) and QA check results. Files are automatically purged after this period.
Audit Snapshot Retention
Control how long member audit snapshots are retained. Older snapshots are automatically purged to comply with data minimisation requirements.
Your rights
- Personal data export — Download all your personal data at any time from Account Settings, in compliance with GDPR Article 20 (right to data portability)
- Account deletion — Submit a deletion request from your Account Settings (GDPR Article 17, right to erasure). Requests are reviewed to ensure shared data and active projects are handled properly. You'll receive email notification of approval or rejection.
- UK GDPR & EU GDPR compliance — As a UK-based company operating EU infrastructure, Foreman complies with both the UK GDPR and the EU General Data Protection Regulation
For full details, see our Privacy Policy.
Audit & Monitoring
Comprehensive logging and audit trails help administrators maintain visibility and accountability.
- System logging — Warning-level and above events are captured to a database-backed audit log with user and tenant context
- MCP tool usage tracking — Every AI tool invocation is recorded with tool name, duration, success/failure, and timestamp
- Access request audit trail — Every submission, approval, rejection, and revocation is logged with timestamps
Security Contact
If you discover a security vulnerability or have concerns about the security of your data, please contact us immediately. We take all reports seriously and will respond promptly.
IssueLab — Security
Email: tech@issuelab.co
Please include a detailed description of the issue, steps to reproduce if applicable, and any relevant screenshots or logs. We will acknowledge receipt within 48 hours and aim to provide an initial assessment within 5 business days.
Foreman is an independent software application and is not affiliated with, endorsed by, or sponsored by Autodesk, Inc. Autodesk and Autodesk Forma are registered trademarks of Autodesk, Inc.