Trust center
Infrastructure-grade compliance. Proudly Canadian.
Forismo is designed for teams that handle sensitive communications — including legal professionals. Our security and privacy infrastructure meets Canadian federal and provincial requirements, with a roadmap to full US compliance.
Certifications & compliance
- PIPEDA: Compliant with Canada's Personal Information Protection and Electronic Documents Act. All 10 fair information principles implemented.
- CASL: Built-in consent management for commercial electronic messages. Express opt-in, sender identification, and unsubscribe mechanisms.
- Quebec Law 25: Compliant with Quebec's privacy law, including mandatory Privacy Impact Assessments, data portability, and cross-border adequacy assessments.
- SOC 2 Type I: AICPA Service Organization Control report covering the Security, Availability, and Confidentiality trust service criteria.
- SOC 2 Type II: Extended observation period audit demonstrating sustained control effectiveness over time.
- ISO/IEC 27001: International standard for information security management systems (ISMS).
Data residency
All customer data is stored in the AWS Canada (Central) region (ca-central-1) via Supabase. Your messages, contacts, files, and conversation metadata never leave Canadian soil for storage.
When AI features are enabled (with explicit consent), message content may be temporarily processed by AI providers in the United States. Data is transmitted via encrypted channels, stripped of unnecessary identifiers, and not retained by AI providers beyond the processing request.
Security measures
- AES-256 encryption at rest for all stored data
- TLS 1.3 (minimum 1.2) for all data in transit
- Per-workspace encryption key isolation
- End-to-end encryption option for privileged channels
- Row-level security (RLS) policies on all data tables
- Branch-scoped participant access control
- Role-based access (founder, member, guest, AI)
- Conversation-level invite authority restrictions
- Immutable audit trail for all actions (communication_events)
- Dedicated compliance audit log for privacy operations
- Real-time monitoring for breach detection
- Exportable logs for regulatory review
- Message immutability with timestamped addenda pattern
- Legal hold capability to prevent deletion during litigation
- Configurable retention policies per data type
- Certified deletion with audit proof
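The access-control and immutability bullets above (row-level security, branch-scoped participant access, role-based access, message immutability with addenda, legal hold) map directly onto Postgres features that Supabase exposes. The block below is an added illustration of how those controls can be expressed in SQL; it is not Forismo's schema or code. Every table and column name (workspace_members, branch_participants, messages, message_addenda, legal_hold) is an assumption chosen for the example. auth.uid() is Supabase's real helper that returns the JWT subject of the calling user.

```sql
-- Added illustration, not the product's schema: table and column names are assumed.
create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  role         text not null check (role in ('founder', 'member', 'guest', 'ai')),
  primary key (workspace_id, user_id)
);

create table branch_participants (
  branch_id uuid not null,
  user_id   uuid not null,
  primary key (branch_id, user_id)
);

create table messages (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  branch_id    uuid not null,
  author_id    uuid not null,
  body         text not null,
  legal_hold   boolean not null default false,
  created_at   timestamptz not null default now()
);

-- Corrections are appended as separate rows; the original message row is never rewritten.
create table message_addenda (
  id         uuid primary key default gen_random_uuid(),
  message_id uuid not null references messages(id),
  author_id  uuid not null,
  body       text not null,
  created_at timestamptz not null default now()
);

-- RLS is opt-in per table: without these two statements every policy below is a no-op.
alter table messages enable row level security;
alter table messages force row level security;  -- apply policies to the table owner as well

-- Read: the caller must be a member of the workspace AND a participant in the branch.
create policy messages_read on messages
  for select
  using (
    exists (select 1 from workspace_members m
             where m.workspace_id = messages.workspace_id
               and m.user_id = auth.uid())
    and exists (select 1 from branch_participants p
                 where p.branch_id = messages.branch_id
                   and p.user_id = auth.uid())
  );

-- Write: same branch scoping, and the new row must name the caller as its author.
create policy messages_insert on messages
  for insert
  with check (
    author_id = auth.uid()
    and exists (select 1 from branch_participants p
                 where p.branch_id = messages.branch_id
                   and p.user_id = auth.uid())
  );

-- Deliberately no UPDATE policy: under RLS, in-place edits by ordinary users are refused.

-- Delete: founders only, and never while a legal hold is set on the row.
create policy messages_delete on messages
  for delete
  using (
    not legal_hold
    and exists (select 1 from workspace_members m
                 where m.workspace_id = messages.workspace_id
                   and m.user_id = auth.uid()
                   and m.role = 'founder')
  );

-- Backstop for roles that bypass RLS (e.g. the service key): a trigger keeps the
-- content fields append-only while still allowing the legal_hold flag to be toggled.
create or replace function reject_message_update() returns trigger
language plpgsql as $$
begin
  if new.body is distinct from old.body
     or new.author_id is distinct from old.author_id
     or new.branch_id is distinct from old.branch_id
     or new.created_at is distinct from old.created_at then
    raise exception 'messages are immutable; append a row to message_addenda instead';
  end if;
  return new;
end $$;

create trigger messages_immutable
  before update on messages
  for each row execute function reject_message_update();
```

Two checks worth running after applying something like this: `select polname, cmd from pg_policy where polrelid = 'messages'::regclass;` should list exactly the select, insert and delete policies and no update policy, and `select relrowsecurity, relforcerowsecurity from pg_class where relname = 'messages';` should return true for both. Keep in mind that the Supabase service-role key bypasses RLS entirely, which is why the trigger, not the policies, is what guarantees immutability for server-side code paths.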
Sub-processor list
The following third-party service providers process personal information on behalf of Forismo. All sub-processors are bound by Data Processing Agreements (DPAs).
| Provider | Purpose | Location | DPA | Certifications |
|---|---|---|---|---|
| Supabase | Database infrastructure, authentication, file storage | Canada (AWS ca-central-1) | Signed | SOC 2 Type II |
| Vercel | Application hosting, edge functions, CDN | Global (edge network) | Signed | SOC 2 Type II |
| Modulate.ai | Voice transcription (Velma STT) | United States | Signed | SOC 2 Type II |
| xAI | Grok AI summaries and server-side semantic analysis | United States | Signed | SOC 2 Type II |
| Twilio | SMS and voice channel delivery via Twilio PSTN | United States | Signed | SOC 2 Type II |
| Resend | Transactional email delivery | United States | Signed | SOC 2 Type II |
Exercise your rights
Under PIPEDA, Quebec Law 25, and CCPA/CPRA, you have the right to access, correct, delete, or port your personal information. Submit a request:
- Through your account settings (Settings > Privacy)
- By emailing privacy@forismo.com
We acknowledge requests within 48 hours and fulfill them within 30 days.
Documentation
- Privacy Policy
- Terms of Service
- Security Architecture
- DPA Template (available on request — email legal@forismo.com)
- SOC 2 Report (available under NDA — email security@forismo.com)
Contact
For security inquiries: security@forismo.com
For privacy inquiries: privacy@forismo.com
For legal inquiries: legal@forismo.com