Last updated: 2026-07-08
Forge uses the following sub-processors to deliver its services. Each sub-processor is required, under their own standard data protection terms, to process personal data only on documented instructions and under appropriate technical and organisational measures. Where a sub-processor supports EU/UK data transfers, we rely on their published Standard Contractual Clauses (SCCs); dedicated Forge-executed DPAs with individual sub-processors are being put in place on a rolling basis and are not yet complete for every vendor listed below.
We will notify you of any new sub-processors or material changes to this list with at least 30 days' notice via email and in-app notification.
| Vendor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Hosted PostgreSQL database, authentication, and file storage | United States (AWS us-east-1) |
| Vercel, Inc. | Application hosting and edge network (Next.js runtime) | United States / Global CDN |
| xAI (X Corp.) | AI language model inference (Grok) for AI Digest, Standup summaries, and Think Tank features | United States |
| Postmark / ActiveCampaign, Inc. | Transactional email delivery (inbound email-to-issue, notifications) | United States |
| Slack Technologies (Salesforce) | Optional Slack bot notifications (per-tenant, opt-in only) | United States |
This is separate from the sub-processor terms above — it's the agreement between your organisation and Forge covering how we process your data. If you need a signed DPA (e.g. for GDPR compliance), email us at privacy@forge.app. We will respond within 5 business days with a standard DPA for review and countersignature.
For GDPR purposes, Forge acts as a Data Processor for customer data and as a Data Controller for account and billing data. Standard Contractual Clauses (SCCs) are available on request for international data transfers.
Questions? Contact privacy@forge.app