Safe by architecture, not by promise.
The honest way to evaluate a platform like this is the mechanism, not the badge wall. This page is the mechanism — what apps can and cannot do, how identity flows, what IT controls, and where our compliance work stands.
What can a Forigi app actually do?
Very little — on purpose.
Static HTML, CSS, and JavaScript bundles only. No server code executes inside an app — there is no backend for a builder (or a model) to get wrong.
Apps hold zero credentials. No API keys, no tokens, no connection strings in bundle code. When researchers scanned 5,600 production vibe-coded apps (Escape.tech, 2025), exposed secrets were among the most common findings — the Forigi format makes them impossible to embed usefully.
Cross-origin requests are blocked by Content Security Policy. Apps talk to Forigi’s constrained SDK and nothing else. External APIs are reachable only through connectors IT has approved, and every call is logged.
All data access flows through a platform-controlled SDK. Apps request reads and writes; the platform decides, enforces tenant policy, stamps the audit log, and returns only what the signed-in viewer is allowed to see.
Per-app isolated databases, provisioned from a declared schema. Schema changes are additive-only and staged for review — an app can’t silently drop or rewrite what came before.
How does identity flow through an app?
Viewers see exactly what they already have permission to see — nowhere more.
Microsoft Entra ID SSO on every app. Apps live behind your tenant boundary; a viewer who isn’t signed into your tenant never sees the app at all. No new logins, no shadow accounts.
SharePoint and OneDrive reads run as the viewer. Forigi propagates the signed-in identity to the source system, so Microsoft 365 permissions — the ones IT already maintains — are the access control. There is no service account reading tenant data on viewers’ behalf.
Sharing is tenant-scoped by default. Builders share apps inside the tenant; anything beyond the boundary is a per-app policy decision that belongs to IT.
Microsoft Verified Publisher. Forigi is operated by Knotbook Software Inc., a Microsoft AI Cloud Partner Program member with verified-publisher status on the Microsoft Entra app registration — the consent screen your users see is a verified one.
What does IT control?
Everything with a blast radius.
IT decides which SharePoint and OneDrive sources are exposed to apps at all, and which apps may bind to which sources. Nothing is readable by default.
Any app can be paused or deleted instantly by an admin. Every session revokes immediately and the action lands in the audit log.
Every read, write, and external call is logged with actor, app, scope, and timestamp. Retention is configurable per tenant to match your compliance baseline. “What data went where, by whom” is a query, not an investigation.
Per-tenant policy covers the data-source allowlist, per-app source binding, per-app rate limits, audit retention, and bundle-security rules the platform enforces at deploy time.
The private-beta runtime is deliberately conservative: Microsoft SSO via Entra ID, SharePoint and OneDrive as governed sources with viewer-identity reads only. More Microsoft sources are on the roadmap; each ships with the same policy, audit, and revocation guarantees.
Where the paperwork stands.
Type II — in progress
Underway as of July 2026. Control descriptions and current security documentation are available to pilot customers under NDA.
Data encrypted at rest; all traffic over TLS. App bundles are integrity-checked at deploy time.
Found a vulnerability? Email hello@forigi.com with details and we’ll respond within two business days. We don’t pursue good-faith researchers.
Can a Forigi app leak data to an external service?
Not by design. Apps are static HTML and JavaScript served under a strict Content Security Policy that blocks all cross-origin requests. The only way an app reaches an external API is through a connector IT has explicitly approved, and every such call is logged in the audit trail.
Can an app see data its viewer can't?
No. SharePoint and OneDrive reads run as the signed-in viewer — Forigi propagates the viewer's identity to the source system, so existing Microsoft 365 permissions decide what each person sees. Apps never use a service account for tenant data.
What happens when IT kills an app?
The app stops serving immediately: every session is revoked, viewers see a maintenance notice, and the event is written to the audit log. Admins can also pause an app (reversible) instead of deleting it.
Is Forigi SOC 2 compliant?
SOC 2 Type II is in progress as of July 2026. Pilot customers can request our current security documentation and control descriptions under NDA. Forigi is operated by Knotbook Software Inc., a Microsoft AI Cloud Partner Program member with verified-publisher status on its Entra app registration.
Where does app data live?
Each app gets its own isolated per-app database, provisioned from a declared schema that IT can review and approve. Tenant file data stays in SharePoint and OneDrive — Forigi reads it at request time as the viewer rather than copying it out. Data is encrypted at rest.
Put your hardest security question to a founder.
Thirty minutes, unscripted. Bring your security architect — the demo includes the audit log and the kill switch, live.