forigi / security · current as of 2026-07

Safe by architecture, not by promise.

The honest way to evaluate a platform like this is the mechanism, not the badge wall. This page is the mechanism — what apps can and cannot do, how identity flows, what IT controls, and where our compliance work stands.

01RuntimeThe largest vibe-code failure modes are structurally impossible, not merely monitored.

What can a Forigi app actually do?

Very little — on purpose.

App format

Static HTML, CSS, and JavaScript bundles only. No server code executes inside an app — there is no backend for a builder (or a model) to get wrong.

Credentials

Apps hold zero credentials. No API keys, no tokens, no connection strings in bundle code. When researchers scanned 5,600 production vibe-coded apps (Escape.tech, 2025), exposed secrets were among the most common findings — the Forigi format makes them impossible to embed usefully.

Network

Cross-origin requests are blocked by Content Security Policy. Apps talk to Forigi’s constrained SDK and nothing else. External APIs are reachable only through connectors IT has approved, and every call is logged.

Data access

All data access flows through a platform-controlled SDK. Apps request reads and writes; the platform decides, enforces tenant policy, stamps the audit log, and returns only what the signed-in viewer is allowed to see.

Databases

Per-app isolated databases, provisioned from a declared schema. Schema changes are additive-only and staged for review — an app can’t silently drop or rewrite what came before.

02IdentityOne rule, enforced end to end.

How does identity flow through an app?

Viewers see exactly what they already have permission to see — nowhere more.

Sign-in

Microsoft Entra ID SSO on every app. Apps live behind your tenant boundary; a viewer who isn’t signed into your tenant never sees the app at all. No new logins, no shadow accounts.

Propagation

SharePoint and OneDrive reads run as the viewer. Forigi propagates the signed-in identity to the source system, so Microsoft 365 permissions — the ones IT already maintains — are the access control. There is no service account reading tenant data on viewers’ behalf.

Sharing

Sharing is tenant-scoped by default. Builders share apps inside the tenant; anything beyond the boundary is a per-app policy decision that belongs to IT.

Publisher

Microsoft Verified Publisher. Forigi is operated by Knotbook Software Inc., a Microsoft AI Cloud Partner Program member with verified-publisher status on the Microsoft Entra app registration — the consent screen your users see is a verified one.

03GovernanceProduct surfaces in the admin console, not support tickets.

What does IT control?

Everything with a blast radius.

Data sources

IT decides which SharePoint and OneDrive sources are exposed to apps at all, and which apps may bind to which sources. Nothing is readable by default.

Kill switch

Any app can be paused or deleted instantly by an admin. Every session revokes immediately and the action lands in the audit log.

Audit

Every read, write, and external call is logged with actor, app, scope, and timestamp. Retention is configurable per tenant to match your compliance baseline. “What data went where, by whom” is a query, not an investigation.

Policy

Per-tenant policy covers the data-source allowlist, per-app source binding, per-app rate limits, audit retention, and bundle-security rules the platform enforces at deploy time.

Pilot scope

The private-beta runtime is deliberately conservative: Microsoft SSO via Entra ID, SharePoint and OneDrive as governed sources with viewer-identity reads only. More Microsoft sources are on the roadmap; each ships with the same policy, audit, and revocation guarantees.

04ComplianceStated plainly, dated, updated as it changes.

Where the paperwork stands.

SOC 2

Type II — in progress

Underway as of July 2026. Control descriptions and current security documentation are available to pilot customers under NDA.

Encryption

Data encrypted at rest; all traffic over TLS. App bundles are integrity-checked at deploy time.

Disclosure

Found a vulnerability? Email hello@forigi.com with details and we’ll respond within two business days. We don’t pursue good-faith researchers.

05QuestionsWhat security reviewers ask first.
Can a Forigi app leak data to an external service?

Not by design. Apps are static HTML and JavaScript served under a strict Content Security Policy that blocks all cross-origin requests. The only way an app reaches an external API is through a connector IT has explicitly approved, and every such call is logged in the audit trail.

Can an app see data its viewer can't?

No. SharePoint and OneDrive reads run as the signed-in viewer — Forigi propagates the viewer's identity to the source system, so existing Microsoft 365 permissions decide what each person sees. Apps never use a service account for tenant data.

What happens when IT kills an app?

The app stops serving immediately: every session is revoked, viewers see a maintenance notice, and the event is written to the audit log. Admins can also pause an app (reversible) instead of deleting it.

Is Forigi SOC 2 compliant?

SOC 2 Type II is in progress as of July 2026. Pilot customers can request our current security documentation and control descriptions under NDA. Forigi is operated by Knotbook Software Inc., a Microsoft AI Cloud Partner Program member with verified-publisher status on its Entra app registration.

Where does app data live?

Each app gets its own isolated per-app database, provisioned from a declared schema that IT can review and approve. Tenant file data stays in SharePoint and OneDrive — Forigi reads it at request time as the viewer rather than copying it out. Data is encrypted at rest.

Put your hardest security question to a founder.

Thirty minutes, unscripted. Bring your security architect — the demo includes the audit log and the kill switch, live.

Microsoft verified publisherEntra ID SSO on every appEvery action loggedKill switch on every app