🔐 Security

Your Data Is Safe With CostForge

We take the security of your business data seriously. Here's exactly what we do to protect it.

At CostForge, we understand that your client list, quotes, and business data represent years of hard work. We've built our infrastructure and processes with security at the core — and we document exactly what we do so you can make an informed decision.


1. Data Hosting & Infrastructure

CostForge is hosted on secure cloud infrastructure in the EU. Our servers are managed by a reputable cloud provider with physical security, redundant power, and network failover. Data is stored in EU-based data centres, which is particularly important for UK GDPR compliance.

2. Data Encryption

  • All data in transit is encrypted using HTTPS with TLS 1.2 or higher. We do not serve any content over plain HTTP.
  • All data at rest is encrypted using industry-standard AES-256 encryption.
  • Passwords are never stored in plain text. We use bcrypt hashing with a strong work factor.

3. Account Security

  • Secure sign-in with email and password. Passwords are hashed — we never see or store them in plain text.
  • Role-based access control (Owner, Admin, Member) ensures team members only see and do what they need to.
  • Team members can be deactivated immediately from Settings — removing platform access without deleting historical data.
  • We recommend using a strong, unique password for your CostForge account. Two-factor authentication (2FA) is on our roadmap.

4. GDPR & UK Data Protection

  • CostForge operates in full compliance with the UK General Data Protection Regulation (UK GDPR).
  • You, the account holder, are the data controller. CostForge acts as a data processor on your behalf.
  • You have the right to access, rectify, export, or delete your data at any time.
  • A Data Processing Agreement (DPA) is available for Enterprise customers on request.
  • In the event of a data breach, we will notify affected users and the Information Commissioner's Office (ICO) within 72 hours as required by UK GDPR.

5. Data Ownership

Your data is yours — full stop. CostForge never sells, shares, or monetises your business data. Your client list, your quotes, your jobs — they belong to your business. You can export your data at any time and request full deletion on account closure.

6. Incident Response

We maintain a documented incident response plan. In the event of a confirmed security incident affecting your data, we will notify you by email as soon as practically possible and report the incident to the ICO within 72 hours, as required by UK GDPR. We will provide a full summary of the incident, what data was affected, and what remediation steps have been taken.

7. Security Questions

Have a security concern or question? Contact us at info@costforge.co.uk with the subject line "Security". We take all security reports seriously and aim to respond within 1 business day.