Security & Compliance
Last Updated: March 21, 2026
At HForgeX, security and privacy are foundational — not afterthoughts. Our Chrome extensions are designed with a local-first, privacy-by-design architecture that minimizes data collection and keeps your content on your device.
This page outlines our security practices, compliance posture, and the technical measures we implement to protect our users and their data.
Security Architecture at a Glance
- Local-First Processing: All user content stays on your device. Zero cloud uploads.
- Cryptographic License Signing: Ed25519 digital signatures for tamper-proof licenses.
- HTTPS Everywhere: TLS encryption for all data in transit.
- Minimal Permissions: Each extension requests only what it needs.
1. Data Protection Principles
Our approach to data protection follows core principles:
- Data Minimization — We collect only what is strictly necessary to deliver the service (license key, email, device code). We do not collect content, browsing history, or usage telemetry from extensions.
- Purpose Limitation — Data is used only for the purpose for which it was collected: license fulfillment, support, and anonymized analytics.
- Storage Limitation — Data is retained only as long as necessary. See our Privacy Policy for retention periods.
- Privacy by Design — Privacy was a design constraint from day one, not a compliance add-on.
2. GDPR Compliance
HForgeX is committed to compliance with the General Data Protection Regulation (EU) 2016/679. Key measures include:
2.1 Lawful Basis for Processing
Every processing activity has a documented legal basis under Article 6 of the GDPR. See our Privacy Policy Section 3 for the complete mapping.
2.2 Data Subject Rights
We fully support GDPR data subject rights: access, rectification, erasure, restriction, portability, and objection. Requests can be submitted to [email protected] and are processed within 30 days.
2.3 Privacy by Design & Default (Article 25)
- Extensions process all user content locally — no server-side processing.
- No user accounts required — minimal identity footprint.
- License verification is offline-first with optional online checks.
- Analytics use anonymized IP addresses.
2.4 Data Protection Impact Assessment
We have assessed the privacy impact of our license activation system. Given the minimal data processed (email, license key, device UUID), the risk to data subjects is low. No high-risk processing activities have been identified.
2.5 International Data Transfers (Article 46)
Where data is processed by infrastructure providers outside the EEA (Cloudflare, Google), we rely on Standard Contractual Clauses (SCCs) and adequacy decisions to ensure appropriate safeguards.
2.6 Breach Notification (Articles 33 & 34)
Should a personal data breach occur, we will notify the relevant supervisory authority within 72 hours and affected data subjects without undue delay where the breach poses a high risk.
3. CCPA Compliance
For California residents, we comply with the California Consumer Privacy Act (CCPA):
- We do not sell personal information.
- We provide the right to know, delete, and opt-out.
- We do not discriminate against users who exercise their rights.
- See our Privacy Policy Section 7.2 for full CCPA details.
4. Infrastructure Security
4.1 Hosting & CDN
- Cloudflare — Website and License API hosted on Cloudflare Pages and Workers with enterprise-grade DDoS protection, WAF, and global CDN.
- Edge computing — License verification runs on Cloudflare Workers for low-latency, globally distributed processing.
4.2 Encryption
| Layer | Method |
|---|---|
| Data in transit | TLS 1.2+ (HTTPS enforced everywhere) |
| License integrity | Ed25519 cryptographic signatures |
| Secrets management | Environment variables; never committed to source control |
4.3 Access Control
- Principle of least privilege for all system access.
- Source code access restricted with branch protection rules.
- CI/CD pipeline access limited to authorized personnel.
- Production secrets stored in Cloudflare Workers secrets; never in code.
5. Application Security
5.1 Chrome Extension Security
- Manifest V3 — All extensions use Chrome's latest security model with service workers and declarative APIs.
- Minimal permissions — Each extension requests only required permissions, justified in the Chrome Web Store listing.
- No remote code — Extensions do not load or execute remote code. All logic is bundled at build time.
- Content Security Policy — Strict CSP headers enforced.
- No eval() — No dynamic code evaluation in any extension.
5.2 License Verification Security
- Licenses are cryptographically signed with Ed25519 (public key embedded in the extension).
- License bundles are verified offline; online checks are supplementary.
- Device codes are anonymous UUIDs with no personally identifiable information.
- The License API implements rate limiting and input validation.
5.3 Supply Chain Security
- Dependencies are pinned and audited regularly.
- Automated CI pipeline runs linting, testing, and build verification.
- Third-party libraries are minimized across all extensions.
6. ISO 27001 Alignment
While HForgeX does not currently hold ISO 27001 certification (formal certification is not proportionate at our current scale), our security practices are aligned with the ISO 27001 Annex A controls:
| Control Area | Our Practice |
|---|---|
| A.5 — Information Security Policies | Documented security guidelines and threat model |
| A.8 — Asset Management | Classified data assets; minimal data collection |
| A.9 — Access Control | Least privilege, branch protection, secrets management |
| A.10 — Cryptography | Ed25519 license signing, TLS everywhere |
| A.12 — Operations Security | CI/CD pipeline security, dependency audits |
| A.14 — System Development | Secure SDLC, code review, automated testing |
| A.16 — Incident Management | Documented response plan, 72-hour breach notification |
| A.18 — Compliance | GDPR, CCPA, Chrome Web Store policies |
7. SOC 2 Alignment
Our practices align with the SOC 2 Trust Service Criteria:
| Principle | Alignment |
|---|---|
| Security | Encryption, access control, secure development, WAF/DDoS protection |
| Availability | Cloudflare global CDN, offline-first architecture, edge computing |
| Processing Integrity | Cryptographic license verification, automated testing |
| Confidentiality | Minimal data collection, encrypted transit, secrets management |
| Privacy | GDPR/CCPA compliant, privacy by design, no telemetry |
8. Chrome Web Store Compliance
- Privacy Practices — Accurate data use declarations submitted for each extension.
- Permissions Justification — Each permission justified in the listing with a clear purpose statement.
- Single Purpose Policy — Each extension serves a single, clearly stated purpose.
- User Data Policy — Full compliance with the Chrome Web Store Developer Program Policies regarding user data handling, disclosure, and consent.
- No Remote Code — All extension code is bundled at build time. No remote code execution.
9. Incident Response
In the event of a security incident:
- Detection & Triage — Identify scope, impact, and affected systems.
- Containment — Isolate affected components to prevent further damage.
- Notification — Notify the relevant supervisory authority within 72 hours and affected users without undue delay (GDPR Articles 33 and 34).
- Recovery — Restore services and implement fixes.
- Post-Incident Review — Document lessons learned and implement preventive measures.
10. Responsible Disclosure
If you discover a security vulnerability in any HForgeX product, please report it responsibly to [email protected] with:
- A description of the vulnerability.
- Steps to reproduce the issue.
- Potential impact assessment.
We aim to acknowledge reports within 48 hours and resolve confirmed vulnerabilities promptly. We will not take legal action against good-faith security researchers.
11. Contact
For security-related questions or concerns:
Email: [email protected]
Subject line: include [Security] for priority handling