Trust
How we secure your data
Forkbench is local-first by design. Your code stays on your machine. The list below covers what we do hold, where it lives, and how to tell us about a vulnerability.
What we store
- Account identity: email, optional name, OAuth provider links, hashed password (bcrypt, cost 12). Stored in PostgreSQL.
- Sessions: opaque session tokens, expiration, and the user they belong to. We don't store device fingerprints or location data.
- Subscription state: the provider customer ID, product ID, status, and renewal date. Card numbers and full billing addresses live with our payment provider, never on our servers.
- Mac app device tokens: hashed tokens that bind a paired Mac to your account, plus the device name you chose.
- Operational logs: request lines, error traces, and Sentry events. Scrubbed of email/password/token values before persistence.
What we explicitly do not store: the contents of your repositories, your shell history, your editor state, prompts sent to AI agents, or AI agent responses. Those live on your Mac.
Authentication
- OAuth providers: Google and Apple, when configured. We accept the provider's verified email and never receive your provider password.
- Email + password: passwords are hashed with bcrypt (cost factor 12). We require at least 12 characters with a letter and a number or symbol.
- Sessions: JWT-strategy session cookies, 7-day lifetime, HttpOnly, Secure, and SameSite=Lax. Cookies are bound to the canonical host via trustHost behind our Traefik proxy.
- Rate limiting: two-axis limit on the login surface — per-IP and per-email — to throttle credential stuffing.
- Soft-deleted and admin-disabled accounts: can't sign in even with the correct password.
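To illustrate the two-axis login limit described above, here is an added example of a per-IP and per-email sliding-window limiter. It is not Forkbench's code; the limits, the 15-minute window, the in-memory store and the email normalisation are assumptions.

```typescript
// Added example: two-axis login rate limiter keyed by client IP and by
// normalised email. Limits, window size and in-memory storage are assumed.

interface Decision { allowed: boolean; retryAfterMs: number }
interface Limits { ipLimit: number; emailLimit: number; windowMs: number }

// Sliding-window counter: keeps attempt timestamps per key and discards
// those older than the window on every lookup.
class SlidingWindowCounter {
  private readonly hits = new Map<string, number[]>();
  private readonly limit: number;
  private readonly windowMs: number;

  constructor(limit: number, windowMs: number) {
    this.limit = limit;
    this.windowMs = windowMs;
  }

  // Records an attempt under `key` at time `now` (ms) and reports whether it
  // fell within the limit; when refused, says when the next slot frees up.
  hit(key: string, now: number): Decision {
    const recent = (this.hits.get(key) ?? []).filter((t) => t > now - this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      const oldest = recent[0] ?? now;
      return { allowed: false, retryAfterMs: oldest + this.windowMs - now };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, retryAfterMs: 0 };
  }
}

class LoginRateLimiter {
  private readonly byIp: SlidingWindowCounter;
  private readonly byEmail: SlidingWindowCounter;

  constructor(limits: Limits = { ipLimit: 20, emailLimit: 5, windowMs: 15 * 60_000 }) {
    this.byIp = new SlidingWindowCounter(limits.ipLimit, limits.windowMs);
    this.byEmail = new SlidingWindowCounter(limits.emailLimit, limits.windowMs);
  }

  // Both axes count the attempt; the request is refused if either budget is
  // spent. The email key is trimmed and lower-cased so case or whitespace
  // variants of one address share a single per-email budget.
  check(ip: string, email: string, now: number = Date.now()): Decision {
    const ipResult = this.byIp.hit(ip, now);
    const emailResult = this.byEmail.hit(email.trim().toLowerCase(), now);
    if (ipResult.allowed && emailResult.allowed) return { allowed: true, retryAfterMs: 0 };
    return { allowed: false, retryAfterMs: Math.max(ipResult.retryAfterMs, emailResult.retryAfterMs) };
  }
}
```

The returned retryAfterMs is what a handler would surface as a Retry-After header alongside a 429, without revealing which axis tripped.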
Transport & hosting
- All traffic over TLS 1.2+. HTTPS is enforced at the proxy; plaintext requests are redirected.
- The web app, database, and background workers run on a single dedicated host managed by Coolify. Daily snapshots are kept off-host.
- No data is shared with third parties beyond the explicit integrations listed in our privacy policy.
Vulnerability disclosure
We take security reports seriously and acknowledge every report within one business day.
- Email [email protected] with subject prefix "Security disclosure:".
- Include reproduction steps, affected URL or version, and any proof-of-concept code. Please give us reasonable time to fix before publishing.
- We don't operate a paid bug bounty yet. We do credit reporters in the changelog by request.
- Safe harbor: good-faith testing that doesn't degrade service or access customer data will not be pursued legally.
What we don't claim
We don't have SOC 2, ISO 27001, or HIPAA certifications. If your buyer requires those, write to [email protected] — we can talk about timelines and what we currently do that maps to each.
Privacy details
For the legal version — what data we collect, how long we retain it, your rights, and how to delete your account — see our privacy policy.