Security

Secure access handling

Forge is designed for teams that need useful QA findings without handing over more access or control than necessary.

Last updated: May 31, 2026

Recommended access setup

Use a staging environment, demo workspace, sandbox account, or test build whenever possible. If production testing is required, provide the narrowest access needed for the approved scope.

Temporary test users are preferred. Credentials should be rotated or disabled after the audit is complete.

Least-privilege testing

Forge focuses on the flows, roles, devices, browsers, and risk areas submitted in the booking request. We do not intentionally access unrelated areas of your product.

If a submitted account exposes sensitive administration tools, billing controls, or customer data, we may pause and request safer test access before continuing.

Evidence handling

Screenshots and videos are used only when they help explain a defect or risk. We avoid capturing sensitive data unless it is necessary to document the issue.

Reports are written for product and engineering teams, with clear reproduction steps and enough context to support triage without exposing more information than needed.

After the audit

Temporary accounts should be rotated, disabled, or removed after delivery. If you want access notes removed from active audit records, contact Forge after the report is delivered.

NDA requests can be handled before testing begins when the product or launch details are sensitive.

What not to send

Do not submit private keys, database credentials, payment credentials, real customer data, or unrestricted administrator access unless specifically required, authorized, and discussed in advance.

If you are unsure what access to provide, send a note in the booking form and Forge can recommend a safer setup before testing begins.

Security contact

For access concerns, credential removal, or security questions, contact hello@forge-review.com.