
Your data is our responsibility.

Full transparency about how Forge Innovations Limited protects, manages, and secures your financial data.

Encrypted at Rest & Transit
MFA Enforced
Read-Only Access
ISO 27001 Aligned

Security

How we protect your data.

Six layers of security built into the foundation, not bolted on after.

ISO 27001 Aligned

Our security practices align with the ISO 27001 framework — covering access control, cryptography, operations security, and secure development.

Mandatory 2FA

Every account requires TOTP-based two-factor authentication. Verification is enforced on new devices and periodically thereafter.

Brute-Force Protection

Accounts are automatically locked after repeated failed login attempts, and only an administrator can unlock them, so guessed or stolen credentials cannot be used to log in.

Approval-Based Access

New accounts require manual admin approval before accessing any financial data. No self-service access to sensitive information.

Row-Level Isolation

Every database query is scoped to the authenticated user's organisation using PostgreSQL Row-Level Security policies.

Immutable Audit Trail

All admin actions — user approvals, role changes, data syncs — are recorded in an append-only audit log with timestamps.
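The two database-level controls above (organisation-scoped Row-Level Security and an append-only audit log) are easiest to understand as PostgreSQL DDL. The following is an added example written for this page, not Forge's own schema: the table, column and role names (invoices, org_id, admin_audit_log, app_user) and the app.org_id session setting are assumptions, and the seed rows are constructed test data. Supabase deployments more commonly key policies on auth.uid(); the session-setting form is used here so the example runs on any PostgreSQL 11 or later.

```sql
-- Application role (assumed name). The application must connect as this
-- role, not as a superuser or the table owner, or RLS is bypassed.
CREATE ROLE app_user LOGIN;

-- Tenant data: every row carries the organisation it belongs to.
CREATE TABLE invoices (
  id        bigserial PRIMARY KEY,
  org_id    uuid NOT NULL,
  total     numeric(12, 2) NOT NULL,
  issued_on date NOT NULL
);

-- RLS is off by default. ENABLE turns it on; FORCE also subjects the table
-- owner to the policies instead of silently exempting it.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- The application sets the caller's organisation once per transaction with
-- SET LOCAL app.org_id = '<uuid>'. NULLIF guards the case where the setting
-- exists but is empty: the cast then yields NULL, the predicate is not true,
-- and an unset context matches NO rows rather than all of them.
CREATE POLICY invoices_org_isolation ON invoices
  USING      (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid)
  WITH CHECK (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid);

-- Append-only audit trail. Privileges alone are not enough (a future GRANT
-- could reopen UPDATE), so a trigger rejects rewrites for every role.
CREATE TABLE admin_audit_log (
  id          bigserial PRIMARY KEY,
  occurred_at timestamptz NOT NULL DEFAULT now(),
  actor       text NOT NULL,
  action      text NOT NULL,   -- e.g. 'user_approved', 'role_changed', 'data_sync'
  details     jsonb
);

CREATE OR REPLACE FUNCTION audit_log_is_append_only() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'admin_audit_log is append-only (% rejected)', TG_OP;
END;
$$;

-- TRUNCATE triggers must be statement-level; UPDATE/DELETE are handled the
-- same way so a single trigger covers all three.
CREATE TRIGGER audit_log_no_rewrite
  BEFORE UPDATE OR DELETE OR TRUNCATE ON admin_audit_log
  FOR EACH STATEMENT EXECUTE FUNCTION audit_log_is_append_only();

-- Least privilege: the application may read/write tenant data (subject to
-- RLS) but may only append to and read the audit log.
REVOKE ALL ON invoices, admin_audit_log FROM PUBLIC;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;
GRANT SELECT, INSERT ON admin_audit_log TO app_user;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO app_user;

-- Constructed seed data, one row per organisation. Each insert runs inside
-- its own org context because WITH CHECK applies to the writer too.
BEGIN;
SET LOCAL app.org_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO invoices (org_id, total, issued_on)
  VALUES ('11111111-1111-1111-1111-111111111111', 100.00, '2024-01-01');
COMMIT;

BEGIN;
SET LOCAL app.org_id = '22222222-2222-2222-2222-222222222222';
INSERT INTO invoices (org_id, total, issued_on)
  VALUES ('22222222-2222-2222-2222-222222222222', 250.00, '2024-01-02');
COMMIT;

-- Isolation check, run as app_user: only org 1's row is visible, an insert
-- for org 2 from org 1's context fails WITH CHECK, and the audit log accepts
-- inserts but rejects deletes.
BEGIN;
SET LOCAL app.org_id = '11111111-1111-1111-1111-111111111111';
SELECT count(*) FROM invoices;                       -- 1, not 2
INSERT INTO admin_audit_log (actor, action, details)
  VALUES ('admin@example.invalid', 'user_approved', '{"user": "constructed"}');
COMMIT;

DELETE FROM admin_audit_log;                          -- raises: append-only
```

Run the schema as an administrative role and the check block as app_user; superusers and roles with BYPASSRLS ignore policies regardless of FORCE, which is why the connection role matters as much as the policy text.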

Data

What we store. What we don't.

A clear breakdown of the data synced from your accounting software.

Data We Store

  • Customer and supplier contacts (name, email)
  • Invoices, line items, and payment records
  • Bank account names, types, and balance snapshots
  • Bank transaction amounts, dates, and categories
  • Pay run summaries and employee headcounts
  • Expense receipt totals and vendor names

Data We Never Store

  • Passwords or bank login credentials
  • Raw accounting file exports
  • Individual employee salary details
  • Credit card or payment card numbers
  • Data from other connected apps

Integration Scopes

Read-only. Always.

Forge cannot modify, create, or delete any data in your connected accounts. Here are the exact scopes we request:

OAuth Scope                    Purpose
openid profile email           Identify your Xero user account
accounting.transactions.read   Read invoices, bills, and credit notes
accounting.contacts.read       Read customer and supplier contacts
accounting.settings.read       Read organisation settings and chart of accounts
accounting.reports.read        Read financial reports (Balance Sheet, P&L)
payroll.employees.read         Read employee names, employment types, and start dates
payroll.payruns.read           Read pay run totals, net pay, PAYE, and KiwiSaver contributions

Infrastructure

Sub-processors & certifications.

Third-party services that process data on our behalf.

Sub-processor        Role                                         Region                        Certifications
Supabase             Database, authentication & edge functions    AWS Sydney (ap-southeast-2)   SOC 2 Type II, HIPAA
Xero                 Accounting data source (read-only OAuth)     Global                        SOC 1, SOC 2, ISO 27001
Google AI (Gemini)   AI-powered financial insights                Global                        SOC 1/2/3, ISO 27001, FedRAMP
Resend               Transactional email delivery                 US (AWS)                      SOC 2 Type II
Cloudflare           CDN, DDoS protection & DNS management        Global (300+ cities)          SOC 2 Type II, ISO 27001, PCI DSS

Data Access & Management

Access to raw data is strictly controlled:

  • Only authorised partners of Forge Innovations Limited have access to the platform backend.
  • Administrative access requires multi-factor authentication on every session.
  • All admin actions (user approvals, role changes, data access) are recorded in an immutable audit log.
  • User sign-up notifications are delivered to designated admin email addresses only.
  • No third-party analytics, advertising, or tracking services have access to your financial data.
  • AI-generated insights are processed in-memory and are not stored, shared, or used for model training.

Your Rights

Control over your data.

Under the New Zealand Privacy Act 2020, you have the right to:

Access

Request a copy of all personal data we hold about you.

Correction

Ask us to correct any inaccurate information.

Deletion

Request permanent deletion of your data.

Portability

Your data remains in Xero — we only hold a synced copy.

For any privacy enquiries, contact us at privacy@forgeinnovations.nz.

Request

Submit a data request.

Whether you're an active client or have previously provided information to Forge, you can request access to, correction of, or deletion of the data we hold. We aim to process all requests within 30 days.