Privacy Policy
Last updated: April 22, 2026
1. Overview
DevForge ("we", "us", "our") operates audit.devforgeapp.com. This policy explains what data we collect, how we use it, and how we protect it. By using our service, you agree to this policy.
2. What We Collect
Information you provide:
- Email address — used to send your audit report
- AWS IAM Role ARN — used solely to assume read-only access to your account during the audit
- ExternalId — used as a security token to authorize the role assumption
Information generated during the audit:
- Audit findings — security check results from your AWS account
- PDF report — generated and stored temporarily in AWS S3
We do NOT collect or store:
- AWS credentials or access keys
- Actual data from your AWS resources (no S3 object contents, no database data)
- Payment information
3. How We Use Your Data
- Your Role ARN and ExternalId are used only during the audit session (15 minutes max) and are never persisted
- Your email is used only to send the audit report and is not added to any mailing list
- Audit reports are stored in S3 with a presigned URL that expires in 24 hours
- After 24 hours, the presigned URL expires and the report becomes inaccessible
4. AWS Access — How It Works
We use AWS sts:AssumeRole to temporarily access your account. The IAM role is:
- Deployed by you via CloudFormation — we never have access to your AWS credentials
- Read-only — attaches the AWS managed policies SecurityAudit and ReadOnlyAccess
- Protected by ExternalId — only our specific account can assume it
- Revocable at any time — delete the CloudFormation stack to remove access permanently
Temporary credentials issued during the audit session expire after 15 minutes and are never stored.
5. Data Retention
- Audit reports: accessible via presigned URL for 24 hours, then effectively deleted
- Email addresses: not retained after report delivery
- Role ARN / ExternalId: never stored — used only during the active audit session
6. Third-Party Services
- AWS — infrastructure (Lambda, S3, CloudFront, API Gateway)
- Google Analytics — anonymous usage analytics (page views, audit completions). No personal data is shared.
7. Security
All data is transmitted over HTTPS. Reports are stored in private S3 buckets accessible only via time-limited presigned URLs. We do not share your data with any third parties beyond those listed above.
8. Your Rights
You may request deletion of any data associated with your email by contacting us at hello@devforgeapp.com. Since we do not retain most data beyond 24 hours, there is typically nothing to delete.
9. Changes
We may update this policy. Changes will be posted on this page with an updated date.
10. Contact
Questions? Email us at hello@devforgeapp.com