Your data,
protected at every layer.

Everything you send us travels over TLS 1.3 with modern cipher suites. Older protocols are rejected at the door.

Everything we store is encrypted at rest with AES-256. Your sessions, your wellness, your conversations — all of it.

Database backups use the same standard. Encryption keys live separately from the data they protect.

The BioForge backend runs on Railway with PostgreSQL. The frontend lives on Vercel's edge network.

Access to infrastructure is restricted to a handful of people. Every action is logged and auditable.

Deployments are automated — no one manually SSHes into servers. Configuration lives in code, versioned and reviewed.

BioForge uses Claude by Anthropic to power your coach. Claude operates under zero retention: your data is processed in real time and never stored.

Your data is never used to train someone else's AI. Anthropic's API terms explicitly prohibit using customer data to improve models.

Claude only sees your data when you actively ask the coach a question. There is no continuous background processing.

Sessions use secure HTTP-only cookies with strict same-site policies.

No password is ever stored in clear text. Auth tokens are cryptographically signed and expire on their own.

Every API endpoint requires authentication. Rate limiting is enforced everywhere.

If you find a vulnerability, please email security@bioforge.science. We take every report seriously.

We acknowledge within 48 hours and give an initial assessment within 7 business days.

We do not take legal action against researchers who report in good faith.

BioForge fully complies with EU GDPR, including Article 9 for special category data (health, biometric).

We process your data on the basis of your explicit consent. You can withdraw it and request deletion at any time.

You have full rights to access, rectify, erase, port, and restrict processing. Requests are handled within 30 days.