Legal

Privacy & Data Security

Last updated: May 5, 2026 · Questions? info@rollforgeops.ai

Your data is yours. Period.

PE operating partners trust RollForge with proprietary portco financials, operational data, and benchmarking data that don't leave the firm. We take that seriously. This policy explains exactly what we do with your data — and what we will never do with it.

You own your data No selling, ever AES-256 encryption at rest TLS 1.2+ in transit Logical data isolation 72-hour breach notification

Contents

Data We Collect
Data Ownership
Data Isolation
Encryption & Security
No Selling or Sharing
How We Use Your Data
Access Controls
Data Retention & Deletion
Subprocessors
Compliance Roadmap
Breach Notification
Contact

01 Data We Collect

We collect the minimum data necessary to provide the Platform. This includes:

Account data: Name, email address, organization name, and password (stored as a salted hash — we never store plaintext passwords). Role assignments within your organization.

Customer Data: Portfolio company data, financial data, operational metrics, vendor spend data, KPI goals, and any other content you upload or enter into the Platform. You control this data entirely.

Usage data: Log data, feature usage patterns, IP addresses, and browser/device information — used to operate, maintain, and improve the Platform.

Communications: Email address and any content you send to us via support or inquiry forms.

We do not collect payment card data directly. Payments are processed by Stripe, our payment processor. See our Subprocessors section for details.

02 Data Ownership

All Customer Data you upload to RollForge remains your property. We do not claim any ownership over your portfolio company data, financial information, operational data, or any other content you provide.

You retain full intellectual property rights in your Customer Data at all times. RollForge holds only a limited operational license to store and process that data for the purpose of providing the Platform to you — and for no other purpose.

You can export your data at any time from your account. On account termination, you retain the right to export all Customer Data before deletion. See Data Retention & Deletion for timelines.

03 Data Isolation

RollForge enforces strict logical data isolation between customer accounts:

Account-level isolation: Each organization's data is scoped to that organization. A user in Organization A cannot access data belonging to Organization B under any circumstances.
Portfolio company isolation: Portfolio company (portco) data is visible only within the organization that owns it. Portco A data is never visible to Portco B unless both belong to the same account.
No cross-customer aggregation: We do not aggregate, analyze, or use your Customer Data across customer accounts. Your portco financials do not inform anonymous benchmarks shown to other customers without your explicit consent.
Role-based access within your org: Investor-role users can be restricted to specific portcos within your organization. Full-account visibility is limited to Admin and Member roles by your own configuration.

04 Encryption & Security

Data in Transit

TLS 1.2+ enforced on all connections. No plaintext HTTP on any data endpoint.

Data at Rest

AES-256 encryption via Neon PostgreSQL. Encryption keys managed by our infrastructure provider.

Passwords

PBKDF2-SHA256 with per-user salts. Plaintext passwords are never stored.

Session Tokens

Cryptographically random 256-bit tokens, stored as HttpOnly cookies. 30-day expiry.

Infrastructure

Hosted on Render (SOC 2 Type II certified). Database hosted on Neon (SOC 2 Type II certified).

Access Controls

All database queries use parameterized statements. Production database access is restricted to application credentials only.

05 No Selling or Sharing

RollForge will never sell, rent, license, or otherwise monetize your Customer Data with any third party — ever.

We do not share your Customer Data with third parties except in the following limited circumstances:

Service providers: We share data with subprocessors (listed in Section 9) solely to operate the Platform — e.g., our database provider storing your data.
Legal compliance: We may disclose information if required by law, court order, or government regulation, and only to the extent required.
Business transfers: In the event of a merger, acquisition, or sale of substantially all assets, Customer Data may be transferred to the acquiring entity, subject to equivalent data protection commitments.
With your consent: We may share data for any other purpose with your explicit prior consent.

In all cases, we contractually require our subprocessors to maintain confidentiality and data protection standards at least as protective as those described in this Policy.

06 How We Use Your Data

We use the data we collect for the following purposes:

Platform operation: Providing, maintaining, and improving the RollForge Platform and its features
AI features: Customer Data you submit for AI-powered features (audit scoring, report generation, vendor matching) is processed to generate results and returned to you — it is not retained by our AI providers for training
Authentication and security: Verifying your identity, detecting fraud, and protecting the Platform
Communications: Sending transactional emails (invoice receipts, team invite notifications, security alerts) and, where you've opted in, product updates
Analytics and product improvement: Understanding feature usage patterns to improve the Platform (using aggregated, anonymized usage data only)
Legal compliance: Meeting our obligations under applicable law

07 Access Controls

RollForge enforces role-based access control (RBAC) within each organization:

Admin: Full access to all portfolio company data, team management, billing, and settings
Member: Full access to portfolio company data; no team management or billing access
Investor (read-only): Scoped to specific portcos assigned by an Admin; no cross-portfolio visibility; no write access

Audit logging. RollForge logs data access and modification events at the application level. Access logs are retained for compliance and security incident investigation purposes. We are committed to expanding audit log coverage and making audit trails available to Enterprise customers as part of our security roadmap.

RollForge staff access. Access to production customer data by RollForge personnel is restricted to a minimal set of individuals and is limited to what is necessary for support and operations. We do not routinely access your Customer Data.

08 Data Retention & Deletion

During your subscription: We retain Customer Data for as long as your account is active. You can delete individual records, portcos, or reports at any time from within the Platform.

On account termination:

You may export all Customer Data before your account is closed
Following account termination, Customer Data is retained for a 30-day grace period to allow for recovery in cases of accidental cancellation
After 30 days, Customer Data is permanently and irreversibly deleted from our production systems and backups on their normal rotation schedule

Data deletion requests. You may request deletion of specific Customer Data at any time by contacting us at info@rollforgeops.ai. We will process deletion requests within 30 days.

Legal holds. In limited cases, we may be required to retain certain data longer to comply with applicable legal obligations.

09 Subprocessors

We use the following key subprocessors to operate the Platform. All subprocessors are contractually bound to maintain data confidentiality and security standards consistent with this Policy.

Subprocessor	Purpose	Data Shared
Render	Application hosting and infrastructure. SOC 2 Type II certified.	All application data processed in transit
Neon	PostgreSQL database hosting. SOC 2 Type II certified. AES-256 encryption at rest.	All Customer Data stored at rest
Postmark	Transactional email delivery (invites, notifications, reports).	Email address, email content
Stripe	Payment processing. PCI DSS Level 1 certified. RollForge never stores card data.	Billing email, subscription status
OpenAI (via Polsia proxy)	AI-powered features: operations audit scoring, report generation, vendor matching. Data submitted is not retained for model training.	Customer Data submitted for AI analysis
ServiceTitan	Field service management integration. Only accessed when a customer explicitly connects their ServiceTitan account. Read-only access — RollForge does not write data to ServiceTitan. Credentials stored encrypted (AES-256-GCM) and never logged.	ServiceTitan jobs, revenue, and technician data for connected portcos only. Accessed only when the customer enables the integration.

We will update this list when we add or change subprocessors. Material changes will be communicated via email with 30 days' advance notice.

10 Compliance Roadmap

RollForge is committed to achieving and maintaining enterprise-grade security standards. Our current compliance posture and roadmap:

Infrastructure certifications (current): Our hosting (Render) and database (Neon) providers are SOC 2 Type II certified, providing a certified security foundation for the Platform
SOC 2 Type II (in progress): RollForge is actively pursuing SOC 2 Type II certification for our application-level controls. This is a near-term commitment and a priority for enterprise customers
Parameterized queries: All database interactions use parameterized statements, protecting against SQL injection
Security reviews: We conduct periodic internal security reviews of application code and infrastructure configuration

For Enterprise accounts with specific compliance requirements (GDPR data processing agreements, custom security reviews, vendor questionnaires), contact us at info@rollforgeops.ai.

11 Breach Notification

In the event of a confirmed security breach affecting your Customer Data, RollForge commits to:

Notifying affected customers within 72 hours of confirming the breach
Providing a clear description of: (a) what data was affected, (b) how the breach occurred (to the extent known), and (c) steps we are taking to contain and remediate it
Providing guidance on steps you can take to protect yourself
Cooperating fully with any legally required regulatory notifications

We maintain incident response procedures and will provide ongoing updates as the situation develops following any confirmed incident.

12 Contact & Changes

Questions about this Policy, data deletion requests, or security concerns — contact us at info@rollforgeops.ai. We respond to all data-related inquiries within 2 business days.

Changes to this Policy. We may update this Policy from time to time. When we make material changes, we will notify you by email at least 14 days before the changes take effect. The "Last updated" date at the top reflects the most recent revision.

Also see our Terms of Service for the full contractual framework governing your use of RollForge.