Your health data deserves forged-in protection
SomaForge is built with defense-in-depth security. Server-side data processing, row-level data isolation, biometric locks, and zero ad SDKs. Your data stays yours.
How We Protect You
Eight layers of protection
Server-Side Processing
Your health data is processed by our secure backend. API keys never touch your device. All server calls route through Supabase Edge Functions.
185 Row-Level Security Policies
Every database query is filtered by your user ID at the database level. Even if our API is compromised, other users' data stays isolated.
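As an added illustration of what "filtered by your user ID at the database level" means in a Postgres/Supabase deployment (this is example SQL written for this page, not SomaForge's own schema or policies), the block below defines a hypothetical `workouts` table and the owner-only Row-Level Security policies that Postgres enforces on every query, whether or not the application code remembers to add a `WHERE` clause. `auth.uid()` is Supabase's helper that returns the authenticated caller's user ID; the table name and columns are assumptions.

```sql
-- Constructed example table; the real application tables are not shown on this page.
create table workouts (
  id       uuid primary key default gen_random_uuid(),
  user_id  uuid not null references auth.users (id),
  notes    text
);

-- Turn RLS on. With RLS enabled and no policies yet, ordinary roles see no rows at all,
-- so access is deny-by-default until a policy explicitly grants it.
alter table workouts enable row level security;
-- Apply the policies to the table owner as well, not only to other roles.
alter table workouts force row level security;

-- Owner-only policies: each statement type is filtered by the caller's identity.
-- USING filters rows that already exist; WITH CHECK validates rows being written,
-- so a user cannot insert or update a row into someone else's user_id.
create policy workouts_owner_select on workouts
  for select using (auth.uid() = user_id);

create policy workouts_owner_insert on workouts
  for insert with check (auth.uid() = user_id);

create policy workouts_owner_update on workouts
  for update using (auth.uid() = user_id)
             with check (auth.uid() = user_id);

create policy workouts_owner_delete on workouts
  for delete using (auth.uid() = user_id);

-- Check: run as an authenticated user, this query has no WHERE clause at all,
-- yet it returns only that user's rows because the database applies the policy.
select id, notes from workouts;
```

The contrast with "app-level filtering" is that a filter such as `WHERE user_id = $1` lives in every code path that touches the table, and one forgotten path exposes other users' rows; with RLS the filter is attached to the table itself. One caveat a reviewer would check: Supabase's `service_role` key bypasses RLS by design, so server-side functions using that key must apply their own authorization, and that key should never ship in a client build.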
Biometric App Lock
Lock SomaForge behind Face ID or Touch ID. Configurable timeout from immediate to 15 minutes. Skips lock during active workouts.
Zero Ad SDKs
No Facebook SDK. No Google Ads. No analytics trackers that profile you. We make money from subscriptions, not your data.
TLS Encryption
All data in transit is encrypted with TLS 1.2+. Data at rest is encrypted on Supabase's infrastructure with AES-256.
GDPR-Compliant Deletion
Delete your account and all data is permanently removed. A 30-day recovery window lets you change your mind. After that, every row across all 79 tables is purged for good.
Rate Limiting & Abuse Protection
Server-side rate limits protect against brute force attacks. Feature flags allow instant response to security events.
Secure Credential Storage
Authentication tokens are stored in the platform keychain (iOS Keychain / Android Keystore), never in plain text or local storage.
Comparison
SomaForge vs. typical health apps
| | SomaForge | Typical App |
|---|---|---|
| Data isolation | Row-level security on every query | Shared database, app-level filtering |
| Data processing | Server-side (keys never on device) | Client-side API keys in app bundle |
| Ad SDKs | None. Zero tracking SDKs. | 3-7 ad/analytics SDKs |
| Account deletion | 30-day recovery window, then permanent purge across all 79 tables | 30-90 day hold, partial deletion |
| Encryption | TLS 1.2+ in transit, AES-256 at rest | TLS in transit, varies at rest |
| Data export | Full export (CSV, JSON, PDF) | Limited or no export |
Compliance & Certifications
GDPR Compliant
No Ad SDKs
App Store Approved
SOC 2 Type II: Planned
SomaForge is not HIPAA-compliant and should not be used as a medical records system. Security measures described on this page are accurate as of the current release. If you discover a security vulnerability, please email security@somaforge.app.