Security as a Company Value

ForgeRock’s security & compliance principles guide how we deliver our products and services, enabling people to simply and securely access the digital world.

Three Guiding Principles for Security

ForgeRock has founded its security approach on the three core principles of information security:

  • Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
  • Integrity: The property of safeguarding the accuracy and completeness of information and such asset
  • Availability: The property of information is accessible and usable upon demand by only authorized entities

Together, these three principles deliver one thing to our customers — a product and service that allows people to simply and securely access the digital world and a company they can trust to help them do that.

Secure Personnel

ForgeRock takes the security of its data and that of its clients and customers seriously and ensures that only vetted personnel are given access to ForgeRock resources.

  • All ForgeRock contractors and employees undergo background checks prior to being engaged or employed by ForgeRock in accordance with local laws and industry best practices.
  • Confidentiality or other types of Non-Disclosure Agreements (NDAs) are signed by all employees, contractors, and others who have a need to access sensitive or internal information.
  • We embed the culture of security into our business by conducting employee security training & testing using current and emerging techniques and attack vectors.

Secure Development

  • All development projects at ForgeRock, including on-premises software products, support services, and ForgeRock's own Digital Identity Cloud offerings follow secure development lifecycle principles.
  • All development of new products, tools, and services, and major changes to existing ones, undergo a design review to ensure security requirements are incorporated into proposed development.
  • All team members that are regularly involved in any system development undergo annual secure development training in coding or scripting languages that they work with as well as any other relevant training.
  • Software development is conducted in line with OWASP Top 10 recommendations for web application security.

Secure Testing

ForgeRock deploys automated vulnerability scanning of all production and Internet facing systems on a regular basis.

  • All new systems and services are scanned prior to being deployed to production.
  • We perform penetration testing both by internal security engineers and external penetration testing companies on new systems and products or major changes to existing systems, services, and products to ensure a comprehensive and real-world view of our products & environment from multiple perspectives.
  • We perform static and dynamic software application security testing of all code, including open source libraries, as part of our software development process.

Cloud Security

ForgeRock Identity Cloud provides maximum security with complete customer isolation in a modern, multi-tenant cloud architecture.

ForgeRock Identity Cloud leverages the native physical and network security features of the cloud service, and relies on the providers to maintain the infrastructure, services, and physical access policies and procedures.

  • All customer cloud environments and data are isolated using ForgeRock’s patented isolation approach. Each customer environment is stored within a dedicated trust zone to prevent any accidental or malicious co-mingling.
  • All data is also encrypted at rest and in transmission to prevent any unauthorized access and prevent data breaches. Our entire platform is also continuously monitored by dedicated, highly trained ForgeRock experts.
  • ForgeRock has implemented a mature information security management system (ISMS), owned by our CISO, which details the security policies that all ForgeRock employees must follow. All of these policies and practices are also regularly reviewed and assessed by internal as well as external auditors.
  • We separate each customer's data and our own, utilizing unique encryption keys to ensure data is protected and isolated.
  • ForgeRock's data protection complies with ISO 27001 standards to encrypt data in transit and at rest, ensuring customer and company data and sensitive information is protected at all times.
  • We implement role-based access controls and the principles of least privileged access, and review revoke access as needed.


ForgeRock is committed to providing secure products and services to safely and easily manage billions of digital identities across the globe. Our external certifications provide independent assurance of ForgeRock’s dedication to protecting our customers by regularly assessing and validating the protections and effective security practices ForgeRock has in place.

SOC 2 Type II

SOC 2 Type II

ForgeRock successfully completed the AICPA Service Organization Control (SOC) 2 Type II audit. The audit confirms that ForgeRock's information security practices, policies, procedures, and operations meet the SOC 2 standards for security, availability, and confidentiality. Our adherence with these standards will be externally validated annually.

Customers and prospects can request access to the audit report here.

ISO 27001, 27017 and 27018

ISO 27001, 27017 and 27018

ISO 27001 is an industry standard for information security. ForgeRock's information security management system (ISMS) has been independently assessed and certified to the ISO 27001 standard. ForgeRock has included ISO 27017 and ISO 27018 into its certified ISMS and additionally has achieved independent certifications validating the controls and implementation guidance relevant to those standards are in place and operational.

The scope of ForgeRock's ISMS covers all major offices used in the development of ForgeRock products, all of our product offerings including our standalone on-premise products, Identity Cloud service, and Autonomous products, as well as all supporting infrastructure, systems, and internal processes.

CSA STAR (Level 2)

CSA STAR (Level 2)

Cloud Security Alliance (CSA) is the first step of the many cloud-specific certifications. ForgeRock continues to demonstrate our commitment to industry-accepted security controls and transparency for our cloud services. ForgeRock Identity Cloud has recently completed an external audit to validate that we meet the criteria required for the Cloud Security Alliance (CSA) STAR (Level 2) attestation. Both the CSA STAR Level 2 attestation and the CSA Consensus Assessments Initiative Questionnaire (CAIQ) v4 can be seen on the CSA STAR Level 2 registry page.



Health Insurance Portability and Accountability Act (HIPAA) is the U.S. national standard for health information security and privacy that governs the use and disclosure of sensitive protected health information (PHI). ForgeRock Identity Cloud complies with HIPAA security standards and Health Information Technology for Economic and Clinical Health (HITECH) Act breach notification requirements.

Trusted Information Security Assessment Exchange (TISAX)

Trusted Information Security Assessment Exchange (TISAX)

The Trusted Information Security Assessment Exchange (TISAX) is an assessment and exchange mechanism for the information security of enterprises, governed by ENX on behalf of the German VDA. The exchange allows recognition of assessment results among the participants. TISAX may be accessed by active participants via TISAX and TISAX results are not intended for general public. ForgeRock Inc. & ForgeRock Ltd. are active TISAX participants with assessment results available through the ENX portal at: under scope ID: SZZMC3 and assessment ID: AZ5YYL-1.


ForgeRock Security & Compliance Whitepaper


ForgeRock Identity Cloud Security


ForgeRock Statement on Modern Slavery

Data Sheet

HIPAA Compliance