Trust & Security

We're honest about security.
Including what we're still building.

Nothing is "100% unhackable" — anyone who tells you otherwise is lying. What we promise: defense-in-depth that makes compromise expensive, blast radius small, and recovery fast. Below is the full picture — what's live, what's in progress, what's on the roadmap. No marketing fluff.

  • AES-256 · Encryption at rest
  • TLS 1.3 · Encryption in transit
  • Multi-Tbps · DDoS mitigation (Scale+)
  • <72h · Breach notification SLA

The threat model

What attackers go after — and how we defend

Every defense decision starts with naming the threat. Here's the full attack surface for game hosts and what we do about each one.

Threat | Impact | Our defense
Source code leak | High · IP loss, dataminer leaks | Tenant isolation + encrypted storage + audit logs + no shared filesystems
Player data breach (PII) | Critical · GDPR fines, brand damage | AES-256 at rest, TLS 1.3 in transit, customer-managed keys (Enterprise)
Server compromise (cryptominers / ransomware) | High · downtime + clean-up | Read-only base images, runtime EDR, anomaly detection, network isolation
DDoS extortion | Medium · player-facing downtime | Multi-Tbps mitigation (Scale+) · 100 Gbps minimum (Indie/Studio)
Supply-chain attack (compromised dependency) | Critical · invisible until exploited | Daily Security Sweeper agent · SBOM · signed builds · dependency pinning
Insider threat (employee with prod access) | Critical · trust violation | Zero-trust · just-in-time access · dual-control on prod · audit trail
Account takeover (dev / admin) | High · platform-wide blast radius | Mandatory MFA · hardware keys for prod · SSO + SCIM at Enterprise
Cross-tenant data leak | Critical · multi-customer breach | Container isolation (Indie) → dedicated single-tenant (Studio+) → fully isolated cluster (Enterprise)
IAP / payment fraud | Medium · revenue loss | Receipt validation · behavioral fingerprinting · payment-flow integrity audits
API abuse (scraping, fake accounts) | Low-Medium · reputation | Rate limits · bot detection · auth required on sensitive endpoints

Defense in depth

Five layers of defense

No single control is enough. Real security means breaking the kill chain at every step. Here's every control we run, with honest status flags.

Network

  • Multi-Tbps DDoS mitigation (Scale+) · ✓ Live: BGP-routed scrubbing with redundant providers. Auto-mitigation under 30 seconds.
  • 100 Gbps DDoS baseline (all tiers) · ✓ Live: Even our Indie tier is protected against most volumetric attacks.
  • Web Application Firewall (WAF) · ✓ Live: OWASP-rule baseline + game-specific rules (auth abuse, IAP fraud patterns).
  • Private VPC peering (Enterprise) · ✓ Live: Customer traffic never traverses the public internet.
  • IP allowlisting for admin APIs · ✓ Live: Mandatory for Growth+. Optional for Enterprise customers per policy.

Application

  • TLS 1.3 enforced + HSTS preloaded · ✓ Live: No plaintext fallback. Certificate pinning available.
  • mTLS for service-to-service · ✓ Live: Internal services authenticate via mutual TLS — no shared bearer tokens.
  • API rate limiting + layer-7 DDoS protection · ✓ Live: Per-key, per-endpoint, per-tenant. Burst tolerance configurable.
  • Daily dependency CVE scan (Security Sweeper) · ✓ Live: Auto-PR with patched version + smoke tests. Critical CVEs deployed within 24h.
  • Signed builds + SBOM (Software Bill of Materials) · In progress: in-toto attestation, SLSA Level 3 target. Q3 2026.
  • Runtime Application Self-Protection (RASP) · On roadmap: Inline detection of SQL injection, RCE attempts, prototype pollution.

Data

  • AES-256 encryption at rest · ✓ Live: Source code, player data, backups, logs — everything encrypted on disk.
  • TLS 1.3 in transit · ✓ Live: No data crosses any wire unencrypted.
  • HSM-backed key management · ✓ Live: Encryption keys live in FIPS 140-2 Level 3 hardware security modules.
  • Customer-managed keys (BYOK / CMEK) · ✓ Live: Available at Scale+. Required at Enterprise. You hold the keys; we hold the ciphertext.
  • Cross-region encrypted backups · ✓ Live: Hourly (Growth+) / 15-minute (Scale+) with cross-region replication.
  • Immutable backup option (Scale+) · ✓ Live: Ransomware-proof — historical snapshots cannot be deleted within the retention window.
  • Data Loss Prevention (DLP) on egress · In progress: Pattern detection on customer support channels and shared workspaces. Q3 2026.

Identity & Access

  • Mandatory MFA for all dashboard accounts · ✓ Live: TOTP + WebAuthn (hardware keys) supported.
  • Hardware security keys for prod access · ✓ Live: No GameForge engineer reaches production without a YubiKey + dual approval.
  • Zero-trust internal network · ✓ Live: No implicit trust. Every internal call is authenticated and authorized.
  • Just-in-time (JIT) elevated access · ✓ Live: Engineers request short-lived prod sessions per task. Auto-expires. Auto-audited.
  • SSO + SCIM provisioning (Enterprise) · ✓ Live: SAML 2.0, OIDC. Auto-deprovision on HR system update.
  • Privileged Access Management (PAM) · In progress: Tooling rollout underway. Manual today, automated via Teleport in Q3.

Operational

  • 24/7 incident response · ✓ Live: On-call rotation with engineering. Notification within 15 min of detection.
  • Annual third-party penetration test · On roadmap: Engaging NCC Group for first engagement Q4 2026. Annual cadence after.
  • Public bug bounty program · On roadmap: Launching on HackerOne in Q3 2026. Severity-based payouts ($100 → $25K).
  • Quarterly tabletop incident exercises · In progress: Currently bi-annual. Moving to quarterly cadence in Q3.
  • Outsourced 24/7 SOC (Security Operations Center) · On roadmap: Engaging Arctic Wolf or Expel for tier-1 monitoring. Q4 2026.
  • Endpoint Detection & Response (EDR) · ✓ Live: CrowdStrike Falcon on every production host. Real-time threat blocking.
  • Security awareness training · ✓ Live: Quarterly mandatory training for all employees. Annual phishing simulation.

Compliance & certifications

Where we are on every framework

We don't claim certifications we don't have. Here's the honest status of every framework you might need — and our timeline for the ones still in progress.

  • GDPR · ✓ Live: Full Article 28 DPA available. EU data residency option at Enterprise.
  • CCPA + CPRA · ✓ Live: California privacy framework. Self-serve data export and deletion.
  • COPPA · ✓ Live: Configuration available for kid-directed games. Age-gating support.
  • KOSA-ready · In progress: Kids Online Safety Act readiness. Roadmap depends on final legislation.
  • ISO 27001 (us, the company) · In progress: Engaged auditor. Target certification by Q4 2026. Our hosting facilities are already ISO 27001 certified.
  • SOC 2 Type II · In progress: Audit window started. Type II report expected Q3 2026.
  • PCI-DSS Level 2 (Scale+) · In progress: Self-assessment complete. External validation Q4 2026. Stripe passthrough always available.
  • PCI-DSS Level 1 (Enterprise) · On roadmap: Full external audit Q1 2027. For Enterprise customers handling payments directly.
  • HIPAA-compatible · ✓ Live: BAAs available at Enterprise. Recommended for healthcare or therapeutic-game customers.
  • FedRAMP Moderate · On roadmap: Roadmap depends on US government / defense customer demand. ATO target 2027.
  • ITAR controls · On roadmap: Available for Enterprise customers building defense / dual-use applications.
  • SOX (Sarbanes-Oxley) · On roadmap: For publicly traded customers needing financial reporting controls.

Responsible disclosure

Found a vulnerability?

We pay researchers for finding security issues — and we'll publicly credit you (with permission) for confirmed reports.

How to report

Email security@gameforge.ai with details, reproduction steps, and your PGP public key (if you have one). PGP key fingerprint published on this page Q3 2026.

We acknowledge within 24 hours. Triage within 72 hours. Fix critical issues within 7 days, high within 30 days.

Bug bounty

Public program launching on HackerOne in Q3 2026. Severity-tiered payouts:

  • Critical (RCE, auth bypass, mass data leak): $5K – $25K
  • High (privilege escalation, IDOR): $1K – $5K
  • Medium (XSS, CSRF, info disclosure): $250 – $1K
  • Low (config issues, hardening): $100 – $250

Safe harbor: Good-faith research is protected. We won't pursue legal action against researchers who follow our disclosure policy. Out of scope: social engineering, physical attacks, denial-of-service against production.

Our commitments

What you can hold us to

Notify within 72 hours

If we detect a security incident affecting your data, you hear from us within 72 hours — under the GDPR maximum, regardless of jurisdiction.

You always own your data

Self-serve export at any time, in any tier. Daily JSON dumps available. Migrate off GameForge whenever you want — no lock-in.

Source code is yours

Every game we build for you ships with full source. We claim no rights to your code, assets, or game data.

No security through obscurity

This page is the contract. We document defenses publicly so you can verify, dispute, and hold us accountable.

Honest incident postmortems

When something goes wrong, we publish a postmortem within 14 days of resolution. Root cause, timeline, what we're changing.

Zero-claim policy on AI training

Your code, telemetry, and player data never train external AI models. The Federated Bug Brain uses anonymized signatures only — and you can opt out.

Need a security review for procurement?

Enterprise customers get full SOC 2 reports, pen test summaries, DPAs, security questionnaires (SIG, CAIQ), and a security architect assigned to your account. Start with a quote and we'll loop in security from day one.