Skip to content
Shadow Forge
How it worksFeatures GalleryPricingFAQ
Log in Start free

Security

Last updated 16 July 2026 · Back to Shadow Forge

Before launch: every claim below must be verified against the live system before publishing. Security claims are the easiest thing on a marketing site to get sued over. In particular: do not claim a certification, audit or penetration test you have not actually had.

Shadow Forge holds your tool library and your drawer designs. Here is how that is protected.

Contents

  1. Architecture
  2. Data isolation
  3. Encryption
  4. Authentication
  5. Payments
  6. Reporting a vulnerability

1. Architecture

The parts of Shadow Forge that generate geometry run entirely in your browser. Photographs are processed, tools traced, and DXF/STL/PDF written on your own machine. The server side exists to store your account and sync your library — not to do the work.

This is a deliberate design choice, and it is the strongest security property we have: data that is never transmitted cannot be intercepted, and data we never hold cannot be breached from us.

2. Data isolation

Our database enforces row-level security. Access rules are applied by the database itself on every query, so one account physically cannot read another account's rows — it does not depend on the application layer remembering to filter.

3. Encryption

All traffic is encrypted in transit with TLS. Data at rest is encrypted by our infrastructure provider.

4. Authentication

Passwords are hashed by our authentication provider — we never store or see them in plaintext, and we cannot recover one for you. Password reset runs through a signed, time-limited link sent to your email.

The publishable API key shipped in the client is public by design; it grants nothing on its own, because row-level security governs access. Privileged keys and payment secrets are held only in server-side function secrets and are never exposed to the browser.

5. Payments

Payments run through Stripe. Card details go from your browser to Stripe directly — they do not pass through, and are not stored on, our servers. We can see the last four digits and the card brand, which is all we need to show you what is on file.

6. Reporting a vulnerability

If you find a security issue, please tell us before you tell anyone else, and give us a reasonable window to fix it. Contact us with the details and steps to reproduce. We will not pursue legal action against researchers acting in good faith who do not access other users' data or degrade the Service.

Before launch: publish a dedicated security contact address, and decide whether you are offering a bug bounty. "Contact us" is a weak channel for a vulnerability report.

Shadow Forge

Browser-based CNC design for custom foam tool drawers. Trace tools, build drawers, cut shadow boards.

Product

  • Features
  • How it works
  • Gallery
  • Pricing

Resources

  • FAQ
  • Support
  • Security

Company

  • About
  • Contact

Legal

  • Terms of Service
  • Privacy Policy
  • Cookie Policy
  • Acceptable Use
  • Refunds
© 2026 Shadow Forge. All rights reserved. Made for people who hate a messy drawer.