At Forge, protecting your data is a fundamental commitment. Our approach is simple, transparent, and designed for European clients.
Your data belongs to you. We host it in France, we protect it, and we do not exploit it.
A platform designed for European clients
Forge is developed by a European company and complies with GDPR requirements as well as the security standards expected by European businesses. Our philosophy is clear:
- your data remains under your control;
- it is never resold;
- it is never used to train AI models.
Forge acts only on its clients' instructions, within a strict and auditable contractual framework.
Where is your data stored?
Primary hosting, France (EU)
Forge data is hosted in France by our main subcontractor Scaleway. This includes:
- personal data (users, identifiers, metadata);
- imported content (documents, videos, files, knowledge bases);
- indexes and representations required for search functionalities.
Data remains within Forge's infrastructure and is not transferred outside the European Union by default. Source: scaleway.com/fr/privacy.
Security and governance
The ISO 27001 certification is held by SQUARANCE (Rise Up) and covers the shared security processes used for Forge. This certification governs:
- access and authorization management;
- environment separation;
- action traceability;
- incident and risk management.
Security is integrated from the design stage and continuously monitored.
Observability and logs
Datadog
Forge uses Datadog for technical monitoring and incident detection. The processed data is limited to:
- technical metrics;
- application logs necessary for operations.
Logs contain no client content and no exploitable personal data. Retention is limited to what is strictly necessary for operational purposes. Source: datadoghq.com data processing agreement.
Use of artificial intelligence in Forge
Forge uses AI technologies to analyse your content and deliver its features. We rely on specialised subcontractors only when necessary.
Common principles for all AI providers
Regardless of the provider:
- only content data is transmitted, never full documents;
- Forge implements minimisation and pseudonymisation mechanisms to limit the presence of personal data in sent requests;
- data is not used to train models;
- data is not resold;
- retention is limited to technical needs of the service.
Data actually transmitted to AI providers
When Forge uses an AI provider, complete client content is never transmitted. AI providers receive no full documents, knowledge bases, or source files.
The transmitted data takes the form of a technical prompt, used to:
- answer a user's question;
- or generate a learning activity (e.g. flashcards, quiz, summary, podcast, guided activity).
This prompt may include:
- Forge coach instructions (role, tone, response rules);
- training programme context (learning objectives, structure, guidelines);
- text excerpts from the document search engine (RAG): up to 5 excerpts, each limited to 512 tokens;
- a recent conversation history: typically 5 to 10 messages, anonymised (no personal data, no user identifiers).
These data:
- are transmitted only to produce the requested response or activity;
- are not stored by Forge on provider systems;
- are retained by providers only temporarily, per their policies (security, abuse prevention, debugging).
Response reliability and hallucination mitigation
Forge implements several mechanisms to reduce the risk of AI errors or hallucinations, including:
- an internal control layer ("Judge") that checks response consistency with context and provided content;
- abuse and safety filters from AI providers;
- source citation when relevant, allowing users to identify the origin of information;
- a user feedback mechanism to report incorrect or inappropriate responses.
AI is used as an assistive tool, not as an autonomous source of truth. Responses are always contextualised using client-provided content.
AI subprocessors, provider details
The table below summarises each AI subprocessor used by Forge. Detailed processing notes follow.
| Provider | Use case | Model training | Retention |
|---|---|---|---|
| OpenAI | Coach chat, audio analysis, multimodal generation | No | Time-limited (API security) |
| Google Gemini | Coach chat, video analysis, multimodal generation | No | No human access |
| Scorm Genie (FR) | SCORM module analysis | No | Deleted after analysis |
| Argil | Video generation | No | Contractual |
| ElevenLabs | Audio generation | No (disabled for API) | Per provider policy |
| Gradium | Audio generation | No | Per provider policy |
| Cohere | Document search, reranking, embeddings (RAG) | No | Per provider policy |
| Firebase | Push notifications | No | Technical only |
OpenAI
Use cases: Chat with the coach, audio analysis and transcription, multimodal generation (image, audio).
Data processing: Data is processed solely to generate the requested response. It is not used for model training. OpenAI may temporarily retain certain data transmitted via the API for security, abuse prevention, and debugging purposes. This retention is time-limited and governed by OpenAI's security policies.
Sources: platform.openai.com data usage policies, openai.com API data usage policies .
Google Gemini (Google Cloud)
Use cases: Chat with the coach, video analysis, multimodal generation (image, video, audio).
Data processing: Data is processed only to provide the requested service. It is not used for model training and is not subject to human access. Forge uses Gemini via Google Cloud APIs, under an enterprise contract.
Sources: cloud.google.com Gemini data governance, cloud.google.com service terms .
Scorm Genie (France)
Use cases: SCORM module analysis.
Data processing: SCORM modules are temporarily stored in France, on AWS (EU region) infrastructure, only for the duration of analysis. The analysis parses all module files to extract content and pedagogical structure. Modules are deleted immediately after analysis. No long-term storage or model training occurs.
Sources: scormgenie.com .
Argil
Use cases: Video generation.
Data processing: Data is used only to produce the requested content, under a contractual framework. No reuse or secondary exploitation occurs.
Sources: Argil contractual documentation .
ElevenLabs
Use cases: Audio generation.
Data processing: Data is used only to generate audio. Training use is disabled for API usage.
Sources: elevenlabs.io/privacy .
Gradium
Use cases: Audio generation.
Data processing: Data is processed only to provide the requested service. No reuse or commercial exploitation occurs.
Sources: gradium.ai/privacy .
Cohere
Use cases: Document search, reranking, embeddings (RAG).
Data processing: Data is not used for model training and is processed only to provide the service.
Sources: cohere.com/privacy .
Firebase
Use cases: Push notifications.
Data processing: Data is limited to technical information required for notification delivery. No business data is exploited.
Sources: firebase.google.com support privacy .
GDPR and Forge's role
Forge acts as a data processor under the GDPR. We commit to:
- processing data only on behalf of our clients;
- ensuring confidentiality and security;
- assisting clients in meeting their regulatory obligations.
We apply strict security and confidentiality measures to guarantee you complete peace of mind.
For any questions: dpo@forgelearning.com.
Last updated: February 2026.
Data Protection Officer: Guillaume Blachon, dpo@forgelearning.com.