Security Statement

Last updated: 30 June 2026

Introduction

ForgeAI Studio, trading as NovaStacks ("we", "us", "our"), designs and builds custom SaaS platforms, AI-powered business software and bespoke web applications. We understand that the software we build often handles information that is important to the organisations and people who rely on it. Protecting that information is a core part of how we work, not an afterthought.

This statement sets out, at a general level, the practices and principles we apply to security across the design, development and operation of our software. It is intended to give our customers and users confidence in our approach. It does not form part of any contract and may be updated from time to time as our practices and the wider security landscape evolve.

Our approach to security

We treat security as an ongoing discipline rather than a fixed state. Our aim is to build software that is secure by design, to limit the ways in which things can go wrong, and to be able to respond quickly and responsibly when issues arise. The principles below describe how we put that aim into practice.

Secure development practices

Security is considered throughout our development process rather than added at the end. In practice this means:

  • We aim to follow established, industry-recognised secure development principles.
  • We consider security and data protection when designing new features and systems.
  • We use code review and testing as part of our development workflow to help identify defects and weaknesses before changes are released.
  • We seek to validate and handle input safely, and to avoid common categories of application vulnerability.
  • We make improvements to our practices over time as we learn and as standards evolve.

Encryption in transit

We use encryption to help protect data as it moves between users, our applications and the underlying services they depend on. Connections to our web applications and interfaces are served over encrypted channels using current, widely accepted transport encryption standards. Our goal is to ensure that information exchanged with our software is protected against interception and tampering while in transit.

Access control and least privilege

We apply the principle of least privilege, meaning that access to systems and data is granted only to the extent needed for a particular role or function. Our access-control measures are designed to:

  • Restrict access to production systems and sensitive data to authorised individuals.
  • Separate different environments and limit access between them where appropriate.
  • Apply authentication controls to administrative and privileged access.
  • Review and adjust access as roles and requirements change.

Where our software hosts data for multiple customers, it is designed to keep each customer's data logically separated and accessible only to authorised users of that customer's account.

Dependency and supply-chain management

Modern software relies on third-party libraries, frameworks and services. We take reasonable steps to manage the security of these dependencies, including:

  • Selecting reputable libraries and services where practical.
  • Keeping dependencies updated and applying security-relevant updates in a timely manner.
  • Monitoring for known vulnerabilities in the components we use and acting on them according to their severity.

Monitoring and logging

We use monitoring and logging to help us understand how our systems are behaving and to detect potential issues. This supports the early identification of errors, unusual activity and possible security events, and helps us investigate and respond when something requires attention. Logs are handled with appropriate care and retained for an appropriate period.

Incident response

Despite careful preparation, no software or organisation can guarantee that security incidents will never occur. We maintain a practical approach to incident response so that, if a security issue does arise, we can:

  • Investigate and assess the nature and scope of the issue.
  • Take appropriate steps to contain and remediate it.
  • Learn from the event and improve our systems and practices to reduce the likelihood of recurrence.
  • Notify affected parties where it is appropriate or required to do so.

Responsible disclosure

We welcome reports from security researchers and members of the public who believe they have found a vulnerability or security issue in our software or services. Responsible disclosure helps us protect our customers and users, and we are grateful to those who take the time to report issues to us.

If you believe you have discovered a security vulnerability, please contact us by email at support@novastacks.co.uk. Where possible, please include enough detail for us to reproduce and understand the issue, such as a description of the vulnerability, the affected product or page, and the steps required to observe it.

We ask that you:

  • Give us a reasonable opportunity to investigate and address the issue before disclosing it publicly.
  • Avoid accessing, modifying or deleting data that does not belong to you.
  • Avoid actions that could harm the availability, integrity or privacy of our services or their users.

We will review reports we receive, take appropriate action, and respond as the situation requires. Email is our only contact channel, and we aim to handle disclosures in good faith.

A shared responsibility

Security is most effective when it is shared. We encourage our customers and users to play their part by protecting their account credentials, choosing strong and unique passwords, controlling who has access to their accounts, and contacting us promptly if they suspect any unauthorised access or other security concern.

Changes to this statement

We may update this Security Statement from time to time to reflect changes in our practices, technology or legal and regulatory requirements. When we make changes, we will revise the "Last updated" date shown at the top of this page.

Contact us

If you have any questions about this Security Statement, or wish to report a security concern, please contact us by email at support@novastacks.co.uk.

ForgeAI Studio (trading as NovaStacks) is a company registered in England and Wales under company registration number 17175307. Our website is https://novastacks.co.uk.