Forerunner is built with security and privacy at its core. This page explains how your data is protected, what privacy controls are available, and how to work with sensitive information.

Security overview

Forerunner employs multiple layers of security to protect your data:
Layer             Protection
Infrastructure    Hosted on secure cloud infrastructure with enterprise-grade protections
Data encryption   All data encrypted in transit and at rest
Authentication    Secure sign-in with optional SSO and MFA
Access control    Role-based permissions limit who can see and do what
Audit trails      Activity logging tracks changes and access

Data encryption

Encryption in transit

All data transmitted between your browser and Forerunner is encrypted:
  • HTTPS/TLS encryption for all connections
  • Secure websocket connections
  • API communications encrypted

Encryption at rest

Data stored in Forerunner’s systems is encrypted:
  • Database encryption
  • File storage encryption
  • Backup encryption
  • Encryption keys managed securely

Sensitive data like passwords and MFA secrets use additional encryption layers managed through secure key management services.

Access control

Forerunner uses multiple mechanisms to control who can access what data:

Role-based permissions

Your user role determines base-level access:
  • Manager - Full access including team management
  • Member - Full access to data without team management
  • Creator - Can create and edit records
  • View Only - Read-only access

User groups

Groups provide additional permission controls:
  • Access to specific record types
  • Visibility of certain data
  • Workflow participation
  • Feature availability

Record-level visibility

Individual records can be marked as:
  • Private - Visible only to authorized internal users
  • Public - Visible on the public website

Field-level permissions

For sensitive information, access can be restricted at the field level:
  • Certain fields visible only to specific groups
  • PII (personally identifiable information) access controlled
  • Sensitive data hidden from unauthorized users

Personally identifiable information (PII)

Forerunner provides controls for managing personally identifiable information:

What constitutes PII

Information that can identify individuals:
  • Names and contact information
  • Property ownership details
  • Financial information
  • Insurance data
  • Repetitive loss records

PII access controls

Access to PII is controlled through:
  • User permissions - Specific permission required to view PII
  • Role restrictions - Not all roles can access PII
  • Public user restrictions - Public users never see PII
  • Audit logging - PII access is tracked

Your Customer Success Manager configures PII access based on your organization’s needs and compliance requirements.

Best practices for PII

  • Only access PII when necessary for your work
  • Don’t export PII unless required
  • Never share PII through insecure channels
  • Report any suspected PII exposure

Public vs. private data

What’s typically public

Information that may appear on your public website:
  • Flood zone designations
  • Base Flood Elevation data
  • FIRM panel references
  • Approved permit records (if configured)
  • Elevation Certificates (if configured)
  • General property location

What’s always private

Information that never appears publicly:
  • Owner names and contact information
  • Internal staff notes and comments
  • Draft or pending records
  • User account information
  • Audit logs and activity history
  • Staff assignments and workflows

Controlling visibility

Record visibility is controlled through:
  1. Record type defaults - Each record type has a default visibility
  2. Individual record settings - Records can be toggled public or private
  3. Hidden from public flag - Specific records can be explicitly hidden

Review public visibility settings carefully. Once information is made public, anyone with the URL can access it. Work with your CSM to configure appropriate defaults.

Audit trails

Forerunner maintains comprehensive audit logs:

What’s logged

  • User sign-in and sign-out events
  • Record creation, updates, and deletions
  • File uploads and downloads
  • Permission changes
  • Configuration changes
  • API access

Who can view audit logs

  • Managers can view activity for their account
  • Forerunner administrators have expanded access for support

Retention

Audit logs are retained according to your account configuration and Forerunner’s data retention policies.

Session security

Session management

Your sessions are protected through:
  • Secure session tokens - Sessions authenticated with secure, randomly generated tokens
  • Session timeout - Automatic sign-out after inactivity
  • Concurrent session limits - May be limited based on configuration
  • Session invalidation - Sessions revoked on password change or deactivation

Session timeout

Inactive sessions are automatically terminated:
  • Timeout duration configured by your CSM
  • Activity resets the timeout counter
  • Closing the browser does not end the session; it stays active until the timeout
  • Sign out manually on shared computers

Account security

Password protection

Passwords are protected through:
  • One-way hashing (passwords cannot be retrieved, only reset)
  • Configurable complexity requirements
  • Optional expiration and history policies
  • Brute-force protection through lockout

Multi-factor authentication

Additional security through MFA:
  • SMS verification codes
  • Required or optional based on configuration
  • Protects against password theft
Learn more about multi-factor authentication.

Account lockout

Protection against unauthorized access:
  • Accounts locked after failed sign-in attempts
  • A lockout period applies before sign-in can be retried
  • Notification of lockout events

Compliance and certifications

Forerunner maintains security certifications and compliance with industry standards. For detailed compliance information:
  • Visit the Forerunner Trust Center
  • Contact your Customer Success Manager for specific compliance questions
  • Request security documentation as needed

Data handling

Data location

Forerunner data is stored in secure data centers with:
  • Geographic redundancy
  • Physical security controls
  • Environmental protections
  • 24/7 monitoring

Backups

Your data is protected through:
  • Regular automated backups
  • Point-in-time recovery capability
  • Geographically distributed backup storage
  • Tested restoration procedures

Data retention

Data retention follows:
  • Your organization’s requirements
  • Forerunner’s data retention policies
  • Legal and regulatory requirements
  • Explicit deletion requests

Reporting security concerns

If you suspect a security issue

  1. Don’t ignore it - Report any suspicious activity
  2. Document what you observed - Note times, actions, and any error messages
  3. Contact your Manager - They can escalate to appropriate parties
  4. Contact Forerunner support - For urgent security matters

What to report

  • Unexpected sign-in prompts or MFA requests
  • Access to data you shouldn’t see
  • Suspicious activity in audit logs
  • System behavior that seems wrong
  • Potential phishing attempts

Never share your password or MFA codes with anyone claiming to be from Forerunner support. Legitimate support will never ask for this information.

Security settings managed by CSM

These security settings are configured by your Customer Success Manager:
Setting             Description
Password policy     Minimum length, complexity, expiration
Session timeout     Duration before automatic sign-out
MFA requirements    Whether MFA is enabled or required
Failed login limit  Attempts before account lockout
SSO configuration   Integration with identity providers
PII access          Who can view personal information

Contact your CSM to discuss changes to these settings.

Security best practices

For all users

  • Use strong, unique passwords
  • Enable MFA if available
  • Sign out on shared computers
  • Report suspicious activity
  • Don’t share credentials
  • Keep your contact information current

For Managers

  • Review user access regularly
  • Deactivate users promptly when they leave
  • Assign minimum necessary permissions
  • Monitor for unusual activity
  • Coordinate with CSM on security policies

For organizations

  • Implement SSO if available
  • Enable MFA for all users
  • Configure appropriate session timeouts
  • Review public visibility settings
  • Establish data handling procedures
  • Train staff on security awareness

Troubleshooting

If you can access data beyond your expected permissions:
  1. Stop accessing the data
  2. Document what you observed
  3. Report to your Manager immediately
  4. Manager will contact CSM to investigate

If you can’t access data required for your work:
  1. Verify your role has appropriate permissions
  2. Check if you’re in the correct user groups
  3. Contact your Manager to request access
  4. Manager works with CSM to adjust permissions

If you receive a notification about a sign-in you didn’t make:
  1. Change your password immediately
  2. Report to your Manager
  3. Review any recent account activity
  4. Consider enabling MFA if not already active

If private data is visible on the public website:
  1. Report to your Manager immediately
  2. Manager contacts CSM for urgent review
  3. Visibility settings will be corrected
  4. Review all similar records for proper configuration