Privacy Policy
Last updated: 17 February 2026
Data Controller
Forged is the data controller for personal data processed through CMP by Forged. Forged is currently under formal registration, with organization number listed as [Org.nr. pending registration] and address listed as [Registered address pending]. Privacy inquiries can be sent to support@forged.no; at this stage, a separate Data Protection Officer is not required based on company size and processing scope.
What Personal Data We Process
To provide CMP by Forged, we process account data such as name, email address, and organization name received through Microsoft Entra ID, plus authentication data such as session identifiers and login timestamps. We also process Azure resource metadata including subscription names, resource group names, and tenant identifiers, together with usage data such as pages visited, features used, and timestamps. We do not process payment card information, health information, or special category personal data.
Legal Basis for Processing
Our legal basis under GDPR Article 6 depends on the processing activity. We process data under Article 6(1)(b) when necessary to deliver the CMP service under contract, and under Article 6(1)(f) for legitimate interests such as security monitoring, service improvement, and fraud prevention. We also process certain records under Article 6(1)(c) where needed to comply with legal obligations, including Norwegian bookkeeping requirements.
Purpose of Processing
CMP by Forged processes personal data to deliver cloud cost analysis and optimization recommendations for customer Azure environments. We also process data for user authentication and session management, customer support, and continuous service improvement through reliability monitoring. In addition, we process data to protect the service and customers through security controls and fraud prevention.
Recipients and Sub-processors
We use selected sub-processors to operate CMP: Microsoft Azure for infrastructure and database hosting, Cloudflare for frontend hosting, CDN, and DDoS protection, and Microsoft Entra ID for authentication. These providers process data only for defined service purposes and under contractual controls. Sub-processors operate within the EEA or under appropriate safeguards where required.
International Data Transfers
Primary processing for CMP takes place within the EEA, including Azure West Europe. Because Cloudflare operates a global edge network, request-level data may be processed outside the EEA when traffic is routed through edge nodes. Where transfers occur to non-adequacy jurisdictions, we apply GDPR Article 46 safeguards, including EU Standard Contractual Clauses.
Data Retention
Account data is retained while an account is active and for up to 12 months after termination to support auditability and reactivation handling. Azure cost and resource data is refreshed in near real time and cached for up to 24 hours, audit logs are retained for 12 months, and session data follows a 24-hour session cookie lifetime. When retention periods expire, data is deleted or irreversibly anonymized unless continued storage is legally required.
Your Rights
You have the rights set out in GDPR Chapter III, including access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and objection (Art. 21). To exercise these rights, contact us at support@forged.no, and we will respond within applicable legal timelines. You also have the right to lodge a complaint with Datatilsynet, the Norwegian Data Protection Authority, at datatilsynet.no.
Cookies and Session Management
We use strictly necessary session cookies to provide secure authentication in CMP using OIDC. The authentication cookie is named .FinOps.Session and is configured with HttpOnly, Secure, and SameSite=Lax attributes to reduce unauthorized access risks. We do not use tracking, analytics, or marketing cookies, and consent is therefore not required for this cookie under ekomloven section 3-15.
Security Measures
We protect personal data using encryption in transit (TLS 1.2 or higher) and encryption at rest in managed cloud services. Access is controlled through Azure Managed Identity, role-based access control, and tenant isolation mechanisms designed for multi-tenant security. Access to customer Azure environments is read-only through Azure Lighthouse delegation to support least-privilege processing.
Changes to This Policy
We may update this Privacy Policy when legal, technical, or operational requirements change. If we make material changes, registered users will be notified by email before or when changes take effect. The "Last updated" date at the top of this page always shows the latest published version.
Contact
For all privacy questions, data subject requests, or concerns about processing in CMP by Forged, contact support@forged.no. You may also contact Datatilsynet as the supervisory authority in Norway via datatilsynet.no. We will cooperate with supervisory authorities and provide relevant documentation when required by law.