Forge Docs

Security

Practical trust boundaries: what Forge receives, what it does not access, how prompts and output are handled, and where customer responsibility starts.

Practical security notes for Forge as a web-first product for Teamcenter ITK batch generation.

This page is about operational boundaries and trust-relevant behavior in the current service. It is not a legal policy page and it does not claim certifications or compliance programs that are not described elsewhere in this repo.

Service Boundary

Forge is a hosted web product.

Forge currently:

  • receives prompts and generation context submitted through the product
  • generates Teamcenter ITK batch source artifacts on the server side
  • stores generation records, files, and related metadata for authenticated workspace workflows
  • returns generated files for engineer review and download

Forge does not:

  • execute generated customer code in customer environments
  • log into or operate a customer Teamcenter instance as part of the current product flow
  • require direct access to a customer Teamcenter deployment to generate output

What Forge Receives

Depending on the workflow, Forge may receive:

  • account and authentication data
  • workspace and billing data
  • prompts and generation parameters
  • generated output files
  • API key records
  • usage, diagnostics, and delivery metadata

What Forge Does Not Need

Forge does not need live runtime access to a customer Teamcenter environment to perform the current generation workflow.

Customers remain responsible for:

  • build validation
  • deployment
  • execution
  • operational testing in the target environment

Prompts And Generated Output

Prompts and generated output are part of the product workflow.

Forge may store and review that content as needed to:

  • deliver the service
  • support generation history and downloads
  • investigate failures
  • provide support
  • detect abuse or security issues
  • improve service reliability

Customers retain rights in their prompts and generated output.

Forge does not describe customer prompts or outputs as a shared knowledge-base corpus for other customers.

Access Controls

Current access model at a high level:

  • web access uses magic-link authentication and server-side sessions
  • API access uses Bearer API keys
  • protected routes enforce authentication before returning workspace or generation data
  • generation endpoints apply validation and rate limiting before long-running work starts

This page is a practical summary, not a formal security specification.

Billing And Third-Party Services

Forge uses third-party services where needed for:

  • payment processing
  • email delivery
  • hosted infrastructure
  • model-provider generation workflows

Billing is handled through Stripe in the current product.

Customer Responsibility

Forge generates source artifacts, not production approval.

Customers should:

  • review generated output before use
  • validate builds in the target toolchain and environment
  • verify behavior against their Teamcenter configuration and release
  • decide whether generated output is suitable for production or customer delivery

Contact

For security questions or trust-review requests, contact support@plmnexus.com.