bigforceone

Outreach data privacy notice.

Last updated: 2026-05-04

This notice covers the cold outreach BigForgeOne sends to accredited 3PAOs, C3PAOs, prospective CSP customers, and partners. If you received an email or letter from us and want to know what we know about you, this page is the canonical answer.

What we collect

  • Public business-contact data — firm name, accreditation status, business email, business phone, public listings from FedRAMP Marketplace and Cyber-AB.
  • Open and reply tracking on the outreach email itself (first-party only — no third-party tracking pixels).
  • Click attribution on links we send you (tokenized, first-party domain).
  • Anything you reply to us in the email thread.
  • Identity-of-record when you choose to view a Tier 1 share (optional email opt-in; date and viewer-supplied email if provided).

What we don't collect

  • No data from data brokers.
  • No third-party advertising trackers, no Facebook pixel, no LinkedIn Insight tag.
  • No web-bug or remote image tracking outside our own first-party domain.
  • No personal financial information, no SSNs, no Controlled Unclassified Information.

Why we send outreach

FORCE is BD/marketing/channel infrastructure for the federal compliance market. Our outreach is targeted at firms whose public business posture indicates a credible interest in FedRAMP, CMMC, SOC 2, or ISO assessment work — either as assessor or as customer. We do not buy lists, scrape non-public sources, or send bulk untargeted email.

How to opt out

Every outreach email contains a one-click unsubscribe link that immediately marks your address as opted out. The mark is durable across campaigns. You can also email privacy@bigforgeone.com and we will action the request within one business day. Opting out of one address opts out the firm-of-record from future outreach unless a new individual at the firm affirmatively re-engages.

Where the data lives

FORCE CRM — the system that stores outreach metadata — runs in commercial AWS (us-east-1). It is intentionally separated from the GovCloud production environment that hosts customer compliance evidence. Outreach data is BD metadata, not regulated data, and the architectural separation ensures the two never co-mingle.

Activity log entries are SHA-256-hashed in a chain so that we can demonstrate, if asked, exactly when and how we contacted you. The same defensibility model FORCE uses for compliance evidence applies to our own outreach records.

Retention

Active records are retained for the life of the BD relationship. Opted-out records are retained as opt-outs (so we don't accidentally re-contact you) but no further outreach is sent. Both classes can be deleted on request.

Legal basis + jurisdiction

United States: CAN-SPAM compliant. Outreach is B2B and uses public business-contact information. EU/UK: legitimate interest under GDPR Article 6(1)(f) for B2B contact with public commercial profiles, with opt-out honored immediately. CCPA: BigForgeOne does not sell personal information. Right-to-delete requests: email privacy@bigforgeone.com.

Questions

For anything not covered here: privacy@bigforgeone.com. Our privacy policy for product users (separate from outreach) is at /privacy.