Trust Center
Trust is the foundation of public safety
Agencies trust ForceMetrics with some of the most sensitive data they hold. We take that responsibility seriously, and we believe you deserve to see exactly how we protect it.
Why this page exists
ForceMetrics was founded by law enforcement and cybersecurity professionals who spent their careers handling sensitive information. We know what's at stake when public safety data is mishandled, both for officers and departments and for the communities they serve.
This page is our standing commitment to transparency. Whether you're an agency evaluating us, a partner already using Velocity™, or a community member curious about how technology touches public safety, you'll find honest answers here.
“Our customers protect their communities. Our job is to protect them: their data, their workflows, and their trust. Anything less isn't good enough.”
Certification and compliance
Independent audits and recognized standards are the floor, not the ceiling. We pursue certifications that matter to the agencies we serve, and we're transparent about what each one means.
SOC 2 Certified
Independently audited against the AICPA's Trust Services Criteria for security.
CJIS Compliant
Our infrastructure, personnel, and processes meet the FBI's Criminal Justice Information Services Security Policy requirements for handling criminal justice information.
Continuous Auditing
We don't treat compliance as an annual event. Security controls are monitored continuously, and we undergo an independent external audit annually.
How we think about security
Public safety data isn't ordinary corporate data. A leak, a misuse, or an outage doesn't just create a business problem. It can affect investigations, officer safety, and the communities our customers serve. That weight informs every decision we make.
Defense in depth
No single control protects sensitive data. We layer encryption, network isolation, identity controls, and continuous monitoring so that a failure in one layer doesn't become a breach.
Least privilege by default
Access to customer data is restricted to the smallest possible set of personnel, granted only when needed, logged when used, and revoked when no longer required.
Encrypted everywhere
All data is encrypted in transit and at rest using FIPS-validated cryptographic modules. Customer data is logically separated, and encryption keys are managed through strict access controls and automated rotation.
Built for resilience
Redundant infrastructure, automated backups, and tested recovery procedures keep Velocity™ available when first responders need it most, including during incidents.
People, vetted and trained
Every employee with access to systems undergoes background checks, signs strict confidentiality agreements, and completes recurring security and privacy training.
Tested by external professionals
Penetration testing is performed on a regular schedule using qualified internal and independent external testers. Findings are tracked, fixed, and verified and we share summaries with customers under NDA.
Auditing and Oversight
Trust without verification is just hope. Our auditing approach is designed to give agencies, oversight bodies, and our own team confidence that policies aren't just written. They're followed.
What gets audited
- Access logs: access to and modifications of customer data are logged, retained, and reviewable
- System changes: code, infrastructure, and configuration changes are version-controlled and require peer review.
- Security controls: tested continuously by automated tools and periodically by independent auditors.
- Vendor relationships: every subprocessor is reviewed before onboarding and re-reviewed annually.
Customer audit rights
Agency customers can request our most recent SOC 2 report, penetration test summary, and CJIS compliance documentation under NDA. Larger customers can include audit rights in their contracts. We don't hide behind legal language. If your procurement team needs to verify something, we'll work with them.
How we communicate with our customers
The agencies we serve don't have time for vague update emails or buried disclosures. We aim to communicate the way we'd want a vendor to communicate with us.
When something goes wrong
If we experience a security incident that affects customer data, we notify affected customers directly and promptly and in accordance with contractual and regulatory requirements. We share what we know, what we don't yet know, what we're doing, and when to expect the next update.
Planned changes
Material changes to our security posture, subprocessors, data handling, or terms are communicated to customer points of contact in advance, not buried in a footer link.
Routine updates
Customers receive regular product and security updates through their dedicated success contact, our customer portal, and quarterly business reviews for enterprise accounts. Status and uptime are continuously available.
Questions, concerns, and feedback
Every customer has a named point of contact. If you ever feel that something we're doing, or not doing, deserves a closer look, you can reach us directly using the channels below. We'd rather hear it from you than read about it later.
Data handling & ownership
To be clear: your data is yours. Agencies retain full ownership of all data they bring to ForceMetrics. We process it on your behalf to make Velocity™ work, and nothing more.
- We do not sell customer data. Ever.
- We do not use customer data for any purpose beyond delivering and supporting the services described in our contract. Any expanded use requires explicit, written customer authorization.
- Customers control retention and deletion. When you leave, your data leaves with you.
- We respond to law enforcement requests for customer data only as legally required, and we notify affected customers whenever we are permitted to do so.
Responsible Disclosure
Security researchers who identify vulnerabilities in our products help us protect our customers. We welcome that work and commit to responding promptly, treating researchers respectfully, and not pursuing legal action against good-faith research conducted under our disclosure policy.
To report a suspected vulnerability, review our Responsible Security Disclosure Policy and contact us with details through our contact form. We aim to acknowledge reports within two business days.
Talk to us about security
Procurement questions, audit requests, or just want to understand how we'd handle your agency's data? We're listening.