Built to keep your edge yours.
Forven is a local-first research tool. The design goal is simple: the things that make your research valuable — your strategies, your data, and your keys — should stay under your control.
Local by default
Strategies, market data, and gauntlet runs live on your own machine. They are not uploaded to Forven and are not required to leave your device for the core lab, daemon, and backtesting to work.
Your keys never leave your machine
Exchange API keys and LLM (model) API keys are bring-your-own. They are stored locally by the desktop app and used to talk directly to those providers from your machine. Forven does not transmit, proxy, or store your trading or model keys on our servers.
Accounts and device linking
Your account exists only to manage beta access and link devices. We use passwordless sign-in (magic link or Google), so there is no password for us to store or leak. Each linked device gets its own token that you can revoke at any time from your account page. Linking uses a short-lived 8-character code that expires minutes after it is generated.
Transport and hardening
The website and account service are served over HTTPS with HSTS, and we set standard hardening headers (no framing, no MIME sniffing, a strict referrer policy). Authentication cookies are the only cookies we set, and they are strictly necessary.
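One way to check a response against the four header claims above, as an added example that is not Forven's own code. The accepted header values and both sample responses are assumptions constructed for illustration, since the page does not list exact values.

```python
import re

# Assumption: the page names no exact header values, so these are the commonly
# used ones that match its wording ("no framing", "strict referrer policy").
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}

def audit_headers(headers):
    """Map each hardening claim to True/False for one response's headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # HSTS only counts with a positive max-age; max-age=0 switches it off.
    m = re.search(r"max-age\s*=\s*\"?(\d+)", h.get("strict-transport-security", ""), re.I)
    hsts = bool(m) and int(m.group(1)) > 0

    # Framing is blocked by X-Frame-Options or by CSP frame-ancestors.
    xfo = h.get("x-frame-options", "").upper() in {"DENY", "SAMEORIGIN"}
    fa = re.search(r"frame-ancestors\s+([^;]+)", h.get("content-security-policy", ""), re.I)
    tokens = set(fa.group(1).lower().split()) if fa else set()
    csp = bool(tokens) and tokens <= {"'none'", "'self'"}

    nosniff = h.get("x-content-type-options", "").lower() == "nosniff"

    # Referrer-Policy may list fallbacks; the last listed value is checked here.
    policies = [p.strip().lower() for p in h.get("referrer-policy", "").split(",") if p.strip()]
    referrer = bool(policies) and policies[-1] in STRICT_REFERRER

    return {"hsts": hsts, "no_framing": xfo or csp,
            "no_mime_sniffing": nosniff, "strict_referrer": referrer}

def missing_controls(headers):
    """Names of the claimed controls that this response does not satisfy."""
    return sorted(name for name, ok in audit_headers(headers).items() if not ok)

# Constructed sample responses (not captured from forven.app).
HARDENED = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Content-Type-Options": "nosniff",
            "Referrer-Policy": "no-referrer, strict-origin-when-cross-origin"}
WEAK = {"Strict-Transport-Security": "max-age=0",
        "X-Frame-Options": "ALLOW-FROM https://example.com",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "unsafe-url"}

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, missing_controls(sample) or "all four controls present")
```

To audit a live response, pass the header dictionary from any HTTP client in place of the constructed samples.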
The installer
During beta the Windows installer is not yet code-signed, so Windows may show a SmartScreen “unknown publisher” prompt. Always download Forven from forven.app/download or our official GitHub releases, and verify the release there before installing.
Reporting a vulnerability
Found a security issue? We want to hear about it. Email security@forven.app with details and steps to reproduce. Please give us a reasonable chance to fix it before public disclosure. We do not currently run a paid bounty during beta, but we credit reporters who want it.