FortisOne GRC Data Security and Privacy Policy
Version 1.0 | Effective Date: November 2025
1. Definitions
Capitalized terms used herein have the meanings given below or, if not defined below, the meanings given in the applicable written contract between FortisOne and Client for the FortisOne Services.
Client – is the entity to which FortisOne is providing the FortisOne Services under a FortisOne Services Agreement or Statement of Work.
Components – are the application modules, platform features, infrastructure elements, or managed services of FortisOne GRC that FortisOne operates and manages.
Content – consists of all governance, risk, and compliance data, assessment responses, documentation, audit artifacts, and other information that Client or its authorized users provide, authorize access to, or input to FortisOne Services.
FortisOne GRC – is our cloud-based and on-premise deployable governance, risk, and compliance platform offering platform-as-a-service (PaaS) or software-as-a-service (SaaS) capabilities for compliance management, risk assessment, and regulatory reporting.
FortisOne Services – are (a) FortisOne GRC platform offerings delivered via cloud or on-premise deployment, (b) managed compliance services, assessment administration, and compliance automation services that FortisOne delivers and customizes for a Client, and (c) any other services, including implementation, consulting, maintenance, training, or support, that FortisOne provides to a Client.
Security Incident – is an unauthorized access, unauthorized use, or unauthorized modification of Content or FortisOne Services that compromises the confidentiality, integrity, or availability of such Content or Services.
Services Document – is a statement of work, service description, data processing agreement, ordering document, or service specification that details the specifics of FortisOne Services, including scope, compliance requirements, security commitments, service levels, and data handling obligations. There may be more than one Services Document applicable to an engagement.
2. Overview
The technical and organizational measures provided in this Privacy Policy apply to FortisOne Services only where FortisOne has expressly agreed to comply with this Policy in a written contract between FortisOne and Client.
2.1 Shared Responsibility Model
Client is responsible for determining whether FortisOne Services are suitable for Client's use case and compliance requirements, and for implementing and managing security and privacy measures for components, systems, applications, and data that FortisOne does not provide or manage. Client responsibilities include:
Security of Client's network infrastructure, endpoints, and systems that connect to FortisOne Services
Compliance assessment design, questionnaire creation, and risk classification frameworks
End-user access control, authentication mechanisms, and application-level security configuration for FortisOne Services
Management of third-party integrations and API connections to external systems
Backup and recovery of Client data outside of FortisOne-provided backup mechanisms
Validation that data processed within FortisOne Services complies with Client's contractual, regulatory, and internal governance requirements
FortisOne is responsible for:
Security of FortisOne Infrastructure Components supporting the delivery of FortisOne Services
Data encryption, access controls, and logical isolation of Client Content
Secure transmission and storage of Content
Incident response, investigation, and notification
Compliance with agreed-upon security standards, certifications, and applicable data protection regulations
2.2 Policy Updates
Client acknowledges that FortisOne may modify this Privacy Policy from time to time at FortisOne's sole discretion, and such modifications will replace prior versions as of the date that FortisOne publishes the modified version. The intent of any modification will be to:
Improve or clarify existing commitments and capabilities
Address evolving cybersecurity threats and data protection requirements
Maintain alignment with current adopted security standards and applicable laws
Provide additional features, functionality, or compliance capabilities
Modifications will not degrade the security or data protection features or functionality of FortisOne Services. Material changes will be communicated to Client with reasonable notice.
2.3 Policy Hierarchy
In the event of any conflict between this Privacy Policy and a Services Document, the Services Document will prevail. Specific commitments documented in a Data Processing Agreement or written contract will supersede general provisions herein.
3. Data Protection and Classification
3.1 Data Confidentiality
FortisOne will treat all Content as confidential and will not disclose Content except to:
FortisOne employees and authorized contractors
Subprocessors and technology partners, only to the extent necessary to deliver the FortisOne Services
Law enforcement or regulatory authorities, only when legally required and with appropriate legal review
Disclosure of Content will be limited to the minimum extent necessary to deliver the FortisOne Services and will be subject to written confidentiality obligations.
3.2 Security and Privacy by Design
Security and privacy measures for FortisOne Services are implemented in accordance with industry-recognized security and privacy by design practices to:
Protect Content processed by FortisOne Services
Maintain the confidentiality, integrity, and availability of such Content
Comply with the technical and organizational requirements specified in the written contract between FortisOne and Client
3.3 Data Classification and Handling
FortisOne recognizes that Client Content may include sensitive information such as:
Regulatory compliance assessments and audit findings
Risk register data and threat assessment information
Control effectiveness ratings and remediation plans
Sensitive organizational policies and governance artifacts
FortisOne will implement enhanced protections for Content marked as sensitive or classified by Client, including encrypted storage, restricted access, and audit logging of all access events.
3.4 Service-Specific Documentation
Additional security and privacy information specific to FortisOne Services may be provided in relevant Services Documents, security datasheets, compliance certificates, or documentation available at Client request. Such information may include:
Evidence of stated certifications and accreditations (ISO 27001, SOC 2, GDPR adequacy, etc.)
Data residency and geographic hosting information
Subprocessor and third-party vendor lists
Technical architecture diagrams and data flow documentation
Encryption and key management specifications
4. Security Governance and Policies
4.1 Security Policy Framework
FortisOne will maintain and follow documented information security policies and practices that are integral to FortisOne's operations and mandatory for all employees with access to Client Content or FortisOne Infrastructure Components. FortisOne's Chief Information Security Officer (CISO) will maintain executive responsibility and oversight for such policies, including:
Formal policy governance and version management
Security requirement updates and amendment procedures
Employee security education and training programs
Compliance monitoring and enforcement
4.2 Annual Policy Review
FortisOne will review its information security policies at least annually and amend such policies as deemed necessary to maintain protection of FortisOne Services, Components, and Client Content in response to:
Emerging threats and vulnerabilities in the compliance and cybersecurity landscape
Regulatory changes and new data protection requirements
Technology evolution and infrastructure updates
Audit findings and compliance assessments
4.3 Personnel Security and Background Verification
FortisOne will maintain and follow standard, mandatory employment verification and background screening requirements for all new hires, contractors, and subprocessors who may access Client Content or FortisOne Infrastructure. Such requirements include, but are not limited to:
Criminal background checks and history verification
Identity validation and credential verification
Employment history and reference checks
Additional screening as deemed necessary by FortisOne's Human Resources and Security teams
Background screening requirements will be reviewed at least annually and adjusted to align with evolving risk profiles.
4.4 Employee Security Training and Awareness
All FortisOne personnel with access to Client Content or FortisOne Components will:
Complete FortisOne's security and privacy training at hire and annually thereafter
Complete data protection and regulatory compliance training relevant to their role
Certify annually their understanding of and commitment to compliance with FortisOne's confidentiality, security, and ethical business conduct policies
Receive additional role-specific security training appropriate to their level of system access and responsibilities
Personnel granted privileged or administrative access to Components, infrastructure, or Client environments will receive enhanced training covering:
Access control principles and role-based security policies
Data handling and confidentiality obligations
Incident reporting and response procedures
Logging, monitoring, and audit procedures
5. Compliance and Certifications
5.1 Independent Certification and Audits
FortisOne GRC platform components will be subject to third-party security and compliance assessments and certifications, including:
Annual ISO 27001 certification for information security management systems
Annual SOC 2 Type II audit and certification for cloud services security and availability
Annual GDPR and data protection regulatory assessments
Industry-specific compliance certifications as specified in relevant Services Documents
5.2 Service-Specific Compliance
FortisOne will maintain compliance and accreditation for FortisOne Services as defined in the applicable Services Document, including support for specific regulatory frameworks such as:
ISO 27001, ISO 27002 (Information Security Standards)
UAE Data Protection Regulation, NESA Cybersecurity Requirements
UK Data Protection Act 2018 (GDPR Compliance)
GDPR and international data protection standards
SOX and financial services compliance frameworks
Industry-specific standards relevant to Client's sector
5.3 Audit Evidence and Transparency
Upon Client request, FortisOne will provide evidence of compliance and certification, including:
Current certificates of certification and accreditation
Audit attestations and security assessment reports
SOC 2 reports (available under NDA and appropriate access controls)
Compliance matrices mapping FortisOne capabilities to applicable frameworks
Subprocessor compliance documentation and certifications
Third-party audits will be conducted annually or at the frequency required by the relevant standard, by accredited independent audit firms.
5.4 Subprocessor Accountability
FortisOne is responsible for security and data protection measures, including data security and privacy requirements, even when FortisOne uses contractors, subprocessors, or third-party technology vendors in the delivery or support of FortisOne Services. FortisOne will:
Enter written Data Processing Agreements with all subprocessors
Verify subprocessor compliance with applicable data protection standards
Maintain accountability and oversight of subprocessor security practices
Notify Client of material changes to subprocessors or their security practices
6. Incident Response and Breach Management
6.1 Incident Response Framework
FortisOne will maintain and follow documented security incident response policies consistent with:
National Institute of Standards and Technology (NIST) Cybersecurity Framework
NIST SP 800-61 Computer Security Incident Handling Guide
Industry best practices for incident response and remediation
Applicable legal requirements for data breach notification
6.2 Security Incident Investigation
Upon discovery of a suspected Security Incident affecting Client Content or FortisOne Services, FortisOne will:
Immediately initiate an investigation within the scope of FortisOne Services
Define and execute an appropriate incident response and remediation plan
Preserve forensic evidence and log data for analysis
Document all investigation findings and remediation activities
Communicate progress to Client at agreed-upon intervals
6.3 Incident Notification
Client may report suspected vulnerabilities or security incidents to FortisOne through:
The incident reporting process specific to the FortisOne Service (as detailed in the Services Document or platform user interface)
FortisOne's technical support portal or ticketing system
Direct communication with FortisOne's Security team
FortisOne will notify Client without undue delay upon confirmation of a Security Incident that is known or reasonably suspected by FortisOne to affect Client. FortisOne will provide Client with:
A description of the Security Incident, including the nature and scope of unauthorized access or use
Details of Client Content or Services potentially affected
Timeline of discovery and investigation
Remediation steps undertaken and anticipated completion
Recommendations for Client mitigating actions
Such notification will be in accordance with applicable data breach notification laws and the terms of the written contract between FortisOne and Client.
7. Physical Security and Facility Access Control
7.1 Physical Perimeter Security
FortisOne will maintain appropriate physical entry controls to protect FortisOne-managed infrastructure facilities (data centers, server rooms, and operational facilities) against unauthorized physical access. Controls include:
Perimeter barriers, fencing, and access control gates
Card-controlled access points and keypad entry systems
Surveillance cameras and closed-circuit television (CCTV) monitoring
Manned reception desks and visitor verification procedures
Auxiliary entry points, including delivery areas, loading docks, and service entrances, will be controlled and physically isolated from computing resources and production infrastructure.
7.2 Access Control and Logging
Access to FortisOne-managed facilities and controlled areas within those facilities will be:
Limited by job role, organizational function, and the principle of least privilege
Subject to documented authorization and approval procedures
Logged and recorded with audit trails maintained for not less than one year
Reviewed periodically and updated to reflect personnel changes
Upon separation of an authorized employee or termination of a contractor, FortisOne will follow formal documented separation procedures including:
Immediate removal from access control lists and systems
Surrender of physical access badges, keycards, and credentials
Revocation of electronic access permissions
Verification that all physical access has been terminated
7.3 Visitor and Temporary Access
Any person granted temporary permission to enter FortisOne facilities or controlled areas will:
Register upon arrival and provide valid photo identification
Receive a visitor badge or temporary access credentials
Be escorted by authorized FortisOne personnel at all times
Have their access logged and restricted to the minimum necessary areas
Temporary access, including deliveries, maintenance work, and vendor services, will be:
Scheduled in advance and documented in an access request
Approved by authorized FortisOne personnel before entry
Supervised and monitored during the visit
Revoked immediately upon task completion
7.4 Environmental Protection
FortisOne will maintain environmental controls and protections at managed data centers to safeguard physical infrastructure against:
Extreme ambient temperature conditions and climate deviations
Fire, smoke, and explosion risks
Flooding, water damage, and moisture infiltration
Humidity and static electricity risks
Theft, unauthorized removal, and physical tampering
Vandalism and deliberate physical damage
Environmental controls include fire suppression systems, temperature and humidity monitoring, backup power systems, and security monitoring.
8. Logical Access, Encryption, and Data Transfer Control
8.1 Security Architecture and Network Segmentation
FortisOne will maintain and document a security architecture for all Components supporting the delivery of FortisOne Services. The security architecture will include:
Detailed system and network design documentation
Measures designed to prevent unauthorized network connections to systems, applications, and network devices
Network segmentation and isolation between production and non-production environments
Defense-in-depth principles with multiple layers of security controls
Secure configuration baselines and hardening standards
Prior to implementation, FortisOne will separately review the security architecture for compliance with secure segmentation, isolation, and defense-in-depth standards.
8.2 Wireless Network Security
FortisOne may use wireless networking technology in maintenance and support of FortisOne Services and associated Components. Such wireless networks, if used, will:
Use industry-standard encryption protocols (e.g., WPA3 or equivalent)
Require secure authentication mechanisms and strong credentials
Not provide direct access to production FortisOne GRC networks or Client Content
Be segregated from production infrastructure by network firewalls and access controls
FortisOne production environments and cloud-based data centers will not use wireless networking technology to access Client Content or production systems.
8.3 Logical Data Separation and Isolation
FortisOne will maintain technical and logical measures designed to:
Isolate Client Content and prevent it from being exposed to or accessed by other clients or unauthorized persons
Maintain appropriate isolation between production environments (hosting live Client data) and non-production environments (used for testing, development, and error reproduction)
Implement encryption and access controls to enforce multi-tenancy security boundaries
When Client Content is transferred to a non-production environment at Client's request (e.g., to reproduce an error or for testing), security and privacy protections in the non-production environment will be equivalent to those in production, including:
Equivalent encryption and access controls
Equivalent audit logging and monitoring
Restricted access to authorized personnel only
Automated cleanup and data purging upon completion
8.4 Data Encryption in Transit
FortisOne will encrypt Client Content not intended for public or unauthenticated viewing when transferring such Content over public networks. FortisOne will enable and support use of industry-standard cryptographic protocols for secure data transfer, including:
HTTPS/TLS for web-based access (with TLS 1.2 or higher)
SFTP (SSH File Transfer Protocol) for file transfers
FTPS (FTP over SSL/TLS) for legacy file transfer requirements
Industry-standard VPN protocols for network-level encryption
Client may request and will be provided with the ability to use secure transfer mechanisms for uploading and downloading Content to and from FortisOne Services.
8.5 Data Encryption at Rest
FortisOne will encrypt Client Content at rest in accordance with specifications detailed in the applicable Services Document. If FortisOne provides management of cryptographic keys and encryption infrastructure, FortisOne will maintain documented procedures for:
Secure key generation and initialization
Key issuance and distribution to authorized systems and personnel
Key storage and hardware security module (HSM) management
Key rotation at defined intervals
Key revocation and deactivation procedures
Key recovery, escrow, and backup procedures
Secure key destruction and decommissioning
Access control and audit logging of key management operations
Compliance with NIST SP 800-57 and industry standards for key management
8.6 Privileged Access Management
If FortisOne requires access to Client Content or underlying Components to provide FortisOne Services, such access will be:
Restricted to the minimum level required for service delivery and support
Individual and role-based, with unique identification for each user
Subject to prior written authorization and periodic validation by authorized FortisOne personnel
Implemented in accordance with the principle of segregation of duties
Limited to appropriately trained and vetted personnel
FortisOne will:
Maintain centralized systems to identify and manage all users and accounts with privileged access
Regularly review and remove redundant, inactive, and dormant accounts with elevated privileges
Promptly revoke privileged access upon employee separation or upon request by authorized managers
Document all privileged access assignments and changes
Audit usage of all privileged accounts
8.7 Authentication and Session Management
FortisOne will implement technical measures to enforce:
Strong password and passphrase authentication requirements (minimum complexity, length, and history)
Multi-factor authentication for any users with administrative or privileged access
Automatic timeout of inactive user sessions after defined periods of inactivity
Account lockout after multiple sequential failed login attempts
Regular password change requirements and expiration policies
Secure transfer and hashed storage of passwords using industry-standard algorithms
8.8 Monitoring of Privileged Access
FortisOne will maintain security information and event management (SIEM) capabilities and comprehensive logging designed to:
Identify unauthorized access attempts and anomalous user activity
Detect and alert on suspicious or unauthorized activities
Facilitate timely and appropriate incident response
Enable internal and independent third-party audits of compliance with documented policies
Support forensic investigation of security incidents
8.9 Log Retention and Protection
Logs recording privileged access and activity will be retained in compliance with FortisOne's records management policies and applicable legal retention requirements (minimum one year). FortisOne will maintain technical measures designed to protect logs against:
Unauthorized access or viewing
Modification or tampering
Accidental deletion or loss
Deliberate destruction
9. Service Integrity, Availability, and Continuity
9.1 Security Risk Assessments and Testing
FortisOne will:
Perform comprehensive security and privacy risk assessments of FortisOne Services at least annually
Perform security testing and vulnerability assessments of FortisOne Services prior to production release and at least annually thereafter
Engage qualified independent third-party security firms to perform penetration testing of FortisOne Services at least annually
Perform automated vulnerability scanning of underlying Components, infrastructure, and applications against industry security configuration best practices and benchmarks
Remediate identified vulnerabilities based on associated risk level, exploitability, and potential business impact
Take reasonable steps to avoid disruption to production FortisOne Services and Client operations when performing security testing, assessments, and remediation activities
9.2 Security Patch and Update Management
FortisOne will:
Maintain documented procedures to assess, test, and apply security advisory patches and critical updates
Apply security patches to FortisOne Services, underlying infrastructure, applications, and Components within the defined support scope
Upon determining that a security advisory patch is applicable and necessary, implement the patch according to documented severity and risk assessment guidelines
Prioritize patch implementation based on Common Vulnerability Scoring System (CVSS) ratings and assessed business impact
Implement patches subject to FortisOne's change management policy to minimize service disruption
9.3 Change Management
FortisOne will maintain formal policies and procedures designed to manage risks associated with changes to FortisOne Services, infrastructure, and Components. Prior to implementation, all changes will be:
Documented in a registered change request including:
    Detailed description of the change and business justification
    Technical implementation details and schedule
    Risk assessment addressing potential impacts to FortisOne Services and Client operations
    Expected outcomes and success criteria
    Rollback and recovery procedures
Documented approval by authorized FortisOne personnel and stakeholders
Changes will be tested in non-production environments before production deployment, and deployment windows will be communicated to Clients where applicable.
9.4 Asset Management and Infrastructure Monitoring
FortisOne will:
Maintain a comprehensive inventory of all information technology assets used in the operation and delivery of FortisOne Services, including hardware, software, networks, and applications
Continuously monitor and manage the health, performance, capacity utilization, and availability of FortisOne Services and underlying Components
Implement proactive alerting and automated remediation for infrastructure anomalies, capacity thresholds, and service degradation
Document and track lifecycle management of IT assets from acquisition through disposal and decommissioning
9.5 Business Continuity and Disaster Recovery
Each FortisOne Service will be separately assessed for business continuity and disaster recovery requirements through appropriate business impact analysis (BIA) and risk assessments. Such assessments will:
Identify critical business functions and data supporting each FortisOne Service
Evaluate potential impact and duration of service outages
Prioritize recovery objectives based on business importance
Establish recovery point objectives (RPO) and recovery time objectives (RTO)
Each FortisOne Service will have, to the extent warranted by such risk assessments:
Separately defined, documented, and maintained business continuity and disaster recovery plans
Annually validated plans with documented testing and revision procedures
Defined backup and redundancy mechanisms across geographically diverse facilities
Automated failover capabilities where feasible
Documented procedures for activation and communication during incident response
Recovery point and time objectives for each FortisOne Service will be established with consideration given to:
Service architecture and infrastructure design
Intended use cases and criticality to Client business operations
Applicable regulatory and contractual requirements
Cost-benefit analysis of recovery capabilities
9.6 Data Backup and Secure Disposal
FortisOne will:
Maintain automated backup procedures for all Client Content at defined frequencies (minimum daily)
Store backup copies in geographically diverse locations to protect against regional outages or disasters
Encrypt all backup files and physical media at rest using industry-standard encryption
Encrypt physical media intended for off-site transport and storage
Securely test backup restoration procedures at least annually to verify data integrity and recovery capabilities
Securely sanitize or destroy physical media no longer in use in accordance with NIST guidelines for media sanitization, including:
    Physical destruction (shredding, incineration, disintegration)
    Cryptographic erasure and degaussing
    Documentation of destruction and certification
Upon Client request or contract termination, FortisOne will securely delete or return all Client Content within a defined timeframe in accordance with Data Protection regulations.
10. Third-Party Management and Subprocessors
10.1 Subprocessor Vetting and Oversight
FortisOne works with carefully selected technology partners, hosting providers, and subprocessors to deliver FortisOne Services. Prior to engagement, all subprocessors will be:
Assessed for security, compliance, and data protection maturity
Required to enter written Data Processing Agreements incorporating applicable data security and privacy obligations
Verified to maintain appropriate security certifications and accreditations
Subject to contractual requirements that they maintain confidentiality of Client Content
10.2 Subprocessor List and Changes
FortisOne maintains a current list of subprocessors used in the delivery of FortisOne Services, available at Client request. Client will be notified of:
Addition of new subprocessors with reasonable advance notice
Removal or replacement of existing subprocessors
Material changes to a subprocessor's security or compliance practices
11. Client Rights and Obligations
11.1 Data Subject Rights
Where Client Content includes personal data subject to data protection regulations (GDPR, UK Data Protection Act, UAE NESA, etc.), FortisOne will:
Support Client's ability to fulfill data subject access requests and other regulatory obligations
Cooperate with Client and regulatory authorities in data protection impact assessments (DPIAs) and compliance verifications
Provide data portability assistance to enable Client to retrieve and transfer Client Content upon request or termination
11.2 Audit and Compliance Rights
Client may request:
Evidence of FortisOne's compliance with this Privacy Policy and applicable security standards
Access to audit reports, compliance certificates, and third-party assessment results
On-site or remote security audits of FortisOne infrastructure and processes
Responses to security and compliance questionnaires
Detailed audit procedures and limitations on inspection access will be specified in the Services Document.
11.3 Limitation of Liability
Notwithstanding anything herein, neither party will be liable for any indirect, consequential, special, incidental, or punitive damages, including lost profits or revenue. Each party's total liability will be limited to the fees paid by Client for the applicable FortisOne Services in the twelve months preceding the claim, except in cases of gross negligence, willful misconduct, or violations of data protection law.
12. Term, Termination, and Transition
12.1 Policy Effective Period
This Privacy Policy is effective from the Effective Date listed above and continues until superseded by an updated version. Client agreements executed after policy updates will be governed by the updated policy terms.
12.2 Termination and Data Return
Upon termination or expiration of the Services Agreement:
FortisOne will, at Client's option and expense, securely transfer, export, or return all Client Content to Client
FortisOne will securely delete or destroy all copies of Client Content remaining in FortisOne systems within a defined timeframe (typically 30-90 days unless otherwise specified)
FortisOne will provide written certification of data deletion upon completion
12.3 Survival
Client's obligations regarding confidentiality and non-use of FortisOne intellectual property, and FortisOne's representations regarding security and compliance will survive termination of the Services Agreement.
13. General Provisions
13.1 Regulatory Compliance
FortisOne will comply with all applicable laws and regulations regarding data protection, cybersecurity, privacy, and security incident notification in jurisdictions where FortisOne Services are delivered.
13.2 Entire Agreement
This Privacy Policy, together with the applicable Services Document and Services Agreement, constitutes the entire agreement between FortisOne and Client regarding data security and privacy for FortisOne Services.
13.3 Amendment
FortisOne may amend this Privacy Policy at any time with written notice to Client. Material changes will be provided with at least 30 days' advance notice. Client's continued use of FortisOne Services after notice constitutes acceptance of the updated terms.
13.4 Contact Information
For privacy-related inquiries, data subject requests, or security concerns, Client should contact:
FortisOne GRC Security and Privacy Team
Email: legal@fortisone.eu | legal@cyberfortis.co.uk
Document Version: 1.0
Last Updated: November 2025
Next Review Date: November 2026
This Privacy Policy is confidential and proprietary to FortisOne and is provided to Clients under the applicable Services Agreement. Unauthorized reproduction, distribution, or use is prohibited.
