
SECURITY & TRUST

How Fortress protects customer data

Fortress Cyber is a security platform for MSPs and MSSPs — so the bar for how we handle your data is the same bar you hold the vendors in your Marketplace to. This page documents how we meet it: compliance posture, sub-processors, data handling, access controls, vulnerability disclosure, and incident response.

Last updated: May 2026

Frequently asked questions

Is Fortress Cyber SOC 2 compliant?

[TBD: SOC 2 status — replace with one of: "Fortress is SOC 2 Type II certified as of <date>." | "Fortress is currently in audit for SOC 2 Type II, targeting <quarter year>." | "SOC 2 certification is on our roadmap for <quarter year>; we follow SOC 2 control principles operationally in the meantime."]

Is Fortress Cyber ISO 27001 certified?

[TBD: ISO 27001 status — replace with current state. If not yet pursued, say so plainly: "Not yet pursued. We follow ISO/IEC 27001 control practices operationally."]

Is Fortress Cyber GDPR compliant?

Yes. Fortress Cyber processes customer data in accordance with the EU General Data Protection Regulation. We support data subject access requests, deletion requests, and breach notification within the required timeframes. EU customer data is hosted in EU regions where requested. Contact security@fortresscyber.io for the current Data Processing Agreement.

How does Fortress support NIS2 and DORA compliance for European MSPs?

Fortress' GRC module maps controls to NIS2 and DORA requirements, helping MSPs that are in scope demonstrate compliance to auditors. Fortress acts as a data processor for customer data and supports the contractual terms NIS2 and DORA require of critical ICT service providers.

Where is customer data stored?

[TBD: data residency — replace with the actual Neon Postgres region(s) you use, e.g.: "Customer data is stored in Neon Postgres in <AWS US East / EU West>. EU-residency is available on request for European customers."]

How is customer data encrypted?

Data is encrypted at rest by Neon (AES-256) and in transit via TLS 1.2+ across all endpoints. The fortresscyber.io domain enforces HTTPS exclusively and is fronted by Cloudflare with HSTS enabled.
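A defender evaluating a claim like "HTTPS only, HSTS enabled" normally confirms it from the response headers. The following is an added example (not Fortress code) that parses a Strict-Transport-Security value per RFC 6797 and reports the weaknesses that make an HSTS policy ineffective: missing header, malformed or zero max-age, max-age under a year, no includeSubDomains. The header sets are constructed samples, not captures from fortresscyber.io.

```python
"""Check HTTPS-enforcement headers the way a reviewer of a vendor's trust
page would. Added example, not Fortress code; sample responses are constructed."""
from __future__ import annotations

ONE_YEAR = 31_536_000  # seconds; the minimum max-age the HSTS preload list expects


def parse_hsts(value: str) -> dict:
    """Parse an HSTS header value into its directives (RFC 6797 syntax).
    Directive names are case-insensitive; max-age carries an integer."""
    directives: dict = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            try:
                directives["max-age"] = int(val)
            except ValueError:
                directives["max-age"] = None  # malformed; surfaced as a finding
        else:
            directives[name] = True
    return directives


def check_hsts(headers: dict) -> list:
    """Return a list of findings; an empty list means the policy looks sound."""
    findings: list = []
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["HSTS header missing: browsers will not be pinned to HTTPS"]
    d = parse_hsts(value)
    max_age = d.get("max-age")
    if max_age is None:
        findings.append("max-age missing or malformed; browsers ignore the header")
    elif max_age == 0:
        findings.append("max-age=0 clears the policy rather than enforcing it")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age {max_age} is under one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains are not covered")
    if "preload" in d and ("includesubdomains" not in d or (max_age or 0) < ONE_YEAR):
        findings.append("preload directive present but preload prerequisites are not met")
    return findings


# Constructed sample header sets (hypothetical, not captured from any live site)
SAMPLE_RESPONSES = {
    "strong": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    "short": {"Strict-Transport-Security": "max-age=300"},
    "absent": {"Content-Type": "text/html"},
}


def audit(samples=SAMPLE_RESPONSES) -> dict:
    """Run check_hsts over every sample and map its name to the findings."""
    return {name: check_hsts(h) for name, h in samples.items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "->", findings or ["ok"])
```

In practice the headers dict would come from an HTTPS client's response object; the checks themselves do not need network access, which keeps them usable in a CI gate that compares a vendor's stated posture with what its edge actually serves.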

What sub-processors does Fortress use?

Fortress relies on the following third parties to operate the Channel Enablement OS: Vercel (frontend and serverless API hosting), Neon (Postgres database), Cloudflare (DNS, WAF, edge protection), Mailtrap (transactional email), PostHog (product analytics), and Google (OAuth for customer sign-in where applicable). The current sub-processor list is available on request to security@fortresscyber.io; we provide 30-day notice before adding new sub-processors that process customer data.

Who can access customer data inside Fortress?

Access to customer data is restricted to Fortress employees with a documented operational need, granted under the principle of least privilege, and reviewed quarterly. All production access requires MFA, all access is logged, and audit logs are retained for [TBD: retention period — typically 12 months]. We do not sell, share, or use customer data for any purpose other than delivering the Fortress service.

Does Fortress support SSO and MFA?

[TBD: SSO/MFA status — replace with what you actually support today, e.g.: "Fortress requires MFA for all admin accounts and supports SAML SSO via <Okta / Azure AD / Google Workspace> on Business and Enterprise plans."]

How does Fortress respond to security incidents?

Fortress maintains a documented incident response process. Security incidents are detected via MerlinAI cross-tenant telemetry and our internal monitoring stack. Affected customers are notified within [TBD: SLA — typically 24-72 hours] of an incident being confirmed and classified, with details of the impact, mitigation, and remediation steps. Post-incident reports are shared with affected customers within 14 days.

How do I report a security vulnerability?

Email security@fortresscyber.io with details, reproduction steps, and impact. We acknowledge reports within 2 business days. Researchers acting in good faith are protected from legal action under our safe-harbor terms. See /.well-known/security.txt for the canonical contact and policy URLs.
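Before relying on the contact named in a /.well-known/security.txt file, a researcher or a customer's security team will usually validate it against RFC 9116. The following is an added example (not Fortress's file or code) that parses such a file and reports the problems that matter in practice: missing Contact or Expires, an Expires timestamp already in the past or more than a year out, non-https Contact or Canonical URIs, and lines that are neither fields nor comments. The sample documents are constructed and use example.com, not the live fortresscyber.io file; the reference time is fixed so the checks are deterministic.

```python
"""Validate a security.txt file (RFC 9116). Added example, not Fortress code;
the sample documents and the reference time below are constructed."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

REQUIRED = ("contact", "expires")
# The eight fields RFC 9116 defines; others are reported as unknown
KNOWN = {"acknowledgments", "canonical", "contact", "encryption",
         "expires", "hiring", "policy", "preferred-languages"}


def parse_security_txt(text: str) -> dict:
    """Map lower-cased field names to their values; comments and blank lines
    are skipped, lines without a colon are collected under '_malformed'."""
    fields: dict = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            fields.setdefault("_malformed", []).append(line)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate(text: str, now: datetime) -> list:
    """Return a list of findings; empty means the file passes these checks."""
    f = parse_security_txt(text)
    findings: list = []
    for line in f.pop("_malformed", []):
        findings.append(f"line is neither a field nor a comment: {line!r}")
    for req in REQUIRED:
        if req not in f:
            findings.append(f"required field {req.title()} is missing")
    if len(f.get("expires", [])) > 1:
        findings.append("Expires must appear exactly once")
    for raw in f.get("expires", [])[:1]:
        try:
            exp = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires is not an ISO 8601 timestamp: {raw!r}")
            continue
        if exp.tzinfo is None:  # treat a naive timestamp as UTC
            exp = exp.replace(tzinfo=timezone.utc)
        if exp <= now:
            findings.append(f"file expired on {exp.isoformat()}; contacts may be stale")
        elif exp > now + timedelta(days=365):
            findings.append("Expires is more than a year out; RFC 9116 recommends under a year")
    for c in f.get("contact", []):
        if not c.startswith(("mailto:", "https://", "tel:")):
            findings.append(f"Contact should be a mailto:, https:// or tel: URI: {c!r}")
    for c in f.get("canonical", []):
        if not c.startswith("https://"):
            findings.append(f"Canonical must be an https:// URI: {c!r}")
    for name in f:
        if name not in KNOWN:
            findings.append(f"unknown field {name!r} (ignored by RFC 9116 consumers)")
    return findings


# Constructed reference time and sample files (hypothetical, example.com only)
NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)

GOOD_SAMPLE = """# Constructed sample; not a live file
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2027-01-01T00:00:00Z
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/policy
Preferred-Languages: en
"""

BAD_SAMPLE = """Contact: http://example.com/report
Expires: 2025-01-01T00:00:00Z
Hello world
"""


def audit_samples(now: datetime = NOW) -> dict:
    """Validate both constructed samples against the reference time."""
    return {"good": validate(GOOD_SAMPLE, now), "bad": validate(BAD_SAMPLE, now)}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, "->", findings or ["ok"])
```

The Expires check is the one most often overlooked: an expired file is a signal that nobody is maintaining the disclosure channel, so a researcher may reasonably fall back to other contacts, and a vendor should alert on its own file approaching expiry.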

Does Fortress have a bug bounty program?

[TBD: bug bounty — replace with current state, e.g.: "Not yet. We accept private vulnerability reports via security@fortresscyber.io and acknowledge accepted reports on request." | "Yes — see <bug bounty URL> for scope and reward tiers."]

What is the data retention policy?

[TBD: retention — replace with actuals, e.g.: "Active tenant data is retained for the lifetime of the customer relationship. Upon termination, data is purged within 30 days unless legal hold applies. Audit logs are retained for 12 months. Backup snapshots are retained for 35 days."]

Can I get a Data Processing Agreement (DPA) for GDPR?

Yes. Our standard DPA is available on request to security@fortresscyber.io and is signed pre-contract for all EU customers and any customer processing EU resident data through the platform.

Security questions, vulnerability reports, or DPA requests

Email security@fortresscyber.io — we acknowledge within 2 business days. Researchers acting in good faith are protected under our safe-harbor terms.

Canonical vulnerability-disclosure policy: /.well-known/security.txt