Get in touch

Security & Data Protection

Built for regulated industries, from the ground up

Protection for your customers' data. Built in.

Certifications

GDPR Compliant · ISO 27001

White text 'GDPR' inside a dark blue circle.

GDPR Compliant

Fortify is fully compliant with the General Data Protection Regulation and UK GDPR. Our data architecture is designed to minimise the scope of personal data processing, reducing your compliance exposure from the outset.

White text ISO 27001' inside a dark blue circle.

ISO 27001

Our Information Security Management System is independently audited against ISO 27001, with annual surveillance reviews.

White text 'FCA & PRA' inside a dark blue circle.

FCA and PRA alignment

Fortify is built for regulated financial institutions. The platform supports the governance, auditability, and operational resilience standards expected by UK regulators.

Security practices

  • 01

    Security practices

    Security is a foundation, not a feature. Every component follows least-privilege principles and every change goes through peer review, automated static analysis, and a formal security review before release.

  • 02

    Penetration tested

    We commission independent third parties to conduct penetration testing and vulnerability assessments at least annually. Findings are remediated by severity. Test summaries are available on request.

  • 03

    Data encryption

    Data at rest is protected using AES–256 encryption. All data in transit is encrypted using TLS 1.2 or higher, without exception.

  • 04

    Network security

    All traffic is encrypted using secure, industry-standard protocols. Our network is continuously monitored for anomalous activity, and every alert is investigated and resolved.

  • 05

    API security

    Fortify API endpoints enforce authentication and authorisation where appropriate, so that each request is permitted only the actions the calling identity is entitled to. Rate limiting and request validation are applied across all endpoints.

  • 06

    Secure authentication

    Fortify supports SSO via Okta, Azure Active Directory, Google Workspace, and other major identity providers. Multi–factor authentication is supported and recommended for all users.

  • 07

    Application security

    We continuously monitor our codebase and dependencies for vulnerabilities, with automated scanning for known CVEs and a defined remediation process based on criticality.

  • 08

    Internal access controls

    Access to internal systems requires MFA and follows least–privilege principles. Permissions are reviewed regularly and revoked immediately on role change or departure. All staff complete mandatory security training.

Data, privacy & sub–processors

Your data stays in your environment

Where supported, Fortify runs directly inside your existing data warehouse – processing happens within your own perimeter without data needing to move to an external system.

Data residency

Fortify does not move or replicate customer data outside your agreed environment. Residency is determined by your own infrastructure configuration.

Privacy

Fortify acts as a data processor under UK and EU GDPR. We process personal data on your instructions only, for no secondary purpose, and never for model training or commercial use.

Sub–processors

We use a small number of sub–processors to operate the platform. Our current list is maintained and updated, with advance notice given of any material changes.

Responsible AI for regulated industries

AI you can defend – built for environments where decisions must be justified, reviewed, and audited.

Fortify is designed from the ground up for regulated workflows. Every output is backed by clear reasoning, linked evidence, and a complete audit trail – so your team can move faster without sacrificing rigour or accountability.

  • Explainability built in

    Every result includes the underlying logic, data sources, and query path. Analysts can inspect, validate, and reproduce outcomes at any time.

  • Human-led, AI assisted

    AI informs decisions; your team makes them. Judgement and accountability always stay with your analysts.

  • Full audit trail, by default

    Every model inference and AI-assisted action is automatically logged – who initiated it, when, how it was generated, and which data was used.

  • Evidence you can trace, end-to-end

    From initial signal to final outcome, every step is linked and reviewable – supporting internal governance and external regulatory scrutiny.

  • Your data stays yours

    Customer data is never used to train shared models or improve other customers' systems.

Questions about our security practices?

We're happy to support your vendor assessment process. Documentation available on request includes our DPA, ISO 27001 certificate, pen test summary, and AI model cards.

To report a vulnerability, contact security@wearefortify.ai. We acknowledge all reports within two working days.