How we secure your data
A security product has to be secure. This page covers the controls and practices behind Fortoxa — the same things we'd ask you to prove to us.
Last updated: 2026-04-19
Encryption in transit and at rest
All traffic uses TLS 1.2+ with modern cipher suites. Data at rest is encrypted with AES-256 at the storage layer. Secrets are never stored in source code or container images.
Least-privilege access
Human access to production is gated by SSO, MFA, short-lived credentials and audit logging. Engineers access customer data only on documented support tickets.
UK & EU data residency
Customer data is processed in UK/EU regions by default. See our subprocessors page for every third party that handles data and where.
Detection on our own stack
We use Fortoxa to monitor Fortoxa. Identity misuse, configuration drift, anomalous access and third-party compromise flow into the same detection pipeline you get as a customer.
Secure software development
Branch protection, mandatory review, dependency scanning, and automated static analysis gate every change. Production deploys are immutable, signed and reproducible.
Framework alignment
Our controls map to Cyber Essentials Plus, NCSC CAF, GDPR Article 32 and NIS2. The mapping is documented per framework on our compliance pages.
Found something?
Security researchers: please read our responsible disclosure policy before testing or reporting.
Customers with a security concern: contact [email protected] and we'll route it to the on-call engineer.