01 Certifications and alignments
Four active ISO certifications, audited by an independent third-party certification body, plus operational alignment with the main European regulatory frameworks.
Information Security Management
Information security management system (ISO/IEC 27001). Annual surveillance audit by the certification body.
Quality Management
Quality management system. Reference framework for operational processes and governance.
Environmental Management
Environmental management system. Measurement and reduction of the environmental impact of the services delivered.
Occupational Health & Safety
Occupational health and safety management system. Protection of operational personnel.
Regulatory alignments
NIS2: posture aligned with the requirements for essential and important entities. Support for the national CSIRT notification process (24-hour early warning, 72-hour incident notification).
DORA: operational on the Digital Operational Resilience Act requirements for the European financial sector.
GDPR: full alignment. Structured data processing agreement (Art. 28) with every customer; DPIA on request.
Aligned with the ENISA guidelines on a minimum cybersecurity baseline and with the national cybersecurity perimeter.
02 Data residency
All operational data (SOC telemetry, customer logs, contact data) is stored in data centres located in the European Union, primarily in Italy and in other EU member states. No critical data is replicated outside the EU. All personnel with access to the data are EU-based and operate from the Milan headquarters.
Controlled exceptions: web font loading (the font request carries the visitor's IP address but no other personal data) and, only with explicit user consent, analytics and marketing pixels. Any transfer outside the EU takes place exclusively under the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, where applicable, the EU-US Data Privacy Framework.
Specific vendors are covered by NDA. The detailed list of infrastructure providers, regions used and DPAs is available in the sub-processor list below and, in signed form, on request from info@fortgale.com.
03 Sub-processor list
List of external data processors (GDPR Art. 28) used to deliver the services. Last updated 5 May 2026. Customers with an active DPA are notified at least 30 days before any substantial change.
| Provider | Purpose | Region | Contractual basis |
|---|---|---|---|
| Microsoft Ireland Operations Ltd | Email, Teams, SharePoint, Bookings | EU (Ireland · NL) | Microsoft DPA · Online Services Terms |
| EU IaaS provider (under NDA) | Web hosting, staging and production environments | EU | DPA + SCC 2021/914 |
| Google Ireland Limited | Google Fonts (typography CDN) | EU + US | Google DPA + SCC + EU-US DPF |
| LinkedIn Ireland Unlimited | Insight Tag (consent only) | EU + US | LinkedIn DPA + SCC |
| Plausible Insights OÜ | Privacy-first analytics (no PII) | EU | Plausible DPA EU-only |
04 Public SLA
The values shown are service objectives that apply to active retainer contracts, measured over the last 12 months. Customer-specific contractual SLAs are defined in the relevant Service Agreement.
05 Security posture
Technical and organisational measures adopted to protect the confidentiality, integrity, availability and resilience of systems (GDPR Art. 32; ISO/IEC 27001 Annex A controls).
Encryption
TLS 1.3 in transit · AES-256 at rest · keys held in Microsoft HSM-backed key management.
Access
Zero Trust model · multi-factor authentication · just-in-time privileged access · audited break-glass accounts.
Monitoring
Centralised logging · 24/7 SOC monitoring · log retention of at least 12 months.
Backup
Redundant backups · periodic disaster-recovery tests.
Vulnerability mgmt
Continuous vulnerability scanning · annual penetration test · severity-based patching SLA (P1 within 48 h).
Personnel
Standing NDA for all staff · cybersecurity training every six months.
06 Responsible disclosure
If you have found a vulnerability in our systems (website, infrastructure, product), please follow our coordinated disclosure procedure.
Contact us immediately
Email info@fortgale.com with a description, a technical proof of concept and your contact details. A PGP key for encrypted reports is available on request.
We respond within 48 hours
Acknowledgement of receipt, initial severity classification and an ETA for the fix. We triage every report, including those that fall outside our perimeter.
Coordinated disclosure
We agree the disclosure window with you (typically 90 days after the fix). If you wish, we acknowledge you publicly in our hall of thanks.
Out of bounds: attempts to access third-party data, denial-of-service attacks, social engineering of our personnel, and destruction of data. Researchers who act in good faith within these rules are covered by our safe-harbour commitment.
07 Downloadable documents
Documentation is available publicly or on request (some documents only after signing an NDA).
08 Security contacts
For technical security questions, vendor onboarding and due diligence:
Responsible disclosure, vendor security questionnaires, SOC 2 / CAIQ.
Exercise of GDPR data-subject rights, DPA, DPIA, sub-processor change requests.