Trust Center · vendor due diligence

Everything your CISO would ask for.

Live certifications, sub-processor list, data residency, public SLAs, security posture and responsible disclosure procedure. A single page to speed up due diligence for anyone evaluating Fortgale as a supplier.

4 · ISO certifications
EU only · Core data residency
30 min · IR response · 24/7
≤ 24h · Security response

01 Certifications and alignments

Four active ISO certifications, verified by a third-party certification body, alongside operational alignment with the main European regulatory frameworks.

ISO/IEC 27001

Information Security Management

Information security management system. Surveillance audit every 12 months over the three-year certification cycle.

Validity · 2024-2027 PDF →
ISO 9001

Quality Management

Quality management system. Reference for operational processes and governance.

Validity · 2024-2027 PDF →
ISO 14001

Environmental Management

Environmental management system. Measurement and reduction of the environmental impact of the services delivered.

Validity · 2024-2027 PDF →
ISO 45001

Occupational Health & Safety

Occupational health and safety management system. Protection of operational personnel.

Validity · 2024-2027 PDF →

Regulatory alignments

NIS2
EU Directive transposition

Posture aligned with the requirements for essential and important entities. Support for the national CSIRT notification process (24h early warning, 72h incident notification).

DORA
EU Reg. 2022/2554

Operationally aligned with the Digital Operational Resilience Act requirements for the European financial sector.

GDPR
EU Reg. 2016/679

Full alignment. Structured DPA (Art. 28) for every customer. DPIA on request.

ENISA · CSIRT
European guidelines

Aligned with the ENISA guidelines on the minimum cybersecurity baseline and with the national cyber perimeter.

02 Data residency

All operational data (SOC telemetry, customer logs, contact data) is kept in data centres located in the European Union, primarily in Italy, with the remainder in other EU member states. No critical data is replicated outside the EU. All personnel with access to the data are EU-based and operate from the Milan headquarters.

SOC telemetry / customer logs
🇮🇹 Italy
Backup & cold storage
🇪🇺 European Union
Email · collaboration suite
🇪🇺 European Union · EU Data Boundary
Public site · CDN
🇪🇺 European Union · EU edge
SOC operations
🇮🇹 Milan · European personnel
Applicable jurisdiction
🇮🇹 Italy · European law (GDPR)

Controlled exceptions: web font loading (the visitor's IP address reaches the font CDN; no other personal data is sent) and, only with explicit user consent, analytics and marketing pixels. Any extra-EU transfers take place exclusively under Standard Contractual Clauses (SCC 2021/914) and, where applicable, the EU-US Data Privacy Framework.

Specific vendor names are disclosed under NDA. The detailed list of infrastructure providers, regions used and DPAs is available in the sub-processor list below and, in signed form, on request from info@fortgale.com.

03 Sub-processor list

List of external data processors (GDPR Art. 28) used to deliver the services. Last updated 5 May 2026. Customers with an active DPA are notified at least 30 days before any substantial change.

| Provider | Purpose | Region | Contract |
|---|---|---|---|
| Microsoft Ireland Operations Ltd | Email, Teams, SharePoint, Bookings | EU (Ireland · NL) | Microsoft DPA · Online Services Terms |
| EU IaaS provider (under NDA) | Web hosting, staging and production environments | EU | DPA + SCC 2021/914 |
| Google Ireland Limited | Google Fonts (typography CDN) | EU + US | Google DPA + SCC + EU-US DPF |
| LinkedIn Ireland Unlimited | Insight Tag (consent only) | EU + US | LinkedIn DPA + SCC |
| Plausible Insights OÜ | Privacy-first analytics (no PII) | EU | Plausible DPA · EU-only |

04 Public SLA

The values shown are service objectives applicable to active retainer contracts and measured over the last 12 months. Customer-specific contractual SLAs are defined in the relevant Service Agreement.

30 min
IR response (incident in progress)
24/7/365 · on active retainers
1–4 h
Initial containment
Depending on scope and access provided
< 15 min
Detection time (MTTD)
Median on MDR customers (last 12m)
< 60 min
Response time (MTTR)
Median · critical alerts
≤ 24 h
CSIRT notification (NIS2)
Early warning · customer support
< 24 working hours
Sales / press response
Excluding weekends and holidays

05 Security posture

Technical and organisational measures adopted to protect the confidentiality, integrity, availability and resilience of systems (GDPR Art. 32 · ISO/IEC 27001 Annex A controls).

Encryption

TLS 1.3 in transit · AES-256 at rest · key management on Microsoft HSMs.

Access

Zero Trust · multi-factor authentication · just-in-time access · audited break-glass access.

Monitoring

Centralised logs · 24/7 SOC monitoring · retention of at least 12 months.

Backup

Redundant backups · periodic DR test.

Vulnerability mgmt

Continuous scanning · annual pentest · differentiated patching SLA (P1 < 48h).

Personnel

Standing NDA for all staff · security awareness training every six months.

06 Responsible disclosure

If you have found a vulnerability in our systems (website, infrastructure, product), please follow our coordinated disclosure procedure.

01

Contact us immediately

Email info@fortgale.com with a description, a technical proof of concept and your contact details. PGP encryption is available on request.

02

We respond within 48 hours

Acknowledgement of receipt, initial classification and an ETA for the fix. We triage every report, even if it falls outside our scope.

03

Coordinated disclosure

We agree on the disclosure window with you (typically 90 days after the fix). If you wish, we acknowledge you publicly in our hall of thanks.

Out of scope: unauthorised access attempts to third-party data, DDoS, social engineering of personnel, data destruction. We offer safe harbor to researchers acting in good faith.
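The three-step procedure above can also be published in machine-readable form at /.well-known/security.txt (RFC 9116), which is where scanners and researchers look first. The file below is an added example written for this page, not content from Fortgale's site: the Contact line reuses the address given above, while the Canonical URL, the Preferred-Languages values and the Expires date are assumptions to be adjusted before publishing.

```text
# Added example of an RFC 9116 security.txt for the disclosure procedure above.
# Contact: taken from this page. Canonical, Preferred-Languages, Expires: assumptions.
Contact: mailto:info@fortgale.com
Expires: 2027-05-05T00:00:00Z
Preferred-Languages: en, it, fr
Canonical: https://fortgale.com/.well-known/security.txt
# Policy: and Encryption: would point at a published disclosure policy and a PGP key;
# this page offers PGP on request only, so no URLs are given here.
# Acknowledgments: would point at the hall of thanks once it has a public URL.
```

RFC 9116 requires the Contact and Expires fields and recommends an Expires date less than a year out. The file is served over HTTPS with Content-Type text/plain, the Canonical URL (if set) must match the location it is served from, and a PGP cleartext signature with the key referenced in Encryption lets researchers verify that the contact details are genuine.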

07 Downloadable documents

Documentation available publicly or on request (some after NDA signature).

ISO/IEC 27001
ISMS Certificate 2024-2027
PDF · 198 KB
View →
ISO 9001
Quality Management Certificate 2024-2027
PDF · 203 KB
View →
ISO 14001
Environmental Certificate 2024-2027
PDF · 202 KB
View →
ISO 45001
H&S Certificate 2024-2027
PDF · 200 KB
View →
DPA template
Data Processing Agreement (GDPR Art. 28)
On request · NDA signature
Request →
Mutual NDA
Bilateral 24-month NDA template
On request
Request →
Security questionnaire
Pre-filled answers (CAIQ-style · 180 entries)
On request · NDA signature
Request →
Sub-processor list
Signed PDF version · last update May 2026
PDF · placeholder
Request →

08 Security contacts

For technical security questions, vendor onboarding and due diligence:

Security · vulnerability
info@fortgale.com

Responsible disclosure, vendor security questionnaires, SOC 2/CAIQ.

Privacy · DPO
privacy@fortgale.com

Exercise of GDPR rights, DPA, DPIA, sub-processor change requests.

Compliance · audit
info@fortgale.com

Customer audit requests, evidence, access to reports.

Need anything else?

Concrete answers for your due diligence.

Send us your security questionnaire: we complete it, return it and sign the NDA. No detours.

Response time: < 1 working day.

This site is protected by reCAPTCHA; the Google Privacy Policy and Terms of Service apply.