Trust & Security

Geostrategic Security and Privacy Practices

This page is not a trust badge. Fortius Intel handles data for organisations using its geopolitical risk intelligence platform, and every practice described below is checkable, not asserted. The platform is built around the principles of GDPR, India's DPDPA, the NIST AI Risk Management Framework, and the OWASP Top 10 for LLM applications, voluntarily, ahead of any customer mandate to do so. None of that replaces the legal terms in our privacy policy and terms of service; it is the explanation of what those documents describe in practice.

Data handling for geostrategic risk intelligence

Fortius stores three categories of data: account information (email, authentication state, tier), company context submitted to generate risk outputs (sector, geography, operational footprint), and platform usage records needed for reliability and support. All of it is held in our Supabase-hosted Postgres database and object storage; none of it is sold to third parties.

Retention is governed by business need, active contractual obligations, and applicable legal requirements. When an account is closed, associated data is deleted or anonymised, subject to any retention period required by law or an active contractual record.

Fortius is building its security program toward formal third-party certification, not relying on internal policy alone: ISO/IEC 27001:2022 and SOC 2 Type II for information security management, ISO/IEC 27701:2025 for privacy information management, ISO/IEC 27017 and 27018 for cloud security and cloud personal-data protection, Cyber Essentials and Cyber Essentials Plus, and a CSA STAR registry listing. These are roadmap targets, not certifications currently held; we will update this page when each is completed.

AI and automation disclosure for geostrategic risk intelligence

Brief generation is automated end to end: live source retrieval, severity and confidence scoring, and consequence-chain construction are all performed by the system without a human in the loop at generation time, on every tier including the free Recon tier.

A separate, additional human-review layer sits on top of that automated output on paid tiers. On Scan, an analyst reviews and verifies output monthly. On Command, that review runs weekly, plus a quarterly board brief. Recon-tier output is not analyst-reviewed; it is the same automated pipeline, unverified.

Access controls behind geostrategic risk intelligence

Customer-facing tables (scans, saved briefs, company profiles) are governed by row-level security policies that restrict every row to its owning user; one customer's data is not queryable by another customer's session, including through the client SDK. Role and tier fields on the users table are read-only to the user and writable only by the service role, so a user cannot self-elevate their own access.

Administrative operations, cron jobs, and tier changes run under a separate service-role credential that bypasses row-level security by design; that credential is never exposed to the browser and is used only in server-side code.

Account-level identifiers, email address, authentication tokens, and session state, never reach the AI model. The prompt sent to generate a brief contains the company context you submitted (sector, geography, operational footprint), because that is what makes a brief specific to your company; it does not contain who you are as an account holder.

Contact for geostrategic risk intelligence data requests

Data subject requests, deletion requests, and enterprise security questionnaires (data processing addenda, subprocessor lists) are handled at privacy@fortiusintel.com.