Privacy Policy

FortaRisks Privacy Policy

Last updated: September 1, 2025
Privacy email: privacy@fortarisks.com

This Privacy Policy explains how FortaRisks collects, uses, discloses, and protects personal information in connection with the FortaRisks B2B SaaS platform (the “Platform”) and related services (collectively, the “Services”). This policy primarily concerns business contact and account data used to deliver and secure the Services.

1) What we do

FortaRisks is a B2B SaaS cybersecurity risk management platform. We process professional and account-related information to create and manage accounts, secure access, deliver the Services, bill customers, provide support, and improve our products. We aim to minimize personal information and prefer de-identification where feasible.

2) Information we collect

We collect information in the following categories:

Business identity & contact information

  • Name, job title, business email, business phone number, organization.

Account & access information

  • Authentication and access data (e.g., SSO/MFA usage), roles/permissions, access logs and audit trails.

Usage and technical information

  • Actions performed in the Platform, device and browser metadata, IP address, time zone, and other technical identifiers necessary for security and operations.

Customer-provided content

  • Content uploaded, entered, or generated by you through the Services, including items relating to risk and compliance (we encourage customers to avoid uploading unnecessary personal information).

We do not intentionally collect sensitive personal information unless you choose to provide it and it is required for the Services.

3) Why we collect it (purposes)

We use personal information to:

  • Provide and operate the Services (authentication, core features, customer support).

  • Secure the Services (detect abuse, monitoring, audit logging, compliance and security reviews).

  • Manage billing and customer relationships (contracts, invoicing, payments, account administration).

  • Measure and improve the product (analytics in aggregated and/or de-identified form where possible).

  • Communicate with you (service notices, operational messages, and B2B marketing where permitted and/or with consent).

4) Legal bases and consent

Where applicable, we rely on one or more of the following bases for processing:

  • Performance of a contract (to deliver the Services you requested).

  • Legitimate interests where permitted (e.g., security, fraud prevention, service quality, and business operations).

  • Consent when required (e.g., certain cookies and marketing communications).

You may withdraw your consent at any time for non-essential processing (this will not affect processing already performed).

5) Hosting and data residency

By default, Customer data is hosted in Canada. At onboarding, you may choose hosting in the United States or the European Union, where available. Your tenant is anchored in the selected region for primary data, backups, and operational logs.

Where transfers outside Québec/Canada are necessary (for example, limited support activities), we apply appropriate contractual and security safeguards to protect the information.

6) Sharing with service providers (sub-processors)

We use vendors to help us operate the Services (e.g., cloud hosting, email delivery, monitoring, and support). These providers process information only on our behalf and are bound by contractual obligations regarding confidentiality, security, and restricted use.

We do not sell personal information.

7) Cookies and similar technologies

We use cookies (and similar technologies) for:

  • Essential cookies: required for functionality and security.

  • Analytics cookies: to understand usage and improve the Services (preferably aggregated/de-identified).

  • B2B marketing cookies: only with opt-in where required.

You can manage your preferences through our cookie preference center.

8) AI features and automated decision-making

The Platform includes assisted AI features (such as recommendations and prioritization). Key factors are designed to be explainable, actions with meaningful impact require human review, and relevant activity is logged. We do not use AI for marketing profiling without consent.

9) Security

We apply administrative, technical, and organizational measures designed to protect information, including:

  • Encryption in transit and at rest

  • SSO/MFA support

  • Granular role-based access control (RBAC)

  • Audit logging and monitoring

  • Encrypted backups

  • Vulnerability management and an incident response process

If a security incident creates a “serious risk” as defined under applicable law, we will notify the relevant authorities (e.g., Québec’s CAI, Canada’s OPC) and affected individuals, where required.

10) Retention

We retain personal information only for as long as necessary to fulfill the purposes described above, after which we securely delete or de-identify it. Specific retention periods (e.g., logs, billing records) are documented and may be further detailed in your DPA.

11) Your rights (Canada / Québec)

Subject to applicable law, you may request to:

  • access and obtain a copy of your personal information

  • correct inaccurate information

  • withdraw consent for non-essential processing

  • request deletion where legally permitted

To exercise your rights, contact us at privacy@fortarisks.com. We will verify identity and respond within the timelines required by law.

12) Updates to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top indicates when the latest version took effect. If we make material changes, we will provide notice (e.g., email and/or in-app banner). Continued use after notice may constitute acceptance where permitted by law.

13) Contact

For privacy inquiries or requests: privacy@fortarisks.com