
GDPR Compliance

Last updated: April 1, 2026

The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is the European Union's data protection law. It applies to any organization that processes the personal data of individuals in the EU/EEA, regardless of where the organization is located.

FortWatch.ai is committed to GDPR compliance. This page explains how we handle your data in accordance with GDPR principles and outlines your rights as a data subject.

Our Role Under GDPR

FortWatch.ai Technologies LLC acts as a data controller for the personal data we collect from our own users (name, email, billing information) and as a data processor for any personal data processed on behalf of our customers through the platform.

FortWatch.ai is a security infrastructure tool. We scan your servers, domains, and cloud accounts for vulnerabilities; we do not process, store, or access the records of your application's end users. The data we handle relates to your infrastructure configuration and security posture. Where a scan target or scan result incidentally contains an identifier that qualifies as personal data under GDPR (for example, an IP address or a username exposed in a service banner), we process it only on your instructions and in our role as processor.

Lawful Basis for Processing

We process personal data under the following legal bases as defined by GDPR Article 6:

  • Contract performance (Art. 6(1)(b)) — Processing necessary to provide the Services you have subscribed to, including account management, scanning, and delivering results.
  • Legitimate interest (Art. 6(1)(f)) — Processing necessary for our legitimate business interests, such as improving the platform, preventing fraud, and ensuring security, where those interests are not overridden by your rights.
  • Legal obligation (Art. 6(1)(c)) — Processing necessary to comply with legal obligations, such as tax and accounting requirements.
  • Consent (Art. 6(1)(a)) — Where you have given consent for specific processing activities, such as receiving marketing communications. You may withdraw consent at any time.

Personal Data We Collect

We collect a minimal amount of personal data necessary to provide our Services:

  • Account information — Name, email address, company name
  • Billing information — Payment method details (processed by Stripe, not stored by us)
  • Usage data — IP address, browser type, pages visited, platform interactions
  • Communications — Support tickets, emails, and feedback you send us

We do not collect special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, health data, etc.) as defined under GDPR Article 9.

Your Rights as a Data Subject

Under GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — You can request a copy of all personal data we hold about you. We will provide this without undue delay and in any event within one month.
  • Right to rectification (Art. 16) — You can request correction of inaccurate or incomplete personal data. You can also update most information directly through your account settings.
  • Right to erasure (Art. 17) — You can request deletion of your personal data. We will comply unless we have a legal obligation to retain certain data (e.g., billing records for tax purposes).
  • Right to restriction (Art. 18) — You can request that we restrict processing of your data in certain circumstances, such as when you contest the accuracy of the data.
  • Right to data portability (Art. 20) — You can request your data in a structured, commonly used, machine-readable format (JSON or CSV).
  • Right to object (Art. 21) — You can object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent (Art. 7(3)) — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@fortwatch.ai. We will respond without undue delay and in any event within one month, as required by GDPR Article 12(3). If we need additional time because of the complexity or number of requests, we will notify you within that first month; the period may be extended by up to two further months.

Data Retention

We retain personal data only as long as necessary for the purposes outlined above:

  • Active accounts — Data retained for the duration of the account
  • Deleted accounts — Personal data deleted within 30 days of account closure, except where legal retention requirements apply
  • Billing records — Retained for 7 years as required by tax regulations
  • Server logs — Automatically purged after 90 days

International Data Transfers

FortWatch.ai is based in the United States. If you are located in the EU/EEA, your personal data may be transferred to and processed in the United States. We ensure appropriate safeguards for international transfers through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Technical and organizational security measures to protect data in transit and at rest
  • Data minimization — we only transfer what is necessary to provide the Services

Third-Party Sub-Processors

We use a limited number of third-party services that may process personal data on our behalf:

  • Stripe — Payment processing (US-based; transfers to Stripe are covered by the Standard Contractual Clauses described under International Data Transfers)
  • Email service provider — Transactional email delivery (scan alerts, account notifications)
  • Cloud infrastructure — Platform hosting with encryption at rest and in transit

All sub-processors are contractually obligated to handle data in accordance with GDPR requirements. We regularly review our sub-processors to ensure compliance.

Data Security Measures

We implement technical and organizational measures appropriate to the risk, including:

  • Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls with role-based permissions and multi-factor authentication
  • Regular security assessments and vulnerability testing of our own systems
  • Employee access limited to a need-to-know basis
  • Incident response procedures that support supervisory-authority notification within 72 hours of becoming aware of a breach, as required by GDPR Article 33

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Art. 33)
  • Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34)
  • Document the breach, its effects, and remedial actions taken

Cookies

We use essential cookies for platform functionality and optional analytics cookies to understand website usage. You can manage cookie preferences through your browser settings. For more details, see our Privacy Policy.

Right to Lodge a Complaint

If you believe that our processing of your personal data infringes GDPR, you have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

We encourage you to contact us first at privacy@fortwatch.ai so we can address your concern directly.

Contact Us

For any GDPR-related inquiries, data subject requests, or concerns, contact us at privacy@fortwatch.ai.
