Security we take seriously.
A defense-in-depth posture aligned with the standards your procurement team cares about.
Security posture, in one paragraph
FOCTTA applies database-enforced tenant isolation, encrypted credentials at rest, a tamper-evident audit trail, and role-based access control across the platform. Our architecture follows defense-in-depth principles, is reviewed regularly by independent security professionals, and has been designed for DPDPA Section 8(5), GDPR Article 32, and equivalent safeguard obligations under CCPA. We do not publish implementation internals on this page - the detailed security architecture, threat model, and control documentation are shared under NDA with your procurement and security reviewers after an initial demo.
What this means for your program
Defense in depth
Security is layered end to end - authentication, authorisation, database-enforced tenant isolation, encrypted storage, and tamper-evident audit. Failure of any one layer does not expose customer data.
Cryptographic proof
Every mutation across the platform produces a tamper-evident Compliance Receipt. Each receipt is defensible in front of the Data Protection Board, the ICO, the CNIL, or any other regulator that asks to see your work.
Encrypted end to end
Data is encrypted in transit via TLS and at rest across databases, object storage, backups, and credential vaults. Secret material is rotated on a regular cadence.
Independent review
Regular third-party penetration tests, external code reviews on security-sensitive paths, and a published security contact for responsible disclosure.
Least privilege by default
Role-based access across the product and the platform itself. Engineering access to production is audited, time-bound, and break-glass only.
Incident readiness
Incident response procedures aligned with the 72-hour regulatory notification window. Customer notification commitments are written into our Data Processing Addendum.
Standards we align with
Certifications shown as "readiness" have a documented readiness assessment in progress - we do not claim what we have not earned.
Eight built-in roles + custom roles
Eight pre-configured roles cover the standard privacy program. When your org needs more - a Marketing Reviewer who can only see consent dashboards, a Vendor Manager scoped to processor data - your DPO defines a custom role with a visual permission picker. Every teammate gets exactly the access their responsibilities require. Nothing more.
End-to-end access across modules, settings, and audit trail. Can approve responses and sign certificates.
Creates and manages consent records, grievances, and risks. Cannot change tenant settings or sign final responses.
Reviews and approves DSAR responses, assessment approvals, erasure jobs, and legal-hold decisions.
Manages integrations, users, and access. No access to compliance data content itself.
View-only across data, audit trail, and analytics. Can export audit logs for regulator review.
Marketing, product, or engineering teammates who file ROPA entries and DPIA requests for their own initiatives. Drafts only - DPO approves.
Owns a specific application or dataset. Attests inventory accuracy, handles DSAR sub-tasks for their asset, acknowledges vendor DPA renewals.
Operational maintainer of app inventory, vendor register, training records, and DPIA checklists. Maintains catalogs; does NOT approve DSARs or sign DPIAs.
Detailed security documentation, on request
Our detailed security architecture, threat model, penetration test summaries, and control documentation are shared under NDA. Request a security review after your initial demo and our team will walk your procurement and security reviewers through the specifics. Enterprise customers receive a full security questionnaire response (CAIQ-aligned) and DPA on request.
Ready to talk security?
Start with a demo. Follow up with a security review under NDA.