Commitment and scope

Fortura Labs Pty Ltd ("Fortura", "we", "our", or "us") is committed to maintaining a high standard of information security across our website, platforms, and associated services. This includes the Fortura website, the ForturaOne platform, and any products and services delivered within the ForturaOne umbrella. ForturaOne serves as the central access point through which users interact with and access the products they have purchased, and as such, it is designed and operated with security embedded at every layer. As a cybersecurity company operating under the principle of Security by Intelligence, we prioritise the confidentiality, integrity, and availability of information across all systems and interactions.

Frameworks, standards, and infrastructure

Our security posture is guided by established frameworks and standards, including ISO/IEC 27001, the NIST Cybersecurity Framework (CSF), the Australian Cyber Security Centre's Essential Eight, the Secure Controls Framework (SCF), and the AWS Well-Architected Framework (Security Pillar). These frameworks inform how we design controls, manage risk, and continuously improve our security capabilities. Our infrastructure is primarily hosted on Amazon Web Services (AWS), leveraging enterprise-grade cloud security controls such as identity and access management, logging and monitoring, threat detection, and configuration management. Environments are logically segregated across development, testing, and production to reduce risk and maintain operational integrity.

Data protection and access controls

We implement strong data protection measures to safeguard information both in transit and at rest, including the use of industry-standard encryption protocols such as TLS 1.2 or higher and encryption mechanisms aligned with AES-256 standards. Access to systems and data is governed by strict identity and access management practices, including role-based access control, least privilege principles, and multi-factor authentication for privileged users. Access rights are regularly reviewed and adjusted in line with operational requirements, ensuring that only authorised personnel can interact with sensitive systems and data across the Fortura website, ForturaOne platform, and all products delivered within the ForturaOne ecosystem.

Secure development and operations

Security is embedded into our application development lifecycle through secure design principles, code reviews, and the use of automated tools to identify vulnerabilities and manage dependencies. We actively protect against common attack vectors, including those identified in the OWASP Top 10, and continuously monitor our environment using centralised logging, real-time alerting, and threat intelligence integration. This enables us to detect, investigate, and respond to anomalous or malicious activity in a timely manner across both our website and all ForturaOne-enabled products.

Vulnerability management and incident response

Fortura maintains a proactive vulnerability management program, which includes regular assessments, patch management processes, and periodic security testing. Where appropriate, independent penetration testing may be conducted to validate the effectiveness of our controls. In the event of a security incident, we follow structured incident response procedures designed to contain threats, minimise impact, restore services, and identify root causes. Where required by applicable laws or contractual obligations, affected parties will be notified in accordance with regulatory expectations.

Third parties, related policies, and resilience

We recognise that security extends beyond our own systems and includes the broader ecosystem in which we operate. As such, we apply due diligence and risk-based assessments when engaging third-party service providers, ensuring that appropriate security requirements are established and maintained. This approach aligns with Fortura's broader focus on third-party risk intelligence and interconnected trust models, as reflected in our platform vision. Our handling of personal information is further governed by our Privacy Notice, Cookies Policy, and Terms of Use, ensuring compliance with applicable data protection regulations.

To support resilience and continuity, we implement backup strategies, high-availability infrastructure design, and disaster recovery planning. These measures are periodically reviewed to ensure that services can be restored effectively in the event of disruption. Internally, we promote a strong security culture through defined governance structures, clear roles and responsibilities, and ongoing awareness initiatives. Security is treated as a continuous process, evolving in response to emerging threats, technological changes, and business needs.

Responsible disclosure

Fortura encourages responsible disclosure of security vulnerabilities and invites individuals to report any potential issues to security@fortura.io. We request that such disclosures are made in good faith, without exploitation, and allow us reasonable time to investigate and remediate. While we implement robust and industry-aligned security controls, no system can be guaranteed to be completely secure, and our services are designed to reduce risk rather than eliminate it entirely, consistent with our broader legal terms and disclaimers.

Updates and contact

This Security Policy may be updated periodically to reflect changes in our operations, regulatory requirements, or the evolving threat landscape. The most current version will always be available on our website. For any security-related enquiries, Fortura can be contacted at security@fortura.io.