Summary
This Privacy Policy explains how FortisEU processes personal data when you visit our website, create an account, or use our services. It is written for transparency, not marketing.
1. Data We Collect
1.1 Account and Contact Data
- Name, email address, and company details you provide
- Role/title and contact preferences (optional)
- Messages you submit via forms (e.g., Contact, Trust Center requests)
1.2 Service Data (Customer Content)
When you use FortisEU, you may upload or enter compliance-related content (evidence, policies, questionnaires, vendor information). This content is processed to provide the service to your organization.
1.3 Usage and Diagnostics
We may collect limited technical and usage data to operate, secure, and improve the service (for example: error reports, performance metrics, and feature usage events).
2. How We Use Data
- Provide and operate the service
- Authenticate users and prevent abuse
- Respond to support, procurement, and security review requests
- Send service communications and updates you request
- Improve reliability and product experience
3. Legal Bases (GDPR)
Depending on context, we process personal data under one or more GDPR legal bases, including contract performance, legitimate interests (security and service operations), and consent (for optional marketing communications).
4. Sharing and Subprocessors
We may share personal data with service providers (subprocessors) strictly as needed to operate FortisEU (for example: email delivery). We do not sell personal data. For procurement reviews, we can provide an up-to-date subprocessor list through the Trust Center request process.
5. International Transfers
Data processing locations and transfer mechanisms depend on the selected deployment and subprocessors used. If transfers outside the EU/EEA occur, we use appropriate safeguards where required.
6. Retention
We retain personal data for as long as necessary to provide the service, meet legal obligations, resolve disputes, and enforce agreements. Retention details can vary by plan and deployment.
7. Your Rights
You may have rights under GDPR, including access, rectification, deletion, restriction, portability, and objection. You may also lodge a complaint with a supervisory authority.
8. Artificial Intelligence
FortisEU uses EU-sovereign AI (Mistral AI, based in France) to power compliance analysis features. This section describes how AI is used, what data it processes, and your rights.
8.1 AI Systems
We operate 11 AI systems classified under the EU AI Act (Regulation (EU) 2024/1689). Two are classified as high-risk (Access Review AI Recommendations and Peer Group Analysis), five as limited-risk, and four as minimal-risk. Full details are available on our AI System Cards page.
8.2 Data Inputs
AI systems process: compliance framework knowledge, tenant entitlement metadata, user queries, risk scores, and evidence metadata. AI systems do not process the content of uploaded evidence files.
8.3 How Outputs Are Used
All AI outputs are advisory only and require human verification. For high-risk systems (access review recommendations), a human reviewer must explicitly approve or reject each decision. AI recommendations are non-binding.
8.4 Training Data Governance
Your data is not used for AI model training. Mistral AI processes prompts under a data processing agreement that explicitly prohibits using customer data for training. Embedding vectors are stored in self-hosted infrastructure on Scaleway (France).
8.5 Your AI Rights
You may: (a) opt out of AI processing at any time via account settings; (b) request an explanation of any AI-assisted decision; (c) appeal any AI-assisted access decision via the human review mechanism (resolved within 14 days); (d) withdraw AI consent at any time without affecting core platform functionality.
8.6 EU-Sovereign Processing
All AI processing occurs in France (Mistral AI, Paris). No AI data is transferred to non-EU jurisdictions. Vector embeddings are stored in self-hosted Supabase on Scaleway, France.
8.7 High-Risk AI Disclosure
Access Review AI Recommendations and Peer Group Analysis are classified as high-risk under EU AI Act Art. 6(2) and Annex III Category 4(a) (employment, workers management). These systems include mandatory human oversight, audit logging, bias monitoring, and an appeal mechanism. Fundamental Rights Impact Assessments are maintained for both systems.
8.8 Retention
AI conversation data is retained per your tenant data retention policy. AI recommendation caches are purged 90 days after access review completion. AI accuracy audit samples are retained for 24 months.
9. Contact
For privacy inquiries, contact privacy@fortis.eu. For security reports, contact security@fortis.eu.