Security You Can Trust
Independently pen-tested. Published DPA. Named DPO at dpo@fidify.se. Customer-side encryption. SOC 2 and ISO 27001 audits in progress. Completed DDQs and engagement letters available on request.
Our security posture
Zero-knowledge encryption
Documents are encrypted on your device before they reach our servers. Your keys are unlocked only by your personal passcode or biometric. A service provider can read a document only when you actively share it with them. Never by default, and never by us.
Sovereign data residency
Your data lives in the jurisdiction your regulator requires. EU customers are hosted in the EU today. Customers in the Middle East, Africa, or other regions can be hosted in a matching region on request. Data never leaves the agreed jurisdiction.
Organization isolation
Each organization runs in its own dedicated environment. One organization cannot see, reach, or affect another.
GDPR-aligned
Published DPA at /dpa. Named Data Protection Officer reachable at dpo@fidify.se. Sub-processor list available at /subprocessors and kept current.
Certifications & audits
We will not display certifications we have not earned. Audits already completed and audits in progress are listed below with the same honesty. Reports, certificates, and engagement letters are available on request.
Independent penetration test
Most recent test Q1 2026, third-party assessor
ISO/IEC 27001:2022
Audit in progress, targeting certification 2026
SOC 2
Type I in progress, targeting H2 2026
Controls overview
A plain-language summary of the controls in place. For full technical detail (algorithms, retention windows, patching SLAs, and more) see our Technical & Organisational Measures document.
Encryption
Industry-standard encryption at rest and in transit, plus client-side encryption for sensitive uploads.
Access control
Least-privilege access with named, MFA-protected personal accounts. No shared credentials. Production access is audited.
Vulnerability management
Automated dependency and code scanning on every build. Regular third-party penetration testing. Defined patching cadence by severity.
Incident response
Documented incident management procedure with centralised logging held within your jurisdiction and a defined breach-notification process aligned to GDPR Article 33.
Backups & recovery
Regular automated backups with tested disaster recovery. Environments can be rebuilt in a new region if needed.
Change management
Mandatory automated and manual testing before release. Separated development, test, and production environments.
AI model choice
Bring your own LLM provider (OpenAI, Anthropic, Mistral, or your own enterprise contract), or use Fidify's default. Lets your AI governance committee keep its existing posture, and lets you align with EU AI Act and DORA model-risk requirements.
Data handling
Where data lives
EU customers are hosted in the EU today. Customers in the Middle East, Africa, or other regions can be hosted in a matching region on request. Once agreed, data never leaves that jurisdiction. Customer remains the data controller; Fidify is the processor.
Sub-processors
We publish the current sub-processor list and notify customers of changes in line with the DPA. All sub-processors meet ISO 27001 or equivalent.
Retention & deletion
Customers control retention. On termination, customer data is exported on request and deleted from active systems within the contracted window.
Personal data in logs
We avoid writing identifying personal data to application logs.
Documents
The artefacts procurement and legal teams usually need.
Security contact & responsible disclosure
Found a vulnerability? Need a DDQ filled, an engagement letter, or a pen-test summary? Reach the security team directly.
security@fidify.se