Fortitude Media takes data protection and security seriously. We handle client data under UK GDPR and apply controls proportionate to the marketing data we process. This page is maintained by Fortitude Media to answer the common security and privacy questions reviewers ask about Sentinel, Forge and the wider Fortitude service.
Data protection and GDPR
In most engagements Fortitude Media acts as a data processor on behalf of the client, who remains the controller of any personal data they share with us. We comply with the UK General Data Protection Regulation, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR).
- Our full Privacy Policy sets out what we collect, why, and your rights.
- A Data Processing Addendum is available and is signed as part of every client engagement involving personal data.
- Fortitude Media Limited is registered with the UK Information Commissioner's Office, registration reference ZC136854.
Sub-processors
We use a small number of reputable providers to deliver the service. Clients receive prior notice of any material change.
| Provider | Purpose | Region | Safeguard |
|---|---|---|---|
| Supabase | Application database, authentication and file storage | EU / US | UK IDTA and SCCs where applicable |
| Vercel | Hosting, web analytics and monitoring for the Sentinel application | US and global edge | UK IDTA and SCCs, EU-US Data Privacy Framework |
| Cloudflare | Content delivery and object storage (R2) | Global | UK IDTA and SCCs |
| Lovable | Hosting for the public marketing website | EU / US | UK IDTA and SCCs |
| Paddle | Payments and Merchant of Record | UK / EU | UK GDPR, intra-UK and EEA |
| Stripe | Card payments, and Merchant of Record where selected | EU / US | UK IDTA and SCCs |
| GoCardless | Direct debit collection | UK / EU | UK GDPR, intra-UK and EEA |
| Resend | Transactional and report email delivery | US / EU | UK IDTA and SCCs |
| Google Workspace | Business email, document collaboration and file storage | EU / US | UK IDTA and SCCs, EU-US Data Privacy Framework |
| OpenAI, Anthropic, Google, Microsoft, Perplexity | AI engines queried to generate reports, using brand and category prompts rather than personal data | US and global | UK IDTA and SCCs, contractual no-training terms where available |
Not every sub-processor applies to every engagement. Payment providers, for example, apply only to paid Sentinel subscriptions.
Security measures
Proportionate, current and actually in place.
- Least-privilege access. Access to client data is restricted to the people who need it for the engagement.
- Multi-factor authentication. MFA is enforced on all accounts that touch client data.
- Encryption in transit. All client data is exchanged over TLS.
- Reputable vendor infrastructure. We build on established providers (Google, Cloudflare, our hosting partners) rather than self-hosting sensitive workloads.
- Data minimisation. We collect and retain only what we need to deliver the service.
Confidentiality
Mutual non-disclosure agreements are in place with clients on request, and as standard for Forge engagements. All Fortitude personnel and contractors are under written confidentiality obligations that survive the end of their engagement with us.
Data handling, retention and breach response
- Minimum necessary. We only process the data we need to deliver the service the client asked for.
- Return or deletion on exit. On request, or at the end of the engagement, we return or securely delete client personal data, subject to legal retention obligations such as accounting records.
- Breach notification. If we become aware of a personal data breach affecting a client, we notify that client without undue delay and in any event within 72 hours of becoming aware, with the information they need to meet their own regulatory obligations.
International transfers
We prefer to keep data in the UK and EEA. Where personal data is transferred outside the UK or EEA, we rely on the safeguards required by UK GDPR, including the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, and supplementary measures where appropriate.
Insurance
Fortitude Media Limited holds the following insurance cover. Certificates are available on request.
- Professional Indemnity: £1,000,000.
- Cyber: £500,000.
- Public Liability: £1,000,000.
Certifications and roadmap
Fortitude Media is not currently certified to ISO 27001 or SOC 2. We are a specialist supplier processing low-risk marketing data, and we would rather give a straight answer here than imply otherwise.
Our internal controls are aligned to the principles of ISO 27001 and the UK National Cyber Security Centre's Cyber Essentials scheme, covering access control, secure configuration, patching, malware protection and user awareness. We will pursue Cyber Essentials certification first, with ISO 27001 considered as our enterprise client base grows and the cost is proportionate.
Contact and documents
For any security, privacy or due diligence question, email security@fortitudemedia.ai and a member of the team will reply.
The following documents are available on request: Privacy Policy (also published at /privacy), Data Processing Addendum template, GDPR Compliance Statement, and insurance certificates.