Security is a serious concern at Fortamus. We are reinventing the infrastructure that powers life insurance valuation and we want to do it right. Our entire team works diligently to protect our systems, infrastructure and service offerings, utilizing both internally developed systems and partnering with world-class service providers. We ask that you help us by considering the security of your actions within our system and responsibly disclosing any vulnerabilities you identify.
Steps for Protecting Your Interactions with Fortamus
Extra Login Security
We offer 2-factor authentication tokens at login, a technology that helps prevent unauthorized access to your accounts even if your username and password have been compromised.
Your chosen token app will generate a random code that you'll be asked to enter each time you log in to your Fortamus account. This enhanced security feature is designed to protect certain transactions in your account even if an unauthorized individual has stolen your password. We do not utilize SMS-based 2-factor authentication due to its inherent lack of security.
Username and Password Requirements
To help prevent unauthorized access, Fortamus requires that all users utilize a unique username and password when creating an account. Keep in mind that strong passwords are long and employ a unique combination of numbers, upper and lower case letters, and special characters. We maintain a list of breached username/email and password combinations and may reject combinations that have been compromised.
At Fortamus, the convenience and safety of your accounts are of utmost importance. To help stop unauthorized access to your accounts, Fortamus users must continue to interact with the system in order to remain logged in. All users must re-authenticate every 8 hours regardless of activity level. To help lessen the chance of unauthorized access to your account, we'll automatically log you off after observing a period of inactivity.
Your account activity is hidden from prying eyes as it travels over the Internet to our servers thanks to our strong, 128-bit, two-way data encryption. This is the strongest commercially available encryption technology. We only utilize servers providing secure connections. Please look for "https:" at the beginning of the web address when accessing our platform. You'll see this even when interacting with our pages that do not require a login.
You can engage with our customer service representatives using secure, encrypted messages once authenticated. Never send us information regarding your account(s) unless it's through this secure channel. For anyone who does not have a Fortamus account but would like to engage with us, please utilize our PGP key or utilize our webform at www.fortamus.com/contact.
Fortamus will never ask for confidential data such as your account numbers, usernames and passwords via email. Nor will Fortamus ask for this information when we reach out to you via phone. When we do email you, we digitally sign all emails so that you can verify the message's integrity and authenticity.
We provide notifications for certain security transactions. This may include SMS text, mobile push notifications, email and recorded voice messages. If you’d like to receive these messages, please ensure your contact information is up to date on your account(s) and user profile.
What We Do at Fortamus to Protect Our Clients
We always verify your identity before granting access to your accounts. We also mandate that any delegated authority be explicitly acknowledged, and delegated access can be revoked at any time.
We're constantly on the lookout for suspicious irregularities across our network and infrastructure. We will alert clients whenever we detect problems that may affect them. We are not only looking for suspicious activity but also for inadvertent behavior.
Firewalls are protective barriers that defend Fortamus networks and computer systems from hackers and cyber attackers trying to gain access into our data centers. We use some of the strongest firewalls available in the industry to guard the information housed in our servers.
We monitor transactions, web sessions and account access for suspicious and unusual behavior to ensure that they are authorized, legitimate and genuine. If we detect abnormal activity, we will notify you immediately.
Security at Our Branches and Offices
Our security measures extend far beyond our infrastructure. Fortamus employees are a key part of our security posture. We vigilantly monitor all work areas in order to prevent theft or scrutiny of documents containing sensitive information. (Our employees love the clean desk rule!)
Restricted Access to Data
We limit access to systems containing customer data to only those employees who need it to conduct business. External contractors are only allowed access to customer data under supervision of Fortamus staff. Please contact firstname.lastname@example.org to receive a report of the data we retain and access logs. We continually monitor access and actively remove access permissions that are no longer needed.
We ensure that our employees know and adhere to the best security practices available. We require periodic training on our security policies for all personnel. (Yes, even HR has to take the same training.) Personnel who work directly with customers receive extra training on topics such as anti-money laundering, identity theft and senior fraud. We sponsor our employees to take security training and receive certification from outside organizations to ensure they have the most up-to-date knowledge.
Reporting Possible Vulnerabilities
If you believe you have discovered a security issue or vulnerability, please send an email to email@example.com with information and detailed instructions on how to reproduce the issue. Please utilize our PGP key or other forms of secured communication in the disclosure. Emails sent to firstname.lastname@example.org will be read and acknowledged with a non-automated response within three working days.
We promote the ethical disclosure of security bugs. For this reason, we kindly ask that security professionals act in good faith. Please observe the following principles:
- Share all available details, including proof-of-concept or any other artifact.
- Give us a reasonable time to fix or mitigate the issue before any public disclosures.
- Do not access or corrupt users' data or corporate resources with the intent of demonstrating a security bug.
- Do not engage in activities that may degrade the performance of our services. (If you believe you have identified a vulnerability, we are happy to provide sandbox copies of our service for testing).
We currently do not have any active, paid Bug Bounty programs, but based on the scale and specifics of a vulnerability, Fortamus may request consulting agreements to ensure our understanding and mitigation of the vulnerabilities.
- Data Controller & Privacy Officer:
- Data Protection Officer:
This policy is effective as of 31 January 2019.