Security & Trust
Security posture for national-scale workloads.
Enterprise and government workloads cannot tolerate compromise. Below is the short version of how we secure, operate, and account for the systems we deliver. Detailed control documentation, audit reports, and DPIAs are available under NDA on request.

Compliance frameworks
ISO 27001
Controls aligned
Information-security management system controls aligned to the ISO/IEC 27001 framework, covering risk management, access control, cryptography, and incident response.
SOC 2 Type II
Controls aligned
Security, availability, and confidentiality controls aligned to AICPA Trust Services Criteria across our delivery, hosting, and development environments.
GDPR
Operational
Data handling and architecture designed to satisfy GDPR obligations across data-subject rights, lawful bases, transfers, and processor responsibilities.
PDPA
Operational
Aligned with personal data protection acts across APAC jurisdictions for clients operating regionally, including data-residency and consent provisions.
Architecture & encryption
Encryption end-to-end
TLS 1.2+ for all data in transit. AES-256 for data at rest in customer-deployed environments. Mutual TLS between integration layers where the threat model requires it.
Identity & access (Zero Trust)
Role-based access with least-privilege defaults. Multi-factor authentication on all administrative access. Just-in-time elevation for privileged operations.
Continuity & resilience
Active-active redundant infrastructure with sub-minute failover. Recovery objectives validated under live operational load — RPO under 1 minute, RTO under 15 minutes.
Audit & accountability
Immutable audit logs with data-lineage tracking. Compliance reports on demand for regulatory review. Tamper-evident logging for forensic investigation.
Service-level commitments
The numbers below reflect production engagements under live operational load — not synthetic benchmarks.
- Production uptime: ≥ 99.95%
- Severity 1 first response: ≤ 15 minutes
- Severity 2 first response: ≤ 1 hour
- Severity 3 first response: ≤ 4 hours
- Recovery Point Objective (RPO): < 1 minute
- Recovery Time Objective (RTO): < 15 minutes
- Encryption in transit: TLS 1.2+
- Encryption at rest: AES-256
Escalation paths
Three tiers, defined in advance, mapped to the response timers above. Every engagement begins with these contacts named — there is no anonymous queue.
Tier 1
Engagement lead
First point of contact for the engaged customer. Triages every incident, manages the active ticket, and owns SLA timers from notification through resolution.
Tier 2
Senior practice lead
Engaged automatically on Severity 1 and 2 incidents, on missed Tier-1 SLA, or on customer request. Senior engineer with deep ownership of the affected service pillar.
Tier 3
CTO & executive sponsor
Engaged on declared Severity 1 incidents and on any incident exceeding 4 hours without resolution. Direct line to executive decision-making and cross-team mobilisation.
Data sovereignty
Where engagements involve hosted operations, data residency is fixed at contract signing. We do not migrate customer data across jurisdictions without written authorisation, and we maintain region-specific sub-processor lists on request.
Vulnerability disclosure
Suspected vulnerabilities can be reported to support@fusecorp.global. We acknowledge reports within two business days and coordinate responsible-disclosure timelines with the reporter.
Under NDA
Detailed audit reports, control evidence, and DPIAs are available to qualified prospects.
Request a security briefing to receive the documentation pack — including certificate references, sub-processor list, encryption design, and incident history.