1Introduction
About FortiVox
FortiVox is a cloud-delivered cybersecurity platform that protects websites and applications with adaptive AI, a managed Web Application Firewall (WAF), DDoS mitigation, edge IP filtering, and global threat intelligence. Customer traffic is routed through our edge nodes where it is inspected, classified and either delivered to the origin or blocked.
Purpose of this Policy
This policy describes the personal, account, technical and security-event data that the platform collects to provide the Service, how that data flows through our systems, who it may be shared with, and how long it is retained. It is written to be practical and specific to FortiVox — not a generic template.
User Agreement
By creating an account, connecting a website, or otherwise using the FortiVox platform, you acknowledge that you have read and accepted this Privacy Policy. If you do not agree with any part of this policy, you must stop using the Service.
2Information We Collect
We collect only the data needed to operate, secure and bill the platform. The categories below describe what is stored in our database tables.
Account & Company Information
- Account information — username, hashed password, role and account status.
- Company information — company name, billing entity and country.
- Contact details — primary contact name and phone number provided during registration.
- Email addresses — used for sign-in, security notifications, billing and support correspondence.
Protected Asset Information
- Website information — every domain added to FortiVox, including its plan, status and ownership.
- DNS configuration information — the A records, edge-IP verification results and DNS-check history we record while validating that traffic flows through our edge.
- Threat and security logs — events generated by the WAF, AI engine and rate-limiting layer for each connected website.
- Support ticket information — the messages, attachments and metadata you submit through the support system.
3Security and Threat Data
To detect and stop attacks, the platform inspects traffic destined for protected websites and records security-relevant events. This data is the operational heart of the Service.
- Attack events — every request blocked or flagged by the WAF or AI engine is recorded with timestamp, severity and the rule that triggered it.
- Threat intelligence records — IP reputation, country of origin, threat category and observed attack patterns aggregated from our edge network.
- Blocked IP information — IP addresses placed on per-site or global block lists, with the reason and the admin or automated rule that added them.
- WAF events — request payloads, headers and matched signatures associated with WAF rule hits, retained for forensic review.
- Security monitoring records — audit-style entries showing how each connected site is being defended over time.
4Phishing Simulation & Security Awareness Testing
FortiVox provides phishing simulation and security awareness testing services to help organizations identify vulnerabilities and improve employee security awareness. These services are conducted with strict ethical guidelines and security controls.
Purpose and Authorization
Phishing simulations are designed exclusively for:
- Security awareness training — educating employees about phishing threats and social engineering tactics.
- Vulnerability assessment — identifying organizational weaknesses in email security and user behavior.
- Compliance requirements — meeting regulatory standards such as ISO 27001, PDPL, and cybersecurity frameworks.
- Security posture improvement — closing security gaps and strengthening organizational defenses against real phishing attacks.
Domain Ownership Verification
Before any phishing simulation campaign can be launched, we require strict verification of domain ownership through DNS verification:
- DNS TXT record verification — clients must add a unique verification token to their domain's DNS settings to prove ownership.
- Authorization confirmation — only authorized administrators who control the domain DNS can request phishing simulations.
- No unauthorized testing — campaigns cannot target domains that have not been verified and explicitly authorized.
Data Collected During Simulations
During phishing simulations, we collect the following information for training and reporting purposes only:
- Email interaction data — whether emails were opened, links were clicked, or credentials were submitted (test credentials only).
- Employee information — name, email address, department, and position as provided by the client in CSV format.
- Technical metadata — IP addresses, browser information, and timestamps of interactions for tracking purposes.
- Behavioral patterns — aggregated statistics on click rates, submission rates, and response times.
Security and Ethical Safeguards
We implement strict security measures to ensure phishing simulations are safe and ethical:
- No actual passwords or sensitive data are ever stored — all credential captures are immediately discarded and marked as "[REDACTED]".
- All simulations display educational security awareness messages immediately after submission to inform employees.
- Simulation data is encrypted in transit and at rest, accessible only by authorized client administrators.
- Landing pages are clearly hosted on verified domains and do not impersonate real services maliciously.
- All tracking is performed via unique, non-guessable tokens that cannot be exploited by third parties.
Data Retention for Simulations
Phishing simulation data is retained as follows:
- Campaign results — stored for 12 months to allow clients to track improvement over time and generate historical reports.
- Employee interaction records — retained for the duration of the client relationship and purged within 30 days of account closure.
- Anonymized statistics — may be retained indefinitely for research and service improvement, with all personally identifiable information removed.
Client Control and Transparency
Clients have full control over phishing simulation campaigns:
- Campaigns can only be initiated by verified client administrators with proper authorization.
- Clients select templates, target lists, and scheduling for all simulations.
- All results and reports are accessible exclusively to the client organization.
- Clients can request deletion of simulation data at any time through the platform or support channels.
- We never share simulation results with third parties without explicit written consent.
5Visitor and Technical Information
When a visitor reaches a website protected by FortiVox, the platform receives the same technical information any web server would receive in order to deliver and secure the response.
- IP addresses — used for security analysis, geographic filtering, rate limiting and abuse mitigation.
- Browser information — the User-Agent string and related request headers.
- Device information — broad device class derived from the User-Agent (desktop, mobile, bot).
- Operating system — broad OS family derived from the User-Agent.
- Cookies and session data — strictly-necessary cookies used to keep account holders signed in and to protect forms against CSRF attacks. We do not use third-party advertising cookies.
6How We Use Information
The data described above is used exclusively for the following purposes:
- Account management — authenticating users, managing roles and keeping account records up to date.
- Security monitoring — observing the health and security posture of every connected website.
- Threat detection — running rules and AI models to identify malicious traffic in real time.
- Service improvement — improving WAF rules, AI models and detection accuracy using aggregated, anonymised event data.
- Customer support — responding to support tickets and investigating reported incidents.
- Billing and invoicing — generating invoices, recording payment proofs and activating subscriptions.
- Service notifications — sending operational, security and billing notifications to the email on file.
7Data Storage and Protection
- Encryption practices — all traffic to the FortiVox dashboard and APIs is delivered over TLS. Passwords are stored as one-way bcrypt hashes; they are never stored in clear text.
- Access controls — administrative access is restricted by role, protected with CSRF tokens, and every privileged action is written to a tamper-evident audit log.
- Security monitoring — our own infrastructure is monitored using the same threat-intelligence and audit-logging tools we operate for customers.
- Data retention policies — each category of data has a defined retention window (see Data Retention).
9Billing and Payment Policy
- Subscription services — paid plans are billed per the cycle shown at sign-up (monthly, yearly or one-time). The price displayed at checkout is the price you pay.
- Manual bank-transfer payments — FortiVox currently accepts payment by bank transfer. The bank details required to complete a payment are shown on the invoice page.
- Invoice generation — an invoice is generated automatically when a paid plan is selected. Each invoice records the plan, billing cycle, amount, currency and (if a promotion is active) the original price and discount amount at the moment of issue.
- Payment verification process — once you upload a proof of payment, the invoice enters Awaiting Review. Our team verifies the transfer, approves or rejects the proof, and on approval the subscription is activated and the corresponding service period is recorded.
10Refund Policy
- Refund requests must be submitted through the Support Tickets system inside your account — refund requests sent through other channels will not be processed.
- Each request is reviewed individually based on the recorded service usage, the invoice history and the surrounding audit-log entries.
- FortiVox reserves the right to approve or reject a request based on service usage, indicators of fraud, or violations of this policy or the user agreement.
- Approved refunds are processed after review and credited using the same payment method that was used to pay the original invoice.
11Support and Disputes
- All billing and service disputes must be opened through Support Tickets.
- Support tickets are the official communication channel between you and FortiVox — they create a permanent, timestamped record that both parties can refer back to.
- Conversations conducted outside the ticket system (such as informal chat) are not considered binding for the resolution of a dispute.
12User Responsibilities
- Accurate account information — provide and maintain truthful registration details so we can deliver service and verify ownership of protected websites.
- Lawful use of the platform — only protect websites and applications that you own or are explicitly authorised to defend.
- Protection of login credentials — keep your password confidential, do not share accounts, and notify support immediately if you suspect unauthorised access.
- Compliance with applicable laws — use the Service in a way that complies with the laws of your jurisdiction and the jurisdiction of the websites you protect.
13Prohibited Activities
The following activities are strictly forbidden and may result in immediate suspension, termination, and notification of the appropriate authorities:
- Illegal activities — using FortiVox to host, distribute or shield content prohibited by law.
- Abuse of the platform — generating artificial load, abusing free-tier resources, or otherwise undermining the Service for other customers.
- Attempting to bypass security controls — circumventing authentication, rate-limits, WAF rules or audit logging on the FortiVox platform itself.
- Attacks against FortiVox infrastructure — including but not limited to scanning, exploiting or denial-of-service attacks against our edge nodes, dashboards or APIs.
14Data Retention
- Retention of logs — threat logs, WAF events and audit-log entries are retained for the period configured in the platform's log retention setting and are then rotated or archived. Aggregated, anonymised statistics may be kept indefinitely.
- Retention of invoices — invoices and the payment proofs attached to them are retained for as long as required by applicable accounting and tax law.
- Retention of support records — support tickets and their attachments are retained for the lifetime of the account and a reasonable period afterwards, to allow for follow-up and dispute resolution.
- Account deletion — you can request deletion of your account through a support ticket. We will remove personal and account data, except for records we are required to keep by law (for example, accounting records tied to issued invoices), which will be archived securely and accessed only when legally necessary.
15Changes to this Policy
FortiVox may update this Privacy Policy from time to time to reflect changes to the platform, our practices, or applicable law. The "Last Updated" date at the top of this page always reflects the latest revision.
For material changes — those that meaningfully affect your rights, the categories of data we collect, or how that data is used — we will notify account holders through the dashboard and by email to the address on file before the change takes effect.
16Contact Information
For privacy questions, refund requests and any other matter covered by this policy, please reach out through the channels below. Support tickets remain the recommended way to contact us for anything that needs a written record.