From the CPO’s Desk: Built for Trust

At Freyr, every product choice we make is grounded in purpose and trust. As the Chief Product Officer, my focus is on building solutions that are intuitive, reliable, and deeply aligned with the needs of regulatory teams. 
Every feature, every module, and every update is a step forward in our shared journey towards smarter, safer, and more compliant operations.

-Kranthi R, CPO

From the CTO's Desk: Secure by Design

At Freyr, trust isn't just a promise, it's the foundation of everything we build. As the Chief Technology Officer, I ensure that every line of code and product decision reflects our commitment to security, reliability, and transparency. 
We've built freya fusion to be powerful yet resilient, knowing our customers rely on us for sensitive, business-critical work. Security and privacy are not checkboxes for us, they guide how we build, innovate, and evolve. 
Thank you for placing your trust in us. We're here to protect it, every step of the way.

-Praveen Bezawada, CTO

From the CISO’s Desk: Protecting What Matters

At Freyr, protecting your data is at the core of what we do. As the Chief Information Security Officer, I see security not just as a system, but as a culture that runs through our entire organization. 
Our mission is simple: keep your information safe, your privacy intact, and our practices transparent. We continuously assess risks, strengthen safeguards, and align with the highest standards to stay ahead of evolving threats. 
Trust isn't given once - it's earned every day. And that's exactly what we strive for.

-Venkat Luckyreddy, CISO

At Freyr, trust is more than a promise - it is the foundation of everything we do. Our customers, employees, and partners rely on us to protect what matters most - their data. The Freyr Trust Portal is your gateway to understanding how we safeguard sensitive information and uphold the highest standards of security, privacy, and compliance.

Security Document

Our Commitment to Security

We recognize that the confidentiality, integrity, and availability of this data are critical to your success - and ours. That’s why we’ve built a comprehensive security program designed to meet and exceed industry standards.

To Support This Commitment, Our Security Program Includes:

  • ISO 9001:2015 - Quality Management Systems
  • ISO/IEC 27001:2022 - Information Security Management, Cybersecurity and Privacy Protection
  • GDPR 2016/679
  • SOC 2 Type II - System and Organization Controls

Continuous Improvement

Always Improving, Always Accountable

Security is not a one-time effort - it’s a continuous journey. We regularly assess our systems, update our protocols, and train our teams to stay ahead of emerging threats. Your trust drives our commitment to excellence.

More Info

Need More Information?

If you’re a customer, partner, or auditor seeking specific documentation or have questions about our security practices, please contact our Trust & Security team.

Technology and Security Whitepaper

Infrastructure Security

Our access control policy defines requirements for three functions: adding new users (identity verification and access assignment), modifying users (updating information and access rights), and removing users (revoking access and deactivating credentials).

We complete termination checklists to ensure that access is revoked for departing employees within defined SLAs.

We ensure system access is restricted to authorized users only.

We restrict privileged access to databases and other production workloads to authorized users with a legitimate business need.

We use cloud-native intrusion detection and endpoint detection and response (EDR) solutions to provide continuous monitoring of our network and early detection of potential security breaches, including protection for end-user devices.

We use infrastructure monitoring tools to track systems and performance and generate alerts when predefined thresholds are met.

We use a web application firewall (WAF) to protect internet-facing applications and mitigate industry-recognized attacks and downtime.

Our network and system hardening standards are based on industry best practices and are reviewed at least annually.

We require users to authenticate to systems and applications using unique usernames and passwords; access to secret keys is strictly limited to authorized personnel.

We segregate Production and lower environments (Dev, QA, SQA, Pre-Prod) and enforce unique authentication via role-based access control.

We review firewall rule sets at least annually.

We use firewalls configured to prevent unauthorized access.

We restrict privileged access to encryption keys to authorized users with a business need.

We restrict privileged access to the operating system to authorized users with a business need.

We restrict privileged access to the production network to authorized users with a business need.

We restrict privileged access to the firewall to authorized users with a business need.

We enforce multi-factor authentication (MFA) on all user accounts.

We ensure that infrastructure supporting the service is regularly patched as part of routine maintenance and in response to identified vulnerabilities, helping to harden servers against security threats.

Organizational Security

We ensure that electronic media containing confidential information is purged or destroyed in accordance with industry best practices, with certificates of destruction maintained as evidence.

At Freyr, we maintain a formal inventory of production system assets.

We encrypt portable and removable media devices when used.

We deploy anti-malware and EDR solutions on all relevant systems commonly susceptible to malicious attacks, and we configure them to update routinely and log activity.

We perform background checks on new employees.

We require contractor agreements to include a code of conduct or a reference to the company code of conduct.

We require employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary action in accordance with our disciplinary policy.

We require contractors to sign a confidentiality agreement at the time of engagement.

We require employees to sign a confidentiality agreement during onboarding.

We require passwords for in-scope system components to be configured according to company policy.

At Freyr, we have a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service.

We require visitors to sign in, wear a visitor badge, and be escorted by an authorized employee when accessing the office or secure areas.

We require employees to complete security awareness training as part of onboarding and at least annually thereafter.

Product Security

We safeguard both customer and internal data by adhering to industry best practices.

We conduct control self-assessments at least annually to ensure that controls are in place and functioning effectively. Corrective actions are implemented based on assessment findings and, where SLAs apply, completed within the agreed timeframe.

Our penetration testing is performed at least annually. A remediation plan is developed, and changes are implemented to address vulnerabilities in accordance with SLAs.

We ensure the application supports multi-factor authentication (MFA), requiring additional factors beyond usernames and passwords.

The application supports Single Sign-On (SSO) integration using Security Assertion Markup Language (SAML).

We use secure data transmission protocols, such as TLS 1.2 or higher, to encrypt data transmitted over public networks. We also ensure encryption at rest is enabled to protect stored information.

Our formal policies define requirements for key IT and Engineering functions, including Vulnerability Management, System Monitoring, and a robust Software Development Life Cycle (SDLC) process.

Internal Security

We ensure Business Continuity and Disaster Recovery Plans are in place, including defined communication strategies to maintain information security continuity in the event of key personnel unavailability.

At Freyr, we have an established and documented Business Continuity and Disaster Recovery (BC/DR) plan, which is tested at least annually to ensure its effectiveness.

At Freyr, we have a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.

We ensure that all changes to software and infrastructure components are authorized, formally documented, tested, reviewed, and approved prior to deployment in the production environment.

We restrict the ability to migrate changes to the production environment to authorized personnel only.

We follow a formal Systems Development Life Cycle (SDLC) methodology that governs the development, acquisition, implementation, maintenance, and management of changes—including emergency changes—to information systems and related technology requirements.

SOC 2 reports are maintained and reviewed for cloud vendors that provide infrastructure hosting, ensuring compliance with security, availability, and confidentiality requirements.

At Freyr, we have established a formal whistleblower policy, and an anonymous communication channel is in place for users to report potential issues or fraud concerns.

Our Board of Directors meets at least annually, with formal meeting minutes maintained to document discussions and decisions.

Our data backup policy outlines the requirements for the backup and recovery of customer data to ensure data integrity and availability.

We notify customers of critical system changes that may impact their processing, ensuring transparency and allowing for necessary adjustments.

At Freyr, we maintain an organizational chart that describes the organizational structure and reporting lines.

Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned through job descriptions and/or documented in the Roles and Responsibilities policy.

Our information security policies and procedures are documented and reviewed at least annually.

At Freyr, we maintain an external-facing support system that enables users to report system failures, incidents, concerns, and other complaints to the appropriate personnel or teams.

We communicate system changes to authorized internal users.

We conduct periodic access reviews for in-scope system components to ensure access is appropriately restricted, with required changes tracked through to completion.

We ensure that user access to in-scope system components is granted based on job role and function, or via a documented access request with manager approval prior to provisioning.

At Freyr, we have security and privacy incident response policies and procedures that are documented and communicated to authorized users.

Security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company’s security incident response policy and procedures.

At Freyr, we have established processes for granting, modifying, and revoking physical access to company data centers, based on authorization from designated control owners.

Our security commitments are communicated to customers as needed, ensuring transparency and alignment with customer expectations.

At Freyr, we provide customers with guidelines and technical support resources to assist with system operations.

At Freyr, we provide clear and concise descriptions of our products and services to inform and engage both internal stakeholders and external audiences.

We conduct annual risk assessments to identify and evaluate threats—including environmental, regulatory, technological, and fraud-related risks—that may impact our service commitments and objectives.

At Freyr, we maintain a documented risk management program that outlines the identification of potential threats, risk significance ratings, and corresponding mitigation strategies.

At Freyr, we maintain written agreements with vendors and third parties that include confidentiality and privacy commitments specific to each entity.

At Freyr, we have a vendor management program that includes defined security and privacy requirements and mandates annual reviews of critical third-party vendors.

We perform host-based vulnerability scans in real time using cloud-native services, with critical and high-severity vulnerabilities tracked through to remediation.

Data and Privacy

At Freyr, we have formal procedures in place to ensure the secure retention and disposal of both company and customer data.

We securely purge customer data containing confidential information from the application environment upon service termination, following defined processes and industry best practices.