From the CTO's Desk: Secure by Design

At Freya Fusion, trust isn’t just a promise; it’s the foundation of everything we build. As the Chief Technology Officer, I ensure that every line of code and product decision reflects our commitment to security, reliability, and transparency.

We’ve built Freya Fusion to be powerful yet resilient, knowing our customers rely on us for sensitive, business-critical work. Security and privacy are not checkboxes for us; they guide how we build, innovate, and evolve.

Thank you for placing your trust in us. We’re here to protect it, every step of the way.

-Praveen Bezawada, CTO

From the CISO’s Desk: Protecting What Matters

At Freya Fusion, protecting your data is at the core of what we do. As the Chief Information Security Officer, I see security not just as a system, but as a culture that runs through our entire organization.

Our mission is simple: keep your information safe, your privacy intact, and our practices transparent. We continuously assess risks, strengthen safeguards, and align with the highest standards to stay ahead of evolving threats.

Trust isn’t given once - it’s earned every day. And that’s exactly what we strive for.

-Venkat Luckyreddy, CISO

At Freyr, trust is more than a promise - it is the foundation of everything we do. Our customers, employees, and partners rely on us to protect what matters most - their data. The Freyr Trust Portal is your gateway to understanding how we safeguard sensitive information and uphold the highest standards of security, privacy, and compliance.

Security Document

Our Commitment to Security

We recognize that the confidentiality, integrity, and availability of this data are critical to your success - and ours. That’s why we’ve built a comprehensive security program designed to meet and exceed industry standards.

To support this commitment, our security program includes:

  • ISO 9001:2015 - Quality Management Systems
  • ISO/IEC 27001:2022 - Information Security Management, Cybersecurity and Privacy Protection
  • GDPR 2016/679
  • SOC2 Type II - System and Organization Controls

Continuous Improvement

Always Improving, Always Accountable

Security is not a one-time effort - it’s a continuous journey. We regularly assess our systems, update our protocols, and train our teams to stay ahead of emerging threats. Your trust drives our commitment to excellence.

More Info

Need More Information?

If you’re a customer, partner, or auditor seeking specific documentation or have questions about our security practices, please contact our Trust & Security team.

Technology and Security Whitepaper

Infrastructure security

The company's access control policy defines requirements for all three functions: adding new users (identity verification and access assignment), modifying users (updating information and access rights), and removing users (revoking access and deactivating credentials).

The company completes termination checklists to ensure that access is revoked for terminated employees within SLAs.

The company ensures system access is restricted to authorized users only.

The company restricts privileged access to databases and other production workloads to authorized users with a business need.

The company uses cloud-native intrusion detection solutions to provide continuous monitoring of the company's network and early detection of potential security breaches, and an EDR solution for end-user devices.

The company utilizes an infrastructure monitoring tool to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met.

The company uses a WAF (Web Application Firewall) to protect internet-facing applications and prevent application downtime from industry-known attacks.

The company's network and system hardening standards are maintained based on industry best practices, and reviewed at least annually.

The company requires users to authenticate to systems and applications using unique usernames and passwords, while access to secret keys is strictly restricted to authorized personnel.

The company ensures Production and lower environments (Dev, QA, SQA, PreProd) are segregated, with unique authentication enforced through role-based access control.

The company reviews its firewall rule-sets at least annually.

The company uses firewalls and configures them to prevent unauthorized access.

The company restricts privileged access to encryption keys to authorized users with a business need.

The company restricts privileged access to the operating system to authorized users with a business need.

The company restricts privileged access to the production network to authorized users with a business need.

The company restricts privileged access to the firewall to authorized users with a business need.

The company ensures that MFA is configured and enforced on all user accounts.

The company ensures that infrastructure supporting the service is regularly patched as part of routine maintenance and in response to identified vulnerabilities, helping to harden servers against security threats.

Organizational security

The company ensures that electronic media containing confidential information is purged or destroyed in accordance with industry best practices, with certificates of destruction maintained as evidence.

The company maintains a formal inventory of production system assets.

The company encrypts portable and removable media devices when used.

The company deploys anti-malware and EDR solutions on systems commonly susceptible to malicious attacks and configures them to be updated routinely, logged, and installed on all relevant systems.

The company performs background checks on new employees.

The company requires contractor agreements to include a code of conduct or reference to the company code of conduct.

The company requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy.

The company requires contractors to sign a confidentiality agreement at the time of engagement.

The company requires employees to sign a confidentiality agreement during onboarding.

The company requires passwords for in-scope system components to be configured according to the company's policy.

The company has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service.

The company requires visitors to sign-in, wear a visitor badge, and be escorted by an authorized employee when accessing the office or secure areas.

The company requires employees to complete security awareness training as part of employee onboarding and at least annually thereafter.

Product security

The company safeguards both customer and internal data by adhering to standard industry best practices.

The company conducts control self-assessments at least annually to ensure that controls are in place and functioning effectively. Corrective actions are implemented based on assessment findings, and if a Service Level Agreement (SLA) is in place for a finding, the corrective action is completed within the agreed timeframe.

The company's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.

The company ensures that the application supports Multi-Factor Authentication (MFA), with One-Time Passcodes (OTP) delivered via email or generated through app-based authenticators such as Microsoft Authenticator, Google Authenticator, or any other application supporting Time-based One-Time Passwords (TOTP).

The application supports Single Sign-On (SSO) integration using Security Assertion Markup Language (SAML).

The company uses secure data transmission protocols, including SSL and TLS 1.2 or higher, to encrypt data transmitted over public networks, and ensures data encryption at rest is enabled to protect stored information.

The company's formal policies define requirements for key IT and Engineering functions, including Vulnerability Management, System Monitoring, and a robust Software Development Life Cycle (SDLC) process.

Internal security

The company ensures Business Continuity and Disaster Recovery Plans are in place, including defined communication strategies to ensure information security continuity in the event of key personnel unavailability.

The company has an established and documented Business Continuity and Disaster Recovery (BC/DR) plan, which is tested at least annually to ensure its effectiveness.

The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.

The company ensures that all changes to software and infrastructure components are authorized, formally documented, tested, reviewed, and approved prior to deployment in the production environment.

The company restricts the ability to migrate changes to the production environment to authorized personnel only.

The company follows a formal Systems Development Life Cycle (SDLC) methodology that governs the development, acquisition, implementation, maintenance, and management of changes - including emergency changes - to information systems and related technology requirements.

SOC 2 reports are maintained and reviewed for cloud vendors that provide infrastructure hosting, ensuring compliance with security, availability, and confidentiality requirements.

The company has established a formalized whistleblower policy, and an anonymous communication channel is in place for users to report potential issues or fraud concerns.

The company's Board of Directors meets at least annually, with formal meeting minutes maintained to document discussions and decisions.

The company's data backup policy outlines the requirements for the backup and recovery of customer data to ensure data integrity and availability.

The company notifies customers of critical system changes that may impact their processing, ensuring transparency and allowing for necessary adjustments.

The company maintains an organizational chart that describes the organizational structure and reporting lines.

Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned through job descriptions and/or documented in the Roles and Responsibilities policy.

The company's information security policies and procedures are documented and reviewed at least annually.

The company maintains an external-facing support system that enables users to report system failures, incidents, concerns, and other complaints to the appropriate personnel or teams.

The company communicates system changes to authorized internal users.

The company conducts access reviews at least quarterly for in-scope system components to ensure access is appropriately restricted, with required changes tracked through to completion.

The company ensures that user access to in-scope system components is granted based on job role and function, or requires a documented access request form with manager approval prior to provisioning.

The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users.

The company's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company's security incident response policy and procedures.

The company has established processes for granting, modifying, and revoking physical access to company data centers, based on authorization from designated control owners.

The company's security commitments are communicated to customers as needed, ensuring transparency and alignment with customer expectations.

The company provides customers with guidelines and technical support resources to assist with system operations.

The company provides clear and concise descriptions of its products and services to inform and engage both internal stakeholders and external audiences.

The company conducts annual risk assessments to identify and evaluate threats - including environmental, regulatory, technological, and fraud-related risks - that may impact its service commitments and objectives.

The company maintains a documented risk management program that outlines the identification of potential threats, risk significance ratings, and corresponding mitigation strategies.

The company maintains written agreements with vendors and third parties that include confidentiality and privacy commitments specific to each entity.

The company has a vendor management program that includes defined security and privacy requirements and mandates annual reviews of critical third-party vendors.

The company performs host-based vulnerability scans in real time using cloud-native services, with critical and high-severity vulnerabilities tracked through to remediation.

Data and privacy

The company has formal procedures in place to ensure the secure retention and disposal of both company and customer data.

The company securely purges customer data containing confidential information from the application environment upon service termination, following defined processes and industry best practices.