Security & Trust

How we host, encrypt, and disclose.

Bastion Security is published by Fusengine Sàrl (Vevey, Switzerland). This page summarises our current security posture and the compliance roadmap we have committed to publicly. Last reviewed on 24 May 2026.

Where we host

Customer data stays in Switzerland whenever technically possible. Cross-border transfers rely on the EU Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.

Customer portal & marketing site

Switzerland — Vevey (Fusengine Sàrl infrastructure)

License API

Lemon Squeezy, Inc. (Merchant of Record, SOC 2-aligned)

Plesk extension runtime

Customer's own Plesk Node — no telemetry leaves the server unless explicitly attached to a support ticket

Encryption & secret handling

  • TLS 1.3 on every public endpoint, HSTS preload, OCSP stapling
  • License keys hashed with SHA-256 server-side, no plaintext storage
  • Backups encrypted at rest (AES-256), daily snapshots, 30-day retention
  • Secrets vaulted in environment-scoped stores, never in source code
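The hash-only storage described above works because a license key is random machine-generated data, not a human-chosen password: with enough entropy there is no small space for an offline attacker to enumerate, so a plain SHA-256 digest is sufficient and a salt or slow KDF adds nothing. The pattern below is an added illustration of that point, not Fusengine's code; the BSTN-<id>-<secret> key layout, the entropy sizes and the in-memory store are assumptions made for the example. Splitting the key into a non-secret id and a secret lets the server look the record up by id and then compare digests in constant time.

```python
"""Hash-only storage and verification of high-entropy license keys.

Added example, not Bastion's implementation. The key format, sizes and
in-memory store are assumptions chosen to illustrate the technique.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

KEY_PREFIX = "BSTN"     # assumed prefix, not the real Bastion key format
ID_BYTES = 4            # public lookup handle, 32 bits, not secret
SECRET_BYTES = 20       # 160 random bits: far beyond offline guessing

# Constructed in-memory store: key id -> record holding only the secret's digest.
LICENSE_DB: dict[str, dict] = {}


def _digest(secret: str) -> bytes:
    # Plain SHA-256 is adequate because the input is CSPRNG output, not a
    # password: there is no low-entropy space to enumerate, so salting or a
    # slow KDF would add cost without adding security.
    return hashlib.sha256(secret.encode("ascii")).digest()


def issue(customer: str, product: str) -> str:
    """Mint a key, persist only its digest, return the plaintext exactly once."""
    key_id = secrets.token_hex(ID_BYTES).upper()
    secret = secrets.token_hex(SECRET_BYTES).upper()
    LICENSE_DB[key_id] = {"customer": customer, "product": product,
                          "digest": _digest(secret), "revoked": False}
    return f"{KEY_PREFIX}-{key_id}-{secret}"   # never logged or stored


def parse(presented: str) -> tuple[str, str] | None:
    """Normalise a presented key and reject anything malformed before hashing."""
    parts = presented.strip().upper().split("-")
    if len(parts) != 3 or parts[0] != KEY_PREFIX:
        return None
    key_id, secret = parts[1], parts[2]
    if len(key_id) != ID_BYTES * 2 or len(secret) != SECRET_BYTES * 2:
        return None
    return key_id, secret


def verify(presented: str) -> dict | None:
    """Look the record up by the non-secret id, then compare digests in
    constant time so a wrong key never leaks how many bytes matched."""
    parsed = parse(presented)
    if parsed is None:
        return None
    key_id, secret = parsed
    record = LICENSE_DB.get(key_id)
    # Hash and compare even for an unknown id, so 'unknown id' and 'wrong
    # secret' take the same time from the caller's point of view.
    expected = record["digest"] if record is not None else bytes(32)
    ok = hmac.compare_digest(expected, _digest(secret))
    if not ok or record is None or record["revoked"]:
        return None
    return {"customer": record["customer"], "product": record["product"]}


def revoke(presented: str) -> bool:
    """Revoke by the plaintext key a customer supplies (e.g. in a support ticket)."""
    parsed = parse(presented)
    if parsed is not None and parsed[0] in LICENSE_DB:
        LICENSE_DB[parsed[0]]["revoked"] = True
        return True
    return False
```

Because the digest is deterministic, the store never needs the plaintext again: a database dump yields only ids and SHA-256 values, and reversing a 160-bit random secret from its digest is infeasible.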

Authentication & access

  • MFA required for every Fusengine staff account with production access
  • SSH: public-key only, password and root login disabled on production
  • Customer portal sessions: short-lived tokens, Secure + HttpOnly cookies
  • Principle of least privilege enforced for every internal role

Vulnerability disclosure

We follow coordinated disclosure. Please give us reasonable time to investigate and ship a fix before publishing details.

Coordinated disclosure

security@bastion-security.io — PGP key on request

RFC 9116 security.txt

https://bastion-security.io/.well-known/security.txt
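RFC 9116 imposes a few hard requirements on that file that are easy to get wrong: at least one Contact URI, exactly one Expires timestamp in RFC 3339 form (ideally less than a year out), https:// for every web URI, and Preferred-Languages at most once. The checker below is an added example, not Bastion's tooling, and the SAMPLE it validates is constructed here; the Expires and Preferred-Languages values in it are assumptions, not the content actually served at the URL above.

```python
"""Checks an RFC 9116 security.txt body against the RFC's requirements.

Added example, not Bastion's code. SAMPLE is constructed for this example
and is not the file served at bastion-security.io.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "csaf", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
WEB_URI_FIELDS = {"acknowledgments", "canonical", "csaf", "encryption", "hiring", "policy"}
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")

# Reference instant for the worked check: the page's last-reviewed date.
PAGE_REVIEW_DATE = datetime(2026, 5, 24, tzinfo=timezone.utc)

# Constructed sample; Expires and Preferred-Languages are assumed values.
SAMPLE = """\
# Constructed for this example, not the live file
Contact: mailto:security@bastion-security.io
Expires: 2027-05-01T00:00:00Z
Canonical: https://bastion-security.io/.well-known/security.txt
Preferred-Languages: en, fr, de
"""


def parse_security_txt(body: str) -> list[tuple[str, str]]:
    """Return (field, value) pairs; field names are case-insensitive per the RFC."""
    fields: list[tuple[str, str]] = []
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments carry nothing
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {raw!r}")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def _parse_expires(value: str) -> datetime:
    """RFC 3339 timestamp; accept the 'Z' suffix on Pythons older than 3.11."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("Expires must carry a timezone offset")
    return ts


def validate_security_txt(body: str, now: datetime | None = None) -> list[str]:
    """Return the list of problems found; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []
    try:
        fields = parse_security_txt(body)
    except ValueError as exc:
        return [str(exc)]

    counts: dict[str, int] = {}
    for name, _ in fields:
        counts[name] = counts.get(name, 0) + 1

    if counts.get("contact", 0) == 0:
        problems.append("Contact is required at least once")
    if counts.get("expires", 0) == 0:
        problems.append("Expires is required")
    for name in ("expires", "preferred-languages"):
        if counts.get(name, 0) > 1:
            problems.append(f"{name} must not appear more than once")

    for name, value in fields:
        if name not in KNOWN_FIELDS:
            # Extension fields are permitted, but an unknown name is usually a typo.
            problems.append(f"unknown field {name!r}")
        elif name == "contact" and not value.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a URI, got {value!r}")
        elif name in WEB_URI_FIELDS and not value.lower().startswith("https://"):
            problems.append(f"{name} must be an https:// URI, got {value!r}")
        elif name == "expires":
            try:
                expires = _parse_expires(value)
            except ValueError:
                problems.append(f"Expires is not an RFC 3339 timestamp: {value!r}")
                continue
            if expires <= now:
                problems.append("file has expired; reporters may treat it as stale")
            elif expires - now > timedelta(days=365):
                problems.append("Expires is more than a year out (RFC recommends under one year)")
    return problems
```

Run it against the body fetched from /.well-known/security.txt before each review date; the Expires check is the one that silently fails over time, since a file that was valid when published becomes stale without anyone editing it.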

Hall of fame

Researchers who report responsibly are credited on this page (with permission)

Scope

bastion-security.io · *.bastion-security.io · the Bastion Plesk extension binaries published on the Plesk Marketplace

Compliance roadmap

We publish our compliance commitments so customers can plan with us. Dates are objectives, not contractual guarantees.

  1. 2026 Q3 GDPR Data Processing Addendum (DPA) available on request for B2B
  2. 2026 Q4 Public bug bounty program launch
  3. 2027 Q1 SOC 2 Type I — audit in scope
  4. 2027 Q4 ISO 27001 — Stage 1 audit targeted