Frequently Asked Questions and Updates

Does FTI Technology adhere to industry standards?

Yes, FTI Technology continuously monitors existing and emerging security and privacy standards. We incorporate and adhere to leading information security frameworks such as ISO 27001, ISO 27017, ISO 27018, SOC2, PCI, HIPAA and other internationally recognized industry standards. Additionally, we are certified under the EU-U.S. DPF. Our compliance white paper also provide additional detail and may be downloaded here.

Can FTI Technology clients limit the locations or countries in which their data is stored?

Yes, depending on the services and scope of the engagement, clients often can choose where their data resides amongst the numerous geographies around the world in which FTI Technology provides services.

I am a current FTI Technology hosting client and need to complete a Privacy Impact Assessment (PIA) as required under the GDPR; where can I find the relevant information?

In addition to the information provided on this site, including our data processing maps for the U.S. and the EEA, our privacy white paper contains additional information to assist our clients in fulfilling their obligations to complete impact assessments. Additional information may also be found at: https://www.fticonsulting.com/about/privacy-policy. As always, if you require additional information, reach out to your FTI Technology project team.

Where can I find FTI Technology’s Technical and Organization Measures (aka “TOMs”) for my services?

Our TOMs may vary based on services provided and are subject to the terms of your specific agreement and DPA however, FTI Technology’s standard TOMs for our U.S. hosting environments can be found here.

Does FTI Technology publish a transparency report?

We do not at this time, but as of December 2024, FTI Technology has never received a request for access to any personal data or personal identifiable information (PII) from a government authority in the U.S.

I am a current client of FTI technology and need to contact your technical support teams or I have a question about this site. Where can I find this information?

Visit https://www.ftitechnology.com/support.

How does FTI Technology address Sub-Processor data protection obligations under applicable data protection legislation when receiving services from Sub-Processors?

FTI Technology maintains a list of approved Sub-Processors, including its own affiliates, which is published here, consistent with best practices for processors engaging Sub-Processors, and third-party risk management standards. Prior to implementing a new Sub-Processor, after the entity has successfully passed the required evaluation and impact assessments, FTI Technology will provide clients with 30 days’ advance notice through the TRUST site’s notification mechanism (to which clients should subscribe), giving clients an opportunity to object to the use of the Sub-Processor. FTI Technology further ensures its Sub-Processors enter into contracts reflecting data protection requirements, including materially similar or likewise protective terms (such as the standard contractual clauses where required).

How does FTI Technology respond to a personal data breach affecting client personal data?

Subject to the additional terms of the DPA (or other agreed to terms) and taking into account the nature and scope of the services provided, in the event of a confirmed personal data breach impacting client personal data, FTI Technology will: a) Notify the client without undue delay and within the timeframes as set out by applicable law, b) to the extent known, provide all such information and cooperation as client may reasonably require in order for the client to fulfil its personal data breach reporting obligations under data protection laws, c) begin an investigation promptly, taking any measures needed to remedy or mitigate the personal data breach.