Compliance overview
Ferro Software is the publisher of Ferro Backup System (FBS), licensed exclusively to business entities and institutions.
This page is the entry point for documents governing product lifecycle, security, quality and personal data processing. The documents are consolidated on a single page, with persistent identifiers (anchors) corresponding to each section.
Delivery model: the core product is delivered on-premises — installed in the customer's infrastructure. Ferro Software has no access to customer data or infrastructure.
Documents
Product Lifecycle Policy → Versions, updates, end of support
Security Policy → Security, vulnerabilities (CVD), SDLC
Quality Policy → Quality, technical and organisational measures
GDPR Notice → GDPR — Information Notice (Article 13)
Privacy Policy → Full privacy policy
Terms and Conditions (B2B) → Sales and services
Compliance mapping to standards and regulations
| Requirement | Addressed by | Status |
|---|---|---|
| GDPR Article 13 (information notice) | GDPR Notice | Public document |
| GDPR Article 28 (processor / DPA) | Privacy Policy 5.7 + Terms § 12 | "Separate controller" clause |
| GDPR Article 32 (technical and organisational measures) | Quality Policy + Security Policy | Public document |
| GDPR Articles 33–34 (breach notification) | Security Policy 2.11 (Incident management) | Internal procedure |
| NIS2 Art. 21(2)(d) (supply chain) | Security Policy 2.10 (Supply chain) | Public document |
| NIS2 Art. 21(2)(e) (lifecycle) | Security Policy 2.7 (SDLC) | Public document |
| ISO/IEC 29147 (vulnerability disclosure) | Security Policy 2.2 (CVD) | Aligned with standard |
| ISO/IEC 30111 (vulnerability handling) | Security Policy 2.2, 2.5 (vulnerability handling) | Aligned with standard |
| SBOM (CycloneDX / SPDX) | Security Policy 2.9 | On request, under NDA |
| Coordinated Vulnerability Disclosure | security@ferro.com.pl + /.well-known/security.txt | Active |
| Business Continuity Plan (BCP) | Security Policy 2.12 (Business continuity) | Internal document |
| EV Code Signing | Entire product | Certum certificate, Microsoft countersigned |
| File system filter driver attestation | Microsoft Allocated Altitudes #281600 | Registered |
Audit keyword map — quick lookup
| Question | Answer in… |
|---|---|
| GDPR Article 13 | GDPR Notice |
| GDPR Article 28 / DPA / Data Processing Agreement | Privacy Policy 5.7 + Terms § 12 cl. 29–30 |
| GDPR Article 32 | Quality Policy cl. 11 + Security Policy 2.7 |
| NIS2 Article 21 | Security Policy 2.2, 2.7, 2.10 |
| Coordinated Vulnerability Disclosure / ISO/IEC 29147 | Security Policy 2.2 |
| Vulnerability Handling / ISO/IEC 30111 | Security Policy 2.2, 2.5 |
| Secure SDLC | Security Policy 2.7 |
| SBOM | Security Policy 2.9 |
| Supply Chain Security | Security Policy 2.10 |
| Incident Response | Security Policy 2.11 |
| Business Continuity Plan / BCP / DR | Security Policy 2.12 |
| Code Signing | Security Policy 2.8 |
| Encryption at Rest / In Transit | Security Policy 2.8 |
| Product Lifecycle Policy | Lifecycle Policy |
| End of Life / End of Support | Lifecycle Policy 1.3 |
| Diagnostic data / Support data handling | Privacy Policy 5.7 |
| Controller / Processor relationship | Privacy Policy 5.7 + Terms § 12 |
| Limitation of Liability | Terms § 6 |
| Force Majeure | Terms § 7 |
Audit contact
For compliance and security inquiries: via the contact form with the subject "Compliance", or to security@ferro.com.pl.
Product Lifecycle Policy
1.1. Scope
This document describes the rules for releasing successive versions of Ferro Backup System, the availability of updates, and the conditions under which technical support is provided. It does not limit the perpetual right to use the purchased licence.
1.2. Definitions
- Major version — the first component of the version number (e.g. 6.x, 7.x).
- Minor version — the second component (e.g. 7.0, 7.1).
- Patch version — the third component (e.g. 7.0.1).
- Current major version — the most recently released major version.
- Legacy line — a major version that is no longer the current one.
- EOL — end of all updates.
1.3. Supported versions
| Line | Status | Updates | Critical patches considered |
|---|---|---|---|
| 7.x | Current | Yes | Yes |
| 6.x | Legacy | No | Case by case, until EOL |
| 5.x and older | EOL | No | No |
EOL date for 6.x: 2028-05-08.
1.4. Release cadence
Ferro Software follows a rolling release model for the current major version. Minor and patch versions are released as they are ready — we do not publish a roadmap of future releases nor commit to release dates. Full release history: history.html.
1.5. Updates within the current line
Updates within the same major version are free of charge for holders of a valid licence. Workstation updates (FBS Worker) are applied automatically after the backup server is updated.
1.6. Updates for legacy lines
For legacy lines:
- Functional updates are not released.
- Bug fixes are considered case by case, at the producer's discretion.
- Critical security vulnerability fixes are considered case by case in accordance with the Security Policy — taking into account severity, technical feasibility, and proximity to EOL.
- The recommended path for customers on legacy lines is to upgrade to the current major version.
1.7. Migration between major versions
Migration is performed manually only on the backup server — the worker components update automatically. Configuration, database and archives are preserved. Pricing for upgrades — see upgrade.html.
1.8. Changes to this policy
Ferro Software reserves the right to update this policy. Changes are published on this page with the effective date and do not retroactively affect commitments already discharged.
Security Policy
2.1. Scope
This policy describes the rules for responding to security vulnerabilities in Ferro Backup System (FBS), the channels for reporting them, and the practices Ferro Software follows when developing software with security in mind.
The practices described in this policy constitute operational targets and a good-faith declaration on the part of Ferro Software, not contractual obligations toward customers, unless additionally confirmed in a separate signed support agreement.
2.2. Coordinated Vulnerability Disclosure (CVD)
Ferro Software follows Coordinated Vulnerability Disclosure principles aligned with ISO/IEC 29147 (Vulnerability Disclosure) and ISO/IEC 30111 (Vulnerability Handling Processes).
2.3. Reporting vulnerabilities
Reporting channels:
- E-mail: security@ferro.com.pl. PGP public key: security-pgp.asc; fingerprint: F800 4E02 0A44 5B7D A672 261B 2814 6A45 0415 A046. Compare the fingerprint of the imported key with this value before encrypting a report.
- Contact form: contact.html with the subject "Security disclosure".
- File /.well-known/security.txt compliant with RFC 9116.
In your report, please describe the issue, indicate the affected version, provide steps to reproduce, and — optionally — a proof of concept.
2.4. CVD principles
Reporters are asked to:
- Refrain from exploiting the vulnerability outside controlled testing in their own environment.
- Not publicly disclose the vulnerability before a coordinated publication.
- Not access other users' data and not perform DoS attacks against Ferro Software systems.
Ferro Software will not pursue legal action against reporters acting in good faith and in accordance with this policy. After a fix is released — at the reporter's request — we credit them in the security advisory.
2.5. Handling reports
We acknowledge each report and assess it in line with ISO/IEC 30111. Severity is rated using CVSS v3.1. The decision to issue a fix for the current major version and — separately — for legacy lines remains at Ferro Software's discretion and depends on severity, technical feasibility, and regression-risk analysis.
Ferro Software strives to handle critical vulnerabilities as quickly as possible and treats them as a priority, but does not undertake public SLA commitments beyond those arising from separately concluded support agreements.
Customers with an active Standard or Extended support package (support.html) are subject to the contractual response times specified in the terms of that package.
2.6. Vulnerability communication
After a fix is released, we publish a security advisory containing an internal identifier, a high-level description, the CVSS score, the list of affected versions, and the fix reference. Advisories are published in news.html and history.html. The news page provides an RSS feed.
Ferro Software may, at its discretion, contact customers directly in cases of particular significance. We do not maintain a separate mailing list for vulnerability notifications.
2.7. Secure Software Development Lifecycle (SDLC)
Ferro Software follows Secure Software Development Lifecycle practices, including source code version control, review of changes affecting security-critical areas (cryptography, authorisation, parsing of external data), regression testing, and monitoring of vulnerabilities in third-party components.
2.8. Built-in security mechanisms
- Client-side archive encryption using AES (Rijndael), Serpent, and Twofish — with a 256-bit key. Data is encrypted on the workstation, not on the backup server.
- TLS connections with the backup server. Pro/Ent editions allow the use of customer-provided certificates in X.509 (PEM) format.
- File system filter driver registered in Microsoft Allocated Altitudes #281600, digitally signed and attested by Microsoft.
- EV Code Signing digital signature issued by Certum, countersigned by Microsoft Identity Verification Root CA.
- Antivirus whitelisting — every new release is submitted to antivirus vendors before publication.
2.9. SBOM (Software Bill of Materials)
Upon written request from a customer and — where required — under a non-disclosure agreement (NDA), Ferro Software may provide an SBOM in CycloneDX format for the current product version. The SBOM covers components whose disclosure does not breach confidentiality obligations toward suppliers or component licensing terms.
Send SBOM requests via contact.html with the subject "SBOM request".
2.10. Supply chain — ICT supplier perspective
Ferro Software is an independent software publisher. The development environment is physically located in the European Union, within the jurisdictions of the GDPR and the NIS2 Directive. We do not engage programming subcontractors with responsibilities in security-critical areas of the product.
The core product — Ferro Backup System — is installed in the customer's infrastructure (on-premises model). Ferro Software has no access to customer data, backup servers, or archives. In this model, the producer-side ICT supply chain is limited to the delivery of digitally signed installation files.
Optional, free of charge complementary services (cloud panel for remote backup monitoring, relay server for connections over the public network) are hosted in a certified data centre within the European Union. Use of these services is voluntary.
Third-party components used in the product are monitored for known vulnerabilities (CVEs). Critical updates of dependencies are addressed together with product updates.
2.11. Incident management and notification
Ferro Software operates a security-incident handling process. In the event of an incident with potential impact on customers — in particular a personal-data breach within the meaning of GDPR Articles 33–34 — information is conveyed to the relevant parties (customers acting as data controllers, supervisory authorities) in accordance with applicable law.
2.12. Business continuity
Ferro Software applies measures to ensure continuity of service, including redundant storage of source code, signing keys, and product documentation in locations outside the company's premises. The continuity plan is an internal document; its scope may be presented to customers as part of due diligence under NDA.
2.13. Bug bounty programmes
Ferro Software does not currently operate a public bug bounty programme with monetary rewards. Reports are processed in accordance with this policy.
Quality Policy
1. Goals and assumptions
Ferro Software is committed to delivering high-quality, reliable and secure backup and data-recovery software. The Ferro Backup System (FBS) quality policy rests on three core values: reliability, usability, and security. Our goal is to provide solutions that meet our customers' business needs through stability of operation, ease of use, and compliance with applicable laws.
2. Scope of the quality policy
The Ferro Software quality policy covers all processes related to the development, deployment, maintenance, and updating of Ferro Backup System. It applies both to product development and to technical support, testing and validation processes, and compliance with security standards.
3. Quality assurance procedures
- Testing and validation: every software release goes through a comprehensive testing process — unit, integration, system, and performance testing. The validation process is documented to ensure that the software meets functional and non-functional requirements.
- Updates and patches: Ferro Software regularly releases updates with performance improvements, new features, and bug fixes, in line with the principle of continuous improvement. The release history is publicly available, providing transparency over changes made to the product.
- Technical support: we offer tiered technical support with fast response times. From standard to extended packages, we tailor the support to customer needs, helping resolve software issues effectively.
4. Security
Customer data protection is a priority for Ferro Software. Ferro Backup System uses advanced encryption mechanisms such as AES (Rijndael), Serpent, and Twofish. All these algorithms use 256-bit keys, and encryption takes place on the user's computer — backups are protected before being transmitted to the archive server. Connections between workstations and the backup server are protected with TLS. Pro and Ent edition users may install their own X.509 certificates in PEM format, gaining full control over the certificate presented by the server and a high level of transmission protection.
5. Key quality indicators
- Response time to support requests: we monitor response times to customer reports — between 2 and 48 hours depending on the chosen support level. Critical errors are prioritised so fixes can be delivered quickly.
- Number of critical defects: we track critical-defect reports and update the software accordingly to minimise the risk of recurrence.
- Customer satisfaction: regular satisfaction surveys among our customers help us understand user needs better and adapt the product to meet their expectations.
6. Roles and responsibilities
Ferro Software is responsible for overseeing the implementation of the quality policy, testing processes, and software updates, as well as for ensuring that all activities comply with the company's quality policy. Technical support is provided in accordance with the Technical Support Policy.
7. Resources
Ferro Software provides customers with support resources including a knowledge base, video tutorials, and a detailed user manual. These resources are continuously updated so that users can resolve issues independently and take advantage of the latest software features.
8. System drivers and Windows compatibility
Ferro Backup System uses its own dedicated fbsfd.sys file system minifilter driver, registered with Microsoft under altitude #281600 in the Allocated Altitudes list. The driver complies with Windows security and stability requirements for signed drivers, ensuring safe and reliable operation of the software on Microsoft Windows.
9. Cooperation with antivirus vendors
Ferro Software cooperates with leading antivirus vendors, including ESET and Kaspersky. Ferro Backup System is added to those vendors' whitelists, ensuring smooth operation in environments protected by antivirus software. Every new product release is submitted to antivirus vendors before publication for verification and whitelist inclusion. As a result, users can be confident that the software runs without false positives and is recognised as safe by major security solutions.
Benefits:
- Security: each release is verified by the antivirus vendors before publication, so it is not blocked or reported by false antivirus alerts.
- Compatibility: ensures smooth operation in environments with antivirus software installed.
- User trust: cooperation with reputable antivirus vendors builds trust in the software, which is essential for its broad adoption.
10. Certification and digital signature
Ferro Backup System is signed with an Extended Validation (EV) Code Signing certificate issued by Certum's Extended Validation Code Signing CA, providing a high level of publisher authenticity and trust. EV Code Signing confirms the publisher's identity and allows Windows to reject installers that have been modified after signing. The certificate is countersigned by Microsoft Identity Verification Root Certificate Authority, further confirming the credibility of the digital signature.
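The signing and driver claims above (Quality Policy sections 8 and 10, and Security Policy 2.8) are the ones a deploying administrator can verify locally. The following PowerShell script is an added example written for this page; it is not Ferro Software's own tooling and is not taken from the product. It checks an installer's Authenticode signature with Get-AuthenticodeSignature, confirms the EV policy OID and a timestamp countersignature, applies the same check to the fbsfd.sys driver, and looks up altitude 281600 in the output of fltmc. The file paths, the expected subject and issuer substrings, and the driver's signer name are assumptions to be adjusted to the files actually downloaded.

```powershell
# Added example, not Ferro Software's tooling. Verifies the two signing claims
# on this page on the deploying Windows host. Paths and the subject/issuer
# strings below are assumptions, not values taken from the page.

function Test-SignedBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubject,   # substring expected in the signer Subject
        [Parameter(Mandatory)] [string] $ExpectedIssuer,    # substring expected in the Issuer
        [switch] $RequireEv                                 # demand the EV code-signing policy OID
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # The file hash must match the signature and the chain must end at a trusted root.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        throw "$Path : signature status $($sig.Status) ($($sig.StatusMessage))"
    }
    $cert = $sig.SignerCertificate
    if ($cert.Subject -notmatch [regex]::Escape($ExpectedSubject)) {
        throw "$Path : unexpected signer '$($cert.Subject)'"
    }
    if ($cert.Issuer -notmatch [regex]::Escape($ExpectedIssuer)) {
        throw "$Path : unexpected issuer '$($cert.Issuer)'"
    }

    # EV code-signing certificates carry the CA/Browser Forum EV policy OID
    # 2.23.140.1.3 inside the Certificate Policies extension (OID 2.5.29.32).
    $isEv = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.32' -and $ext.Format($false) -match '2\.23\.140\.1\.3') {
            $isEv = $true
        }
    }
    if ($RequireEv -and -not $isEv) {
        throw "$Path : signer certificate lacks the EV code-signing policy OID"
    }

    # Without a timestamp countersignature the signature stops validating once the
    # signing certificate expires, which matters for installers kept in an archive.
    $timestamped = [bool] $sig.TimeStamperCertificate

    [pscustomobject]@{
        Path        = $Path
        Signer      = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint   # pin this after a first out-of-band check
        NotAfter    = $cert.NotAfter
        EV          = $isEv
        Timestamped = $timestamped
    }
}

function Get-MinifilterAltitude {
    # Parses the table printed by `fltmc filters` (requires an elevated prompt)
    # and returns the row for the requested altitude, or $null if it is not loaded.
    param([Parameter(Mandatory)] [string] $Altitude)
    foreach ($line in (& fltmc.exe filters)) {
        # Columns: Filter Name, Num Instances, Altitude, Frame
        if ($line -match '^\s*(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)\s*$' -and $Matches[3] -eq $Altitude) {
            return [pscustomobject]@{
                Filter    = $Matches[1]
                Instances = [int] $Matches[2]
                Altitude  = $Matches[3]
                Frame     = $Matches[4]
            }
        }
    }
    return $null
}

# Usage (all paths and strings are assumptions):
# Test-SignedBinary -Path 'C:\Downloads\fbs-setup.exe' -ExpectedSubject 'Ferro Software' -ExpectedIssuer 'Certum' -RequireEv
# Test-SignedBinary -Path "$env:SystemRoot\System32\drivers\fbsfd.sys" `
#     -ExpectedSubject 'Microsoft Windows Hardware Compatibility Publisher' -ExpectedIssuer 'Microsoft'
# Get-MinifilterAltitude -Altitude '281600'   # $null until the FBS Worker driver is loaded
```

Run the installer check on the downloaded file before it is executed, and record the reported thumbprint so later releases can be compared against a pinned signer rather than only against a trusted chain. The driver check only succeeds after installation, and fltmc lists a minifilter only while it is loaded, so an empty result from Get-MinifilterAltitude on a machine without the FBS Worker is expected.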
11. Technical and organisational measures
Ferro Software applies technical and organisational measures appropriate to the risk — in line with Article 32 of the GDPR — including access control over source code and signing keys, encryption of data at rest and in transit, backups of the development infrastructure, and monitoring of access to production infrastructure.
12. Incident management
Ferro Software operates a security-incident handling process aligned with the Security Policy. Notification of customers and supervisory authorities follows applicable law (GDPR Articles 33–34).
13. Business continuity
Ferro Software applies redundancy practices for source code, signing keys, and product documentation. The continuity plan is an internal document, available to customers as part of due diligence under NDA.
14. Continuous improvement
The quality policy is reviewed periodically and after material regulatory changes or following incidents. Last update: 2026-05-08.
GDPR Information Notice (Article 13)
Pursuant to Article 13 of the GDPR we hereby inform you:
Data Controller
Paweł Kania trading as Ferro Software, ul. Klimczoka 27, 43-360 Bystra, Poland; Tax ID (NIP): 9371213077; Business Registry No. (REGON): 240296776.
Contact
Via the contact form. The role of Data Protection Officer is performed by the Controller.
Purposes and legal bases
| Purpose | Legal basis | Categories of data |
|---|---|---|
| Performance of the licence and support agreement | Article 6(1)(b) GDPR | Identification, contact, billing |
| Handling enquiries and contact | Article 6(1)(f) GDPR (legitimate interest) | Contact details, content of enquiry |
| Issuing invoices and accounting records | Article 6(1)(c) GDPR | Billing |
| Notifying licence holders of critical updates | Article 6(1)(f) GDPR (legitimate interest related to the licence relationship) | Contact e-mail address |
Recipients
Accounting service providers, payment operators, IT infrastructure providers, public administration bodies in cases required by law.
Transfers outside the EEA
Data is processed within the EEA. Should a transfer outside the EEA become necessary, appropriate safeguards will be applied (EU Standard Contractual Clauses).
Retention
- Data for the performance of the agreement — for the duration of the agreement and the limitation period for claims.
- Data on invoices — for the period required by tax law.
- Data from the contact form — up to 12 months from the last correspondence.
Rights
Access, rectification, erasure, restriction of processing, data portability, objection to processing based on legitimate interest.
Right to lodge a complaint
To the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland.
Voluntary nature of providing data
Providing data is voluntary, but necessary to enter into an agreement or to receive a response to an enquiry.
Profiling
We do not use the data for profiling or automated decision-making.
Privacy Policy
5.1. Introduction
Ferro Software processes personal data only to the extent necessary for the performance of commercial agreements with business and institutional customers and for handling contact enquiries. Ferro Software's offering is directed exclusively to business entities and institutions — we do not enter into agreements directly with consumers. This document describes the processing of personal data of individuals who contact us on behalf of a customer organisation.
The full information notice under Article 13 of the GDPR is contained in section 4 (GDPR Notice).
5.2. Websites and cookies
We use only technical cookies necessary for the operation of the website. We do not use analytics, marketing, or advertising cookies. We do not track user activity.
5.3. Contact data
Data provided in the contact form is used solely to respond to the enquiry. After the matter is closed, the data is deleted, except where extended retention is required by a legal obligation or legitimate interest.
5.4. Trial versions
Data provided when downloading a trial version is used to make the software available and to communicate on technical matters relating to the trial version. The data is deleted after the trial period ends, unless a licence is purchased.
5.5. Licence purchase
Data provided at purchase is used to fulfil the order, issue accounting documents, and meet legal obligations. Licence holders are notified of critical security updates of the product.
5.6. Use of the software (on-premises model)
Ferro Backup System is installed in the customer's infrastructure. Ferro Software has no access to the customer's backup server, archives, or computers. We do not collect or store data processed by the customer using the program.
5.7. Diagnostic data and technical support
In the course of providing technical support, the Customer may — at their own discretion and on their own responsibility — share diagnostic materials with Ferro Software (system logs, memory dumps, configuration files, database fragments, recordings of support sessions, etc.). The Customer remains the sole controller of personal data in their organisation. The decision on the scope and method of sharing such materials is made by the Customer.
The Customer is required to anonymise or remove personal data from the materials shared before disclosing them. Should the materials shared by the Customer contain personal data that the Customer has not removed before sharing, Ferro Software handles them in accordance with the following principles:
- Purpose and legal basis of processing. The data is processed solely to resolve the reported technical issue, on the basis of Article 6(1)(f) of the GDPR (legitimate interest of the controller related to the performance of the service agreement with the Customer, and the legitimate interest of the Customer in obtaining technical support).
- Role of Ferro Software. Ferro Software acts as a separate controller of personal data for the narrow purpose of technical diagnosis and case handling, not as a data processor within the meaning of Article 28 of the GDPR. This Privacy Policy together with the GDPR Information Notice and the Terms and Conditions constitute the legal instrument governing such processing.
- Minimisation. The data is processed to the minimum extent necessary for the diagnosis, for the time limited to the case handling period.
- No secondary use. Diagnostic materials are not used for any other purpose — in particular they are not used to train models, are not profiled, are not used for marketing, and are not shared with third parties except as required by law.
- Security measures. We apply technical and organisational measures appropriate to the risk, in line with Article 32 of the GDPR.
- No transfer outside the EEA. Diagnostic materials are not transferred outside the European Economic Area.
- No subprocessing. We do not engage subprocessors for diagnostic materials received from the Customer in the course of technical support.
- Deletion. Diagnostic materials are deleted promptly after the case is closed; they are retained no longer than is needed to handle recurring problems of the same nature.
Ferro Software does not enter into separate Data Processing Agreements (DPA) as part of its standard commercial offering — contractual details are set out in Terms § 12 cl. 30.
5.8. Optional complementary services
We provide optional complementary services free of charge — a cloud panel for remote monitoring of backups and a relay server for connections over the public network. The use of these services is voluntary and is not required for the operation of the program.
When optional complementary services are enabled, we process the technical data necessary to provide them: instance identifier, backup job statuses, basic performance indicators, and the server IP address. We do not process the contents of archives or the data of the customer's end users. Remote assistance as part of technical support is provided exclusively at the explicit request of the customer and under the customer's control.
5.9. Marketing and analytics
We do not process data for marketing, profiling, or analytics purposes.
5.10. Rights of the data subject
The full list of rights is contained in the GDPR Information Notice. We accept requests via the contact form.
5.11. International data transfers
Should it become necessary to transfer data outside the European Economic Area, we will apply appropriate safeguards required by the GDPR.
5.12. Changes to this Policy
Changes to the Policy are published on this page with the effective date. They do not limit rights granted before the date of change.
5.13. Right to lodge a complaint
You have the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland.
5.14. Contact
Ferro Software, Tax ID (NIP): PL 9371213077, Business Registry No. (REGON): 240296776. Full details: contact.html.