The Top 5 Fulcrum Data and Security Questions: Answered

CTO Jon Gregorowicz and Engineer James Santiago answer the most common questions we get about Fulcrum's data and security practices.

Navigating the complexities of data and security can be daunting. We've gathered the five most frequently asked questions on this topic and tapped our CTO, Jon Gregorowicz, and James Santiago, an engineer and Cybersecurity Adjunct Professor at the University of Texas in San Antonio, to provide expert insights on Fulcrum's approach to data storage and security.

1. Is my data secure in the cloud?

When looking at cloud data security, it is important that data is both encrypted at rest and in transit.

What does it mean for data to be encrypted at rest? In transport?

Data encrypted in transport is encrypted while it is transmitted from one system to another. Data encrypted at rest is encrypted on the hard disk of a computer storage device.

Fulcrum takes data security seriously, ensuring data is encrypted both at rest and in transport. By hosting our services on Microsoft's Azure Cloud platform, we leverage the same high-security standards used by major companies like Dow Chemical, Airbus, 3M, and Toyota. Azure Cloud provides a secure, resilient, and highly available environment — ensuring data is accessible to authorized users when needed.

2. Who owns and has access to my data?

At Fulcrum, you own your data. We do not sell it to third parties, and if you ever leave Fulcrum, we will provide an export for you. Access control is primarily managed by you, with customizable roles and permissions within the system. Fulcrum employees may access data for training or diagnostic purposes, but only when necessary.

3. How long is data stored, and are there backups?

Fulcrum supports various data retention policies, whether driven by internal compliance requirements for ISO 9001 or industry standards like AS9100. We take backups of databases on hourly, daily, weekly, and monthly cadences to ensure data integrity and availability, even in cases of accidental deletion.

4. Do you support ITAR-compliant manufacturers?

Yes, Fulcrum supports ITAR-compliant manufacturers working with defense contractors, the DOD, or defense manufacturing. We host ITAR-compliant sites in Azure's Gov Cloud, a secure environment similar to the public cloud but with added ITAR and FedRAMP compliance benefits.

5. What about Cybersecurity Maturity Model Certification (CMMC)?

CMMC is an increasingly important requirement for manufacturers, particularly those seeking contracts with the Department of Defense. This certification model mirrors ISO 27001 and NIST 800 series certifications. Fulcrum provides the necessary artifacts, data, logs, and representations to help clients achieve or maintain various CMMC certification levels.

Fulcrum's dedication to data and security guarantees the protection, accessibility, and compliance of your data in line with industry benchmarks. If you have questions we didn't cover here, feel free to reach out to our sales team or schedule some time to chat.

Transcript:

Hi, I'm Jon. I'm the CTO here at Fulcrum. Now, I'm James. I'm an engineer here and also an adjunct professor of cybersecurity at the University of Texas in San Antonio. And today, we will be answering the top five questions we frequently get about data and security.

So the first question we have is:

Is my data secure? And more specifically, is the cloud secure? Here at Fulcrum, we do care about security. It's not a secondary concern for us, and there are a few different things that we do look at when it comes to security. Primarily, when it comes to your data, we're looking at: is your data encrypted at rest? Basically, meaning that once we throw that data on our hard drive, is it encrypted? The other part of that is: Do we encrypt it in transport when we send that data to you and your browser? Is that encrypted? And it is. And how we achieve this is we host our services on Microsoft's Azure Cloud platform.

Yeah, and one of the reasons that we chose Microsoft Azure is because there are a lot of other large companies on Microsoft Azure that you've probably heard of: Dow Chemical, Airbus, 3M, Toyota — really just a handful of companies out of the hundreds that are of large-scale systems that are on Microsoft Azure. I've worked with a few companies in the past that have been nervous about going from an on-prem system to a cloud-based system, either for security concerns or even just kind of data access concerns. One company that comes to mind was a company based out of New York City that I worked with that had an on-prem system in their data warehouse just in New York City. When Hurricane Sandy hit, it caused a power outage and corrupted a bunch of that data. They lost about 20 years of data in their system. That just wouldn't happen on a cloud-based system.

Right. And that's the other side of security — that not only is the confidentiality of your data important, but also the availability of that data, and with Microsoft's Cloud platform, we're able to use several different services to provide that availability to you. We leverage backups and recovery-type security controls to make sure that access to that data is given to those who are authorized as well as several redundancy and resiliency controls such as load balancing and other services to make sure that your data is available to you when you need it. So is your data secure and is Fulcrum secure? Yes.

Who owns our data, and who has access to our data? This is a question that we get a lot with Fulcrum. You own your data. We don't sell your data to any third parties. And, should you ever leave Fulcrum, we will provide an export for you to take with you. As for who has access to it, you primarily control that. We have many different access controls and roles within the system that you can define to assign permissions to either grant access or restrict access to whoever you invite into your system. Outside of that, Fulcrum employees may need access from time to time, primarily for training or diagnostic purposes.

How long do you store data, and are there backups? We see this with a lot of different manufacturers who are looking to have a data retention policy, whether it's something that's driven internally — such as trying to stay compliant with the ISO 9001 quality — or they have a hard data retention policy of something like 10 years from AS9100. And whatever that is, we are prepared to support that sort of data retention. We do take backups of databases on an hourly, daily, weekly, and even monthly cadence so that if there is an issue with data integrity — you've accidentally deleted something, which is, you know, certainly a possibility — we are prepared to recover that data for you.

Do you support manufacturers who need to be ITAR compliant? If you work with any defense contractors with the DOD or really in any defense manufacturing, you may need to follow the International Traffic in Arms Regulations or ITAR. We do support ITAR manufacturers. We will host your site in Azure's Gov Cloud, which is very similar to the public cloud, but with the added benefit of being ITAR and FedRAMP compliant. In addition to that, we make sure to silo our system to remain NIST compliant as well. So things like Google Drive integrations or Autodesk's public cloud, we cut off connections to clouds that we don't control and that are not ITAR compliant.

What about CMMC or the Cybersecurity Maturity Model Certification? There are a lot of manufacturers starting to see this as an upcoming requirement, especially when it comes to contracts for the Department of Defense. It is a fairly new certification model that kind of mirrors ISO 27001 and NIST 800 series certifications. And when it comes to whether you're doing a Level 1 certification through a self-assessment or you're bringing in the auditor to achieve a Level 3 certification, we're there to provide you with the artifacts, the data, the logs, the representation that you've satisfied these controls so that you can either become certified or continue to show that you are still certified.

These were the five most common questions that we get around data and security. But if you have any more questions, feel free to leave them in the comments or talk to our sales team.
