Compliance infrastructure built for accountability
Built for regulated teams where compliance failure has real consequences, and leadership needs more than a spreadsheet to prove control.
Operational Signal Across Every Control Surface
A live strategic view of how governance, evidence, and accountability stay synchronized for regulated teams operating at enterprise scale.
Built by operators, for operators

Ejaz Hussain
Founder & Chief Engineer
Adelaide · Building FormaOS since 2022
FormaOS is my first project in compliance infrastructure. I've been writing it from Adelaide since 2022, fitting it around freelance work: websites and web apps for whoever was paying that month. FormaOS was always the bigger thing, the one I actually cared about. I just needed the freelance to fund the runway.
Compliance picked me as much as I picked it. Australian regulators have spent the past decade tightening expectations on NDIS providers, aged-care operators, healthcare networks, and AFS licensees. The software answering that pressure has, almost without exception, stayed at the level of a document repository with a workflow tab on top. I kept looking at it and thinking the actual problem was an engineering one. There was no executable layer connecting an obligation to a control to a task to a piece of evidence to an auditor who could verify any of it. Nobody was building that. So I started.
Today FormaOS ships 252 control evaluators across framework packs spanning SOC 2, ISO 27001, HIPAA, GDPR, PCI-DSS, CIS, NIST CSF and NDIS. Over a hundred auto-evaluate against your live data; the rest are surfaced as human attestations and labelled as such. The audit log is hash-chained in Postgres, with append-only enforced at the database layer by an immutability trigger and RLS deny policies, not application code, and the chain head anchors daily at 05:30 UTC to Sigstore Rekor, the same transparency log the Linux Foundation uses for signed open-source releases. It's bootstrapped, sole-engineered, AU-hosted. The roadmap is short on purpose.
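The tamper-evidence property of a hash-chained audit log with an externally anchored head, as an added example (not FormaOS code). The row layout, hash construction, genesis value and `(row_index, head_hash)` anchor format are assumptions made for illustration, and the submission to Rekor itself is not shown.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first row


def row_hash(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{body}".encode()).hexdigest()


def build_chain(records):
    chain, prev = [], GENESIS
    for record in records:
        digest = row_hash(prev, record)
        chain.append({"record": record, "prev_hash": prev, "hash": digest})
        prev = digest
    return chain


def verify(chain, anchor=None):
    """Return (ok, reason). anchor is (row_index, head_hash) published externally."""
    prev = GENESIS
    for i, row in enumerate(chain):
        if row["prev_hash"] != prev:
            return False, f"row {i}: link to previous row broken"
        if row_hash(prev, row["record"]) != row["hash"]:
            return False, f"row {i}: content does not match stored hash"
        prev = row["hash"]
    if anchor is not None:
        index, head = anchor
        if index >= len(chain):
            return False, "log truncated before anchored row"
        if chain[index]["hash"] != head:
            return False, "chain does not match anchored head"
    return True, "ok"


# Constructed sample records, not real FormaOS data.
SAMPLE = [
    {"ts": "2024-01-01T05:00:00Z", "actor": "role:admin", "action": "control.update"},
    {"ts": "2024-01-01T05:10:00Z", "actor": "role:auditor", "action": "evidence.view"},
    {"ts": "2024-01-01T05:20:00Z", "actor": "role:owner", "action": "task.complete"},
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE)
    print(verify(chain, anchor=(len(chain) - 1, chain[-1]["hash"])))
```

A chain that has been recomputed end to end passes the internal link checks; only the comparison against the externally published head exposes it, which is why the anchor has to live outside the database.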
Why FormaOS Exists
Regulated organizations face a structural gap: governance requirements that grow faster than the tools available to meet them.
Mission
Deliver operational clarity for regulated industries by connecting controls, evidence, and accountability in a single compliance operating system.
Why it matters
Regulators expect defensible evidence, not just documentation. FormaOS provides the audit trail and proof required to protect leadership teams and their organizations.
The problem we solve
Compliance teams are stuck managing obligations across spreadsheets, shared drives, and disconnected tools, with no single source of truth when auditors arrive.
Our commitment
FormaOS is built for the organizations where compliance failure has real consequences: clinical, financial, reputational. We take that accountability seriously.
What We Stand For
These aren't aspirational values on a poster. They're engineering decisions that shape every feature we ship.
Transparency over promises
We make security review material available early in evaluation. Our architecture, encryption, and operating controls are documented clearly, and any restricted artifacts are handled deliberately rather than oversold in public copy.
Infrastructure over features
We build compliance infrastructure, not a feature checklist. Every capability connects to the operating model: controls link to evidence, evidence links to owners, owners link to audit trails.
Execution over documentation
Documentation without execution is liability. FormaOS enforces compliance as work: tasks with deadlines, evidence with verification, controls with named owners, not PDFs in a folder.
Accountability over aspiration
We build for organizations where compliance failure has real consequences: sanctions, registration loss, enforcement actions. Our platform is designed for the teams regulators hold accountable.
Operational Proof, Not Promises
These are the outcomes regulated teams achieve when compliance runs as infrastructure.
Framework-mapped evidence bundles generated on demand, with no manual reconstruction
ISO 27001, SOC 2, NDIS, NSQHS, RACGP, Essential Eight, HIPAA, GDPR, PCI-DSS
Every control has a named owner, review cadence, and evidence trail, with no orphaned obligations
Teams reduce audit preparation from weeks to hours with continuous compliance posture
Who We Serve
FormaOS is purpose-built for organizations operating in regulated environments where accountability is mandatory, not aspirational.
Healthcare Providers
Clinical governance, credentialing, incident response, and accreditation evidence
AHPRA, NSQHS, RACGP, Privacy Act
NDIS & Aged Care
Practice standards compliance, SIRS reportable incidents, worker screening
NDIS Commission, Aged Care Quality & Safety Commission
Financial Services
Regulatory breach reporting, CPS 234 controls, board governance evidence
ASIC, APRA, AUSTRAC, AML/CTF Act
Government Bodies
Protective security obligations, information security controls, audit readiness
PSPF, ISM, Essential Eight, Privacy Act
Education & Workforce
Quality framework compliance, workforce credentials, WHS obligations
ACECQA, NQF, WWC, SafeWork
Technology & SaaS
Information security governance, vendor assurance, continuous compliance
ISO 27001, SOC 2, GDPR, HIPAA
The audit trail never lies
Every action timestamped, attributed to a role, and preserved, exactly as regulators expect. Illustrative sample.
See the compliance operating system in action
We work with regulated operators who need certainty, defensible evidence, and the operational infrastructure to prove it. Request a scoped compliance plan and evaluate FormaOS against your operating requirements.
