Every change,
shipped transparently

Two compliance verticals, mental-health services and Australian financial services, join NDIS, so providers in those sectors start against a real control set instead of a blank framework. Several capabilities that existed in the data model but had no way in, structured incident investigations, regulatory-notification tracking, the medication chart’s add action, executive-digest scheduling, are now wired end to end. The automation engine that had been dormant since we removed the external task runner runs again, this time on the platform’s own scheduler.

A full visual rebrand. The product is now FORMAOS, with a charcoal wordmark and an “FO” monogram in place of the previous cyan shield, and a near-monochrome palette across the app, the marketing site, the sign-in screens, email and PDF exports. Alongside the new look, every marketing claim was re-checked against what the codebase actually does, invented personas, round-number metrics and any statement the product could not stand behind were removed.

The audit trail moves from a plain hash chain to a keyed, externally-anchored one, and customers can now verify it themselves without having to trust us. New public pages give procurement and security reviewers the evidence they ask for: a live status page and a self-serve audit-bundle verifier. Account security gains login lockout and tighter MFA handling, evidence files are hashed on upload and re-checked on download, and GDPR erasure now runs as a queued, auditable purge.

Audit re-pass on the v4.0 Foundation Audit work. Two independent passes, a fresh end-to-end audit and a verification of the resulting fix sweep, surfaced gaps that a single pass missed: a cross-org permission leak, a defence-in-depth IdP-init SAML gate, billing webhooks that could be steered by attacker-controlled metadata, three silent try/catch blocks in the compliance evaluator, and care-plan mutations on PHI that had no audit trail. Thirty PRs landed (v4-001 through v4-031). This release block is what changed in the final round plus the substantive themes from the sprint as a whole.

Per-control evaluator infrastructure for SOC 2 and ISO 27001, typed registry, expanded framework packs to standard control counts, twelve working SOC 2 evaluators, real PDF report engine with brand typography, and a production-database bootstrap that finally landed eleven outstanding April migrations.

Wide-spectrum audit pass across authentication, authorisation, billing, observability, compliance honesty, and CI discipline. Closed seven blockers and thirteen high-severity findings identified during a from-scratch code-and-runtime review. Real row-level security replaces never-evaluated placeholder policies on fourteen multi-tenant tables; MFA is enforced at login rather than enrolled-then-ignored; trust packets are signed; CI gates actually block merges.

Evidence and audit integration pass: obligation uploads now write to Supabase storage, evidence rows link back to obligations and typed entities, the obligations register reads real evidence counts, and audit-trail activity is available through a new entity-filtered API.

Enterprise marketing overhaul: 100x homepage upgrade with social proof and visual refresh, enterprise marketing pages Phase 1 & 2, Stripe webhook billing fix, Tailwind class audit with legacy btn migration, and reduced layout bloat across all marketing pages.

Product maturity and growth sprint: full billing, emails, onboarding, and monitoring infrastructure, comprehensive SEO engine with IndexNow and structured data, LCP performance fix from 4.2s to sub-2s, enterprise theme upgrade across all 5 themes, blog internal linking, and updated marketing mockups.

Quality and performance sprint: TypeScript any cleanup across 65+ files, admin command center decomposition from 1,908 to 303 lines, 47 WCAG 2.1 AA accessibility fixes, mobile responsiveness for 6 pages, statement coverage from 53% to 55% with 200+ new tests, and performance validation with clean production build.

Master sprint: guided onboarding wizard, demo seed data for 6 industries, financial services compliance dashboard, branch coverage from 34% to 50%, TypeScript any cleanup across 50 files, and employer dashboard decomposition from 1,840 to 528 lines.

Enterprise governance expansion: framework cross-mapping, task management, usage analytics, permissions matrix, policy lifecycle, document retention, org branding, dashboard builder, integration marketplace, and enhanced audit trail.

Platform infrastructure overhaul: third-party integrations, threaded comments, report generator, webhook relay, evidence versioning, risk analytics, AI insights, email system, compliance scanner, dashboard widgets, API v1, and scheduled tasks.

AI-powered compliance assistant, SOC 2 self-certification engine, and automated evidence collection.

Major release: SCIM 2.0, compliance gates, risk heatmap, and workflow automation.

SOC 2 framework, evidence vault with SHA-256, and immutable audit trail.

Initial launch with ISO 27001 framework pack and core compliance platform.