
Security Review Packet for Enterprise Buyers

The core materials enterprise security, legal, and procurement teams usually review first: encryption, SSO, data handling, assurance posture, and DPA context.

Security architecture overview

  • Multi-tenant architecture with Row-Level Security (RLS), strict org boundary enforcement at the database layer
  • Application-layer authorization with RBAC model and segregation of duties across all compliance workflows
  • Change management controls: code review, CI/CD pipeline gates, staging environments, and rollback procedures
  • Infrastructure hosted on enterprise-grade cloud providers with automatic failover and disaster recovery
  • Network segmentation and firewall rules enforcing least-privilege access between services
  • Dependency scanning and vulnerability management integrated into the development lifecycle

Identity, auth, and SSO

  • Google OAuth on all plans; SAML 2.0 SSO ships pre-wired for Microsoft Entra ID (Azure AD) and Google Workspace on Enterprise. SAML 2.0 is standards-compliant, so additional IdPs (Okta, OneLogin, etc.) are supported on request during procurement rather than listed as pre-built connectors.
  • MFA policy enforcement with configurable session duration and idle timeout controls
  • Enterprise identity reviews cover lifecycle-management requirements, including joiner/mover/leaver workflows and provisioning expectations
  • Role-based access control with granular permissions: admin, compliance lead, reviewer, auditor, read-only
  • Session management with forced re-authentication for sensitive operations (evidence approval, user management)
  • SSO enforcement mode: block password login when SSO is configured to prevent shadow authentication

Data handling and encryption

  • AES-256 encryption at rest and TLS 1.3 in transit across production data flows
  • Evidence chain-of-custody metadata: uploader identity, verifier, timestamps, and control linkage preserved
  • Retention policies aligned to your regulatory requirements with configurable retention periods per data type
  • Structured export and data portability workflows are available, with exact exit timelines handled contractually
  • Backup encryption with separate key management; backups are encrypted independently of primary storage
  • No data sharing with third parties beyond documented subprocessors; subprocessor list publicly available

Audit logging and evidence defensibility

  • Tamper-evident, immutable audit logs for every compliance action: timestamped, uneditable, and append-only
  • Evidence verification workflow with approval, rejection, and segregation controls fully documented
  • Framework-mapped audit bundles are exportable for regulator, auditor, or board review
  • User activity logs: login history, permission changes, evidence access, and administrative actions recorded
  • Evidence versioning: superseded artifacts are retained with full version history and reason-for-change
  • Audit log retention is configurable according to contractual and regulatory requirements

Operational assurance and residency

  • AU-based hosting by default, with additional residency requirements reviewed during procurement
  • Independent security review approach and current assessment artifacts shared during enterprise review when available and appropriate
  • DPA (Data Processing Agreement) covering GDPR and Privacy Act 1988 obligations, available pre-signature
  • Vendor assurance materials are available during procurement review as applicable
  • SLA and incident-response commitments are documented in enterprise agreements where applicable
  • Public status visibility and contractual service commitments are handled separately and described conservatively

Security Review Checklist

The items below match typical procurement questionnaires. If your organization needs additional detail (DPA, vendor risk artifacts, or proof-of-control screenshots), we can support that during the walkthrough.

  • Data flow diagram (high level) + tenant isolation model (RLS posture)
  • Authentication methods: Google OAuth, SAML 2.0 SSO, MFA enforcement
  • AES-256 at rest + TLS 1.3 in transit encryption confirmation
  • Evidence storage approach, access controls, and chain-of-custody metadata
  • Audit logging coverage, tamper-evident history, and export capabilities
  • AU-hosted deployment posture and DPA documentation
  • Current assessment and remediation materials, when available for buyer review
  • Incident response posture and operational escalation contacts
  • Data portability confirmation: portable export and contract-defined deletion timelines
  • Subprocessor list with data categories, locations, and processing purposes
  • Business continuity and disaster recovery posture (RPO/RTO targets)
  • Vendor risk management: third-party dependency governance and review cadence

Note: Content here describes the FormaOS review experience. Do not treat it as a formal certification claim.