Security Review FAQ
Written for security, compliance, and procurement reviewers. This page avoids inflated claims and uses contract-accurate language.
Do you support SAML SSO?
Yes for Enterprise plans. FormaOS supports a Service Provider (SP) SAML flow with per-org SP metadata and ACS endpoints, plus signed assertion validation.
Do you support SCIM provisioning?
Not currently as a first-party implementation. If SCIM is required, raise it during procurement so we can confirm scope. In the meantime, FormaOS supports a JML (Joiner/Mover/Leaver) admin workflow: owners/admins bulk-invite users, adjust roles, and deactivate access, with actions recorded in the audit trail.
What is your JML (Joiner/Mover/Leaver) workaround without SCIM?
Owners/admins can manage identity lifecycle directly: (1) Joiner: bulk invite users by email with initial roles, (2) Mover: change roles and access permissions as responsibilities change, (3) Leaver: deactivate/lock users and revoke active sessions. These changes are auditable, and you can export audit logs as procurement evidence.
Do you support MFA?
Yes. FormaOS supports TOTP-based MFA with backup codes. MFA enforcement can be applied for privileged roles depending on your governance posture.
How is tenant isolation enforced?
Tenant isolation is enforced at the database layer using row-level security (RLS) policies scoped to organization membership.
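To make the RLS statement above concrete for reviewers, here is an added PostgreSQL illustration of the pattern it describes: rows are readable and writable only by callers who hold a membership in the row's organization. This is example code written for this FAQ, not FormaOS's own schema or policies; the table and column names (org_memberships, documents, org_id, user_id) are assumptions, and auth.uid() is assumed to be the Supabase helper that returns the authenticated caller's user id.

```sql
-- Added illustration, not the vendor's schema. Names below are assumptions.
-- Membership table: which users belong to which organization, and in what role.
create table org_memberships (
  org_id  uuid not null,
  user_id uuid not null,
  role    text not null check (role in ('owner', 'admin', 'member')),
  primary key (org_id, user_id)
);

-- A tenant-owned table. Every row carries the owning organization.
create table documents (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  title  text not null,
  body   text
);

-- Turn RLS on. FORCE makes the policies apply to the table owner as well;
-- without it the owner role silently bypasses every policy.
alter table documents enable row level security;
alter table documents force row level security;

-- Read: a caller sees only rows whose org they are a member of.
-- With RLS enabled and no matching policy, the default is deny, so a role
-- with no membership rows sees an empty table rather than an error.
create policy documents_select on documents
  for select
  using (exists (
    select 1 from org_memberships m
    where m.org_id = documents.org_id
      and m.user_id = auth.uid()
  ));

-- Write: the same membership test, and WITH CHECK re-evaluates it against
-- the new row, so a member cannot insert into or move a row to an org
-- they do not belong to.
create policy documents_write on documents
  for all
  using (exists (
    select 1 from org_memberships m
    where m.org_id = documents.org_id and m.user_id = auth.uid()
  ))
  with check (exists (
    select 1 from org_memberships m
    where m.org_id = documents.org_id and m.user_id = auth.uid()
  ));

-- The membership table itself needs RLS too, otherwise users can enumerate
-- other tenants' members. Here a user may read only their own memberships.
alter table org_memberships enable row level security;
alter table org_memberships force row level security;
create policy memberships_self on org_memberships
  for select using (user_id = auth.uid());
```

Two checks a reviewer can ask for when evaluating an RLS-based isolation claim: first, that FORCE ROW LEVEL SECURITY is set (or that the application never connects as the table owner), since owner and superuser connections bypass policies; second, that any privileged server-side credential that bypasses RLS (such as a service-role key) is confined to backend jobs and never reaches client code. Isolation then rests on the policy predicates, so the evidence to request is the policy definitions themselves plus a test that two users in different organizations see disjoint rows.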
Is there audit logging?
Yes. FormaOS maintains immutable audit trails for sensitive actions and security-relevant operations. Export actions are traceable.
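"Immutable" is a claim reviewers usually want translated into a mechanism. The following is an added PostgreSQL illustration of one common way to make an audit table append-only at the database layer; it is example code for this FAQ, not a description of FormaOS's implementation, and the names (audit_events, app_user) are assumptions.

```sql
-- Added illustration, not the vendor's implementation. Names are assumptions.
create table audit_events (
  id          bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  org_id      uuid not null,
  actor_id    uuid,                  -- null for system-initiated actions
  action      text not null,         -- e.g. 'user.deactivated', 'export.created'
  target      text,                  -- identifier of the affected object
  details     jsonb not null default '{}'::jsonb
);

-- Layer 1, privileges: the application role may append and read, nothing else.
revoke all on audit_events from public;
grant select, insert on audit_events to app_user;

-- Layer 2, trigger: even a role that holds UPDATE/DELETE privilege, or the
-- table owner, is refused. TRUNCATE triggers must be statement-level, so the
-- whole trigger is declared FOR EACH STATEMENT.
create or replace function audit_events_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_events is append-only: % is not permitted', tg_op;
end;
$$;

create trigger audit_events_no_rewrite
  before update or delete or truncate on audit_events
  for each statement execute function audit_events_immutable();

-- Example of the only permitted write path.
insert into audit_events (org_id, actor_id, action, target, details)
values ('00000000-0000-0000-0000-000000000001',   -- constructed sample ids
        '00000000-0000-0000-0000-0000000000aa',
        'user.deactivated',
        'user:00000000-0000-0000-0000-0000000000bb',
        '{"reason": "leaver"}'::jsonb);
```

The caveat a reviewer should note: a trigger and grants bind application roles, but a superuser or database administrator can drop the trigger or alter the rows. When tamper-evidence against the operator is required, the additional evidence to ask for is that audit records are also shipped to storage the application cannot modify (the SIEM export discussed further down is one such path) and that changes to the audit table's definition are themselves logged.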
Is data encrypted in transit and at rest?
Yes. Data is encrypted in transit and at rest using infrastructure primitives and platform security controls.
Is “end-to-end encryption” supported?
No. FormaOS uses standard encryption in transit and at rest. We do not claim application-layer end-to-end encryption.
Do you have a SOC 2 Type II report for FormaOS as a vendor?
If you require a vendor SOC 2 report, raise it during procurement. FormaOS uses “aligned vs certified” wording intentionally: aligned means the controls are modeled and operational artifacts can be produced; certified requires an independent audit of FormaOS as a vendor.
Do you provide a vendor assurance artifact (pen test / independent assessment)?
We provide a vendor assurance process and can share current independent assessment artifacts during buyer review when available and appropriate. See the Vendor Assurance page in the Trust Center for scope, cadence, and request process. We avoid public certification claims unless an independent audit report exists for FormaOS as a vendor.
Do your infrastructure providers have compliance reports?
Yes. Our infrastructure vendors maintain their own compliance reports (e.g., SOC 2), which can be provided via vendor documentation as part of your review process.
Where is customer data hosted?
Customer data is hosted on Supabase (PostgreSQL + object storage) and delivered via Vercel. If your review requires exact regions, request the current region and subprocessor details.
Do you provide a subprocessor list?
Yes. A maintained subprocessor list is available in the Trust Center.
Do you sign a Data Processing Agreement (DPA)?
Yes. We provide a standard DPA summary for enterprise review and can countersign as part of procurement.
What is your incident response process?
FormaOS follows a documented incident response process with investigation, remediation, and customer communication in accordance with contractual and legal requirements.
What is your incident notification timeframe?
Notification timelines are governed by contract terms and applicable law. We avoid universal promises on a public page so that commitments remain contract-accurate.
Do you have an uptime SLA?
Enterprise agreements can include SLA terms. We also publish status and uptime checks on our public status page.
Do you have a public status page?
Yes. A status page with published uptime checks is available publicly.
How do you handle backups and recovery?
Backups and recovery are handled via infrastructure capabilities and operational processes. Details can be provided during procurement.
How do you limit access internally?
Administrative access is controlled by role-based access controls and environment separation. Production access is restricted and security-relevant actions are auditable.
Do you support data export and portability?
Yes. FormaOS supports audit-ready exports and enterprise data exports for portability, subject to access controls and compliance gates.
Can we delete our data?
Yes. Deletion workflows are supported and timelines are defined contractually. Written confirmation can be provided upon completion.
Do you support customer-managed encryption keys (CMEK)?
Not currently. If CMEK is required, raise it during procurement so we can confirm feasibility against infrastructure constraints.
Do you support logging exports for SIEM?
Audit logs are exportable. If you need SIEM streaming, confirm requirements during security review.
Do you support sandbox environments?
Not currently as a first-party “sandbox” mode. Enterprise rollouts typically use separate environments by agreement.
What access model do users have?
FormaOS uses role-based access controls (RBAC). Permissions are scoped to organization membership and privileged actions are restricted to owner/admin roles.
