Vendor Trust Packet
A downloadable PDF built from current review materials. Covers architecture, encryption, identity, data handling, subprocessors, and assurance context.
FormaOS Vendor Trust Packet (PDF)
Current version · Updated February 2026 · 6 sections · ~12 pages
What the packet covers
Security Posture Overview
- Application security architecture and threat model summary
- OWASP Top 10 coverage and mitigation approach
- Security review approach and findings classification
- Vulnerability disclosure and remediation tracking policy
Encryption & Access Controls
- AES-256 encryption at rest - all tenant data and evidence artifacts
- TLS 1.3 encryption in transit for all platform traffic
- Role-based access controls with principle of least privilege
- SAML 2.0 SSO configuration guide (Okta, Azure AD, Google Workspace)
- MFA enforcement options for Enterprise tenants
Data Residency & Subprocessors
- Default hosting: Australia (AU region)
- Additional data residency requirements reviewed during procurement
- Subprocessor list with hosting regions and data processing purposes
- Standard Contractual Clauses (SCCs) for international transfers
- Data flow diagram from collection to storage to deletion
Infrastructure & Availability
- Hosting provider SOC 2 reports available on request
- Automated backup and point-in-time recovery
- Availability expectations and support terms reviewed during the contract process
- Incident response process and breach notification timelines
- Maintenance communication and change management policy
Compliance & Legal Artifacts
- Data Processing Agreement (DPA) - countersigned copy available for Enterprise
- Vendor assurance questionnaire pre-filled responses
- Privacy Act 1988 (Australian Privacy Principles) alignment summary
- GDPR data subject rights support overview
- Current third-party assessment or review artifacts, shared during buyer review when available
Assurance Clarifications
- Aligned vs certified: honest positioning of our current assurance posture
- What "aligned to SOC 2" means and what it does not claim
- Third-party assessment approach and artifact sharing during buyer review when appropriate
- How to escalate procurement questions to the FormaOS security team
Who this is designed for
The Trust Packet is designed to answer the first wave of questions from your security team, legal counsel, and procurement reviewers during early evaluation. It uses intentional "aligned vs certified" language so your team knows exactly what we are claiming and what we are not. For additional restricted artifacts, use the request form below.
