Procurement
Common questions from procurement, security, and legal teams evaluating FormaOS.
What compliance frameworks does FormaOS support?
FormaOS supports ISO 27001, SOC 2, GDPR, HIPAA, PCI DSS, NIST CSF, and CIS Controls. Each pack includes mapped controls, evidence requirements, and audit-ready reporting outputs.
Where is customer data stored?
Customer data is hosted in Australia by default (AU region). Additional residency or transfer requirements are reviewed during procurement. Data is encrypted at rest (AES-256) and in transit (TLS 1.3). A full subprocessor list with hosting regions is available at formaos.com.au/trust/subprocessors.
Do you have a SOC 2 report?
FormaOS is built on infrastructure providers that maintain their own SOC 2 reports (for example, our hosting provider). FormaOS provides a security packet describing our application controls and data handling. If you require vendor assessment material beyond our public materials, we can discuss current third-party review artifacts during procurement when they are available and appropriate.
Can we sign a DPA?
Yes. We provide a standard Data Processing Agreement that covers GDPR and Australian Privacy Act requirements. Enterprise customers can request a countersigned copy via our contact page.
What are your data retention policies?
Retention periods are configurable and can be tailored to your regulatory obligations. Compliance data, evidence artifacts, and audit trail records are exportable in portable formats such as CSV, JSON, and ZIP. Export windows and deletion timing are handled under your plan and commercial agreement.
Do you support SSO/SAML?
Google OAuth is available on all plans. Enterprise plans can enable SAML SSO (metadata-based configuration, SP metadata and ACS endpoints, and signed assertion validation).
How do you handle security incidents?
We follow a documented incident response process and notify customers in accordance with contract terms and applicable law. We provide impact assessments, mitigation actions, and post-incident learnings where appropriate.
What is your uptime SLA?
Enterprise agreements can include documented availability expectations, incident handling, maintenance communications, and escalation paths in the executed MSA/SOW. Foundation and Growth operate with published support expectations and public status reporting at formaos.com.au/status.
How long does security review take?
Security review timelines depend on the scope of your questionnaire, your legal process, and the artifacts requested. We provide a pre-built Trust Packet with a security overview, compliance mappings, and policy summaries so review teams can start from current materials.
What can teams usually stand up during early evaluation?
During early evaluation, teams can usually enable a primary framework, map existing evidence to controls, generate a posture snapshot, and review export-ready evidence packages. The exact pace depends on implementation scope and the quality of source material.
What teams usually stand up during early evaluation
Initial setup: enable a framework and import existing evidence
Framework mapping: map controls to evidence and create core policies
Ownership design: assign owners and set up automation triggers
Posture review: generate a compliance posture report
Buyer review: review export-ready evidence packages for stakeholders
