Skip to main content
FormaOS

Vendor Trust Packet

A procurement-ready PDF from current system status. Covers architecture, encryption, identity, data residency, subprocessors, and assurance commitments.

FormaOS Vendor Trust Packet (PDF)

Current version · Updated February 2026 · 6 sections · ~12 pages

Download PDF

What the packet covers

Security Posture Overview

  • Application security architecture and threat model summary
  • OWASP Top 10 coverage and mitigation approach
  • Penetration testing planned - findings classification and remediation tracking policy
  • Vulnerability disclosure and remediation tracking policy

Encryption & Access Controls

  • AES-256 encryption at rest - all tenant data and evidence artifacts
  • TLS 1.3 encryption in transit for all platform traffic
  • Role-based access controls with principle of least privilege
  • SAML 2.0 SSO configuration guide (Okta, Azure AD, Google Workspace)
  • MFA enforcement options for Enterprise tenants

Data Residency & Subprocessors

  • Default hosting: Australia (AU region)
  • Enterprise residency options: AU default (US / EU on roadmap) - configurable at onboarding
  • Subprocessor list with hosting regions and data processing purposes
  • Standard Contractual Clauses (SCCs) for international transfers
  • Data flow diagram from collection to storage to deletion

Infrastructure & Availability

  • Hosting provider SOC 2 reports available on request
  • Automated backup and point-in-time recovery
  • Enterprise uptime target: 99.9% monthly - incorporated in MSA/SOW
  • Incident response process and breach notification timelines
  • Planned maintenance window notification policy (48 hours minimum)

Compliance & Legal Artifacts

  • Data Processing Agreement (DPA) - countersigned copy available for Enterprise
  • Vendor assurance questionnaire pre-filled responses
  • Privacy Act 1988 (Australian Privacy Principles) alignment summary
  • GDPR data subject rights support overview
  • Penetration test executive summary (NDA required)

Assurance Clarifications

  • Aligned vs certified: honest positioning of our current assurance posture
  • What "aligned to SOC 2" means and what it does not claim
  • Third-party assessment approach and artifact sharing under NDA
  • How to escalate procurement questions to the FormaOS security team

Who this is designed for

The Trust Packet is designed to answer the first wave of questions from your security team, legal counsel, and procurement reviewers - before a formal vendor questionnaire arrives. It uses intentional "aligned vs certified" language so your team knows exactly what we are claiming and what we are not. For NDA-gated artifacts (penetration test executive summary), use the request form below.

Request NDA artifactsFull Security Review Packet
← Back to Trust CenterVendor Assurance Process