Security
Last Updated: March 4th, 2026
We understand that entrusting us with your data requires trust and we don’t take that lightly. Security and privacy have been built into FMClarity from the start. Here’s how we protect what matters to you.
Data protection and infrastructure
Where your data lives
All customer data is hosted on AWS in Australia. Primary data in Sydney; backups replicated to Melbourne for disaster recovery.
Multi-layered security
Encryption at rest: AES-256 on production databases, object storage, and block storage. Backups are encrypted and stored in Melbourne.
Encryption in transit: TLS 1.3 or higher for all connections to and from our services.
Network segmentation: DMZ, application tier, and database tier. Security groups and firewalls restrict access; firewall activity is logged.
Regional hosting
Data is stored and processed in Australia. Support and maintenance access is performed by our personnel from Australia.
Access controls and internal safeguards
Only those who need production access have it. Access is granted on a need-to-know basis with role-based controls, formal authorisation, and periodic reviews.
How we control access
Multi-factor authentication (MFA): Required for team logins.
Role-based access: Documented authorisation; privileged access restricted and subject to increased review.
Access reviews: Annual full review; quarterly for critical systems; monthly for office access and inactive accounts. Leavers’ access is revoked at offboarding.
Remote access: VPN with two-factor authentication for staff accessing the network.
Compliance and standards
ISO 27001
We maintain an ISMS aligned with ISO/IEC 27001:2022. Risk assessment and treatment apply across the scope; risk ownership and treatment plans are documented.
Cloud provider
AWS is certified to ISO 27001, 27017, 27018 and holds ACSC PROTECTED certification.
People and suppliers
Security awareness training: All employees and contractors on hire and at least annually. Role-specific training where applicable.
Sub-processors: Disclosed in our Data Processing Addendum, contractually required to protect data, assessed, and customers notified of changes.
Product security features
Enterprise authentication
Single Sign-On (SSO) and SAML are supported.
API keys: Authorised users can create and revoke API keys in the application; revoked keys cease to be valid immediately.
Secure development
Application security: OWASP-aligned input validation, output encoding, and secure APIs with authentication, authorisation, and rate limiting.
Secrets management: Credentials and keys stored in a managed secrets store; no secrets in source code or config.
Secure testing: SAST and SCA in CI on every relevant change and at least daily; DAST on non-production on every deployment and at least weekly.
Security testing and monitoring
Continuous security validation
External penetration testing: Annually by a qualified third party. Findings are tracked and remediated.
Vulnerability scanning: Vulnerabilities are logged and tracked across all platforms.
Dependency scanning: Open-source and container dependencies scanned in CI; findings triaged and remediated to defined SLAs.
Threat assessments: Annual threat assessment with a qualified partner.
Logging and investigations
We maintain infrastructure- and system-level logging for our operations. Access to logs is restricted to authorised personnel. We do not provide customers with direct access to or export of logs. Contact us to request an investigation; we respond in line with our incident and support procedures.
