Security
Last Updated: March 4th, 2026
We understand that entrusting us with your data requires trust and we don’t take that lightly. Security and privacy have been built into FMClarity from the start. Here’s how we protect what matters to you.
Data protection and infrastructure

Where your data lives
All customer data is hosted on AWS in Australia. Primary data in Sydney; backups replicated to Melbourne for disaster recovery.
Multi-layered security
Encryption at rest
AES-256 on production databases, object storage, and block storage. Backups are encrypted and stored in Melbourne.
Encryption in transit
TLS 1.3 or higher for all connections to and from our services.
Network segmentation
DMZ, application tier, and database tier. Security groups and firewalls restrict access; firewall activity is logged.
Regional hosting
Data is stored and processed in Australia. Support and maintenance access is performed by our personnel from Australia.
Access controls and internal safeguards
Only those who need production access have it. Access is granted on a need-to-know basis with role-based controls, formal authorisation, and periodic reviews.
How we control access
Multi-factor authentication (MFA)
Required for team logins.
Access reviews
Annual full review; quarterly for critical systems; monthly for office access and inactive accounts. Leavers’ access is revoked at offboarding.
Role-based access
Documented authorisation; privileged access restricted and subject to increased review.
Remote access
VPN with two-factor authentication for staff accessing the network.
Compliance and standards


Privacy Act Compliant
ISO 27001
We maintain an ISMS aligned with ISO/IEC 27001:2022. Risk assessment and treatment apply across the scope; risk ownership and treatment plans are documented.
Cloud provider
AWS is certified to ISO 27001, 27017, 27018 and holds ACSC PROTECTED certification.
People and suppliers
Security awareness training
Delivered to all employees and contractors on hire and at least annually. Role-specific training where applicable.
Sub-processors
Disclosed in our Data Processing Addendum, contractually required to protect data, assessed, and customers notified of changes.
Product security features
Enterprise authentication
Single Sign-On (SSO) and SAML.
API keys: Authorised users can create and revoke API keys in the application; revoked keys cease to be valid immediately.
Secure development
Application security: OWASP-aligned input validation, output encoding, and secure APIs with authentication, authorisation, and rate limiting.
Secrets management: Credentials and keys stored in a managed secrets store; no secrets in source code or config.
Secure testing: SAST and SCA in CI on every relevant change and at least daily; DAST on non-production on every deployment and at least weekly.
Security testing and monitoring
Continuous security validation
External penetration testing: Annually by a qualified third party. Findings are tracked and remediated.
Vulnerability scanning: Vulnerabilities are logged and tracked across all platforms.
Dependency scanning: Open-source and container dependencies scanned in CI; findings triaged and remediated to defined SLAs.
Threat assessments: Annual threat assessment with a qualified partner.
Logging and investigations
We maintain infrastructure- and system-level logging for our operations. Access to logs is restricted to authorised personnel. We do not provide customers with direct access to or export of logs. Contact us to request an investigation; we respond in line with our incident and support procedures.
