Security at Aformity

Aformity manages security as part of product development, customer onboarding, vendor selection, operational support, and incident response. Security decisions are evaluated in the context of the data onboarding workflow: what information is submitted, who needs access, how outputs are reviewed, and how customers use those outputs after export.

Our security program is designed to mature with the service and the customer base. Where a customer requires specific controls, documentation, contractual commitments, or procurement review, Aformity handles those requests case by case through the commercial or security review process.

Unless a specific commitment appears in a signed agreement or official security disclosure, customers should not treat this page as a representation that a particular certification, audit report, control framework, residency commitment, encryption configuration, access logging feature, or regulated-data program is currently available.

Aformity may process customer files, source records, destination schema definitions, field mappings, validation rules, cleanup rules, transformation instructions, import preparation outputs, comments, review decisions, and related operational metadata. The exact data processed depends on the customer's workflow and configuration.

Customers remain responsible for the accuracy, legality, completeness, and suitability of the data they submit. Aformity is a readiness layer for data onboarding; it is not the system of record and does not replace the customer's compliance, privacy, security, accounting, payroll, healthcare, financial, or legal review.

Customers should minimize submitted data to what is needed for the onboarding workflow. Unless expressly agreed in writing, customers must not submit protected health information, payment card data, government identifiers, children's data, credentials, secrets, or other regulated or highly sensitive information.

Security depends on the way customers configure and use the service. Customers are responsible for selecting appropriate users, protecting account credentials, limiting access to authorized personnel, reviewing prepared data before import, and maintaining backups or source-of-truth records outside Aformity.

Customers should review their own legal and compliance requirements before using Aformity for data that is sensitive, regulated, subject to residency restrictions, or subject to contractual handling obligations.

• Use only data that the customer is authorized to process and provide to Aformity.
• Remove unnecessary columns, records, secrets, and regulated fields before upload.
• Review mappings, transformations, validation results, and exports before using them in a production import.
• Promptly notify Aformity of suspected unauthorized access, credential exposure, or misuse of the service.

Aformity's product workflows are designed around the practical realities of import preparation: data intake, schema mapping, validation, transformation, review, export, and launch readiness. Product changes are evaluated for their effect on customer data handling, workflow reliability, and operational risk.

Aformity may monitor service operation, investigate suspected misuse or abuse, and suspend access where necessary to protect the service, customers, users, or third parties. Customers should treat generated or transformed outputs as materials requiring review, not as automatically approved production data.

Aformity limits operational handling of customer information to what is needed to provide, support, secure, debug, and improve the service. Access expectations, administrative roles, support access, and customer-side user management may be addressed in the applicable customer agreement or security review materials.

Customers are responsible for managing their own account users and internal approval process. Aformity may rely on customer administrators, implementation leads, or other authorized customer representatives for instructions about data submitted to the service.

Aformity may use third-party infrastructure, analytics, communications, support, security, and operational vendors to run the website, product, and business. Vendor and subprocessor commitments are handled through applicable customer agreements, procurement reviews, or security review materials when available.

Aformity does not currently publish a public named subprocessor list from this page. Customers that require vendor-specific information, geographic commitments, or subprocessor review should contact Aformity before submitting customer content that is subject to those requirements.

Aformity expects to operate primarily from Australia and may support customers and users in the United States and other locations. Customer content, account information, support information, and usage data may be processed by Aformity or its service providers outside the customer's location unless a written agreement says otherwise.

Customers with data residency, cross-border transfer, government access, or regional privacy requirements should raise those requirements during procurement or before uploading customer content.

Aformity's incident response approach is designed to identify, assess, contain, investigate, and remediate suspected security incidents. If Aformity determines that an incident affects customer data, Aformity will notify affected customers as required by applicable law and any applicable written agreement.

Customers should report suspected security issues, unauthorized account activity, exposed credentials, or unexpected data access promptly so Aformity can investigate.

Aformity is not currently presented as a HIPAA-compliant, payment-card-compliant, government-classified, or regulated-industry data platform. Customers should not use Aformity for regulated or high-risk data unless Aformity has expressly agreed to that use case in writing.

Examples of data that should not be uploaded without written approval include protected health information, payment card data, tax identifiers, government identifiers, background check data, biometric information, precise geolocation, secrets, passwords, private keys, children's data, and data subject to strict residency or sector-specific obligations.

Security questionnaires, procurement reviews, data processing questions, and enterprise contracting requests can be sent to hello@aformity.com. Aformity will provide available documentation and discuss appropriate contractual commitments based on the customer relationship, data involved, and intended use of the service.