Formbird Platform Security Policy

Version: 1.2 | Last Updated: July 2025

1. Purpose

This security policy outlines the controls, practices, and principles that govern the security of the Formbird Platform — a low-code application environment powering solutions such as Formbird FLEET. It affirms our commitment to data protection, continual improvement, and the active involvement of all staff and partners in maintaining a secure digital ecosystem.

Security at Formbird is not an afterthought. It is embedded in every level of our infrastructure, development, deployment, and support practices. This document reflects our shared responsibility model, where everyone from developers to customer success managers contributes to a safe, resilient, and trusted platform.

2. Scope

This policy applies to:

  • All Formbird personnel and contractors.
  • All systems, applications, data, and infrastructure that comprise the Formbird Platform.
  • All customer data and services hosted under our Software as a Service (SaaS) delivery model.

It specifically includes our hosting environment at Equinix ME1 in Port Melbourne, a Tier 3, ISO-certified data centre meeting global standards for physical and digital security.

3. Hosting Environment & Physical Security

3.1 Strategic Hosting Location

Formbird infrastructure is hosted in the Equinix ME1 International Business Exchange™ data centre, located at 578 Lorimer Street, Port Melbourne, Victoria. This purpose-built, standalone facility is situated just 2.5 km from Melbourne’s commercial centre and provides high availability infrastructure for mission-critical applications.

3.2 Facility Certifications

Equinix ME1 has achieved multiple internationally recognised certifications that ensure robust security, operational continuity, and compliance:

  • ISO 27001 – Information Security Management
  • SOC 1 & SOC 2 Type II – Internal control and audit compliance
  • PCI DSS – Secure handling of sensitive data
  • ISO 22301 – Business Continuity
  • ISO 9001 & ISO 14001 – Quality and environmental controls
  • LEED Silver – Green building certification

3.3 Power, Cooling, and Redundancy

  • 2.5–4.5 kVA per cabinet with N+1 cooling and block‑redundant UPS
  • Five 2,250 kVA diesel generators
  • 48-hour backup fuel supply
  • Raised floors and dual power feeds ensure energy resilience

3.4 Network & Interconnectivity

  • Direct access to over 50+ network providers
  • Connected to AWS, Azure, Google Cloud, and other ecosystems
  • Dark fibre links to Sydney-based disaster recovery zones
  • Cross connects to VIC-IX and other Internet Exchanges

3.5 Physical Security Controls

  • 24/7 on-site security staff
  • Mantrap entries, biometric scanners, and smartcard access
  • CCTV with motion detection and 30+ day video retention
  • Steel-reinforced structure with double-interlocked sprinkler systems

4. Platform Architecture & Technical Controls

4.1 System Design & Delivery Model

Formbird is delivered as a fully managed, browser-based SaaS platform with no client-side installations required. All application logic and data reside securely in the cloud.

  • Data Sovereignty: 100% Australian-hosted and operated
  • Redundancy: Built-in failover and backup systems
  • Daily Backups: Retained for 14 days, encrypted in storage
  • Disaster Recovery: RTO < 4 hours, RPO < 24 hours
  • Uptime Target: ≥ 99.5%

4.2 Encryption & Data Protection

  • AES-256 encryption for data at rest
  • TLS 1.2+ encryption for all data in transit
  • Role-Based Access Control (RBAC) with field-level permissions
  • Multi-Factor Authentication (MFA) for privileged roles

4.3 Identity & Access Management

  • SSO support via MS Active Directory and other identity providers
  • Configurable permission sets based on user role and department
  • Audit logging of all login attempts, form submissions, and system changes

5. Secure Development Practices

5.1 Secure Software Development Lifecycle (SDLC)

  • Code changes follow a controlled lifecycle with peer review
  • Static and dynamic code scanning tools used in all release phases
  • Third-party libraries checked for known vulnerabilities (CVE scanning)

5.2 Configuration Management

  • Environment-specific configuration control
  • Changes managed through versioned release branches
  • Monthly release cycle with hotfix capability for critical patches

5.3 Vulnerability & Patch Management

  • Critical vulnerabilities patched within 48 hours
  • Quarterly penetration testing and regular vulnerability scans
  • Reports reviewed by the senior engineering team and governance group

6. Continual Improvement & Team-Wide Involvement

6.1 Governance & Risk Management

  • Monthly internal security reviews with KPI tracking:
    • Patch lead time
    • Incident detection and resolution time
    • Backup success rate
  • Risk register maintained and aligned with ISO 27001 principles

6.2 Staff Security Awareness

  • Mandatory annual security training for all employees
  • Secure-by-design workshops involving engineering, support, and product teams
  • Defined process for internal reporting of suspicious behaviour or vulnerabilities

6.3 Formbird FLEET Professional Community

Formbird hosts a bi-monthly meet-up with customers, including security topics and roadmap previews. User feedback is often incorporated into security planning — ensuring the platform evolves in alignment with user needs and real-world risk.

7. Incident Management & Monitoring

7.1 Incident Response Plan (IRP)

  • Clearly defined roles for incident escalation and communication
  • RCA (Root Cause Analysis) conducted and logged for all major incidents
  • Optional client notifications provided for incidents affecting availability or data

7.2 System Monitoring & Alerting

  • 24/7 infrastructure monitoring via automated tools
  • Real-time alerting on performance anomalies, access violations, and system failures
  • Logging centralised and retained for at least 12 months for audit purposes

8. Compliance, Auditability & Customer Assurance

8.1 Compliance Standards Alignment

  • Australian Privacy Principles (APPs)
  • ISO 27001-aligned operational practices
  • IPWEA-aligned fleet compliance (Formbird FLEET)

8.2 Customer Responsibilities & Shared Model

  • Customers manage user provisioning and device security within their organisations
  • Formbird manages infrastructure, platform security, and data availability

8.3 Audit Trail & Traceability

  • Every key interaction (user login, booking, update) is logged and time-stamped
  • Audit logs accessible to authorised admins or for compliance review

9. Review Cycle & Policy Maintenance

  • This policy is reviewed every six months or after any material change in:
    • Infrastructure (e.g., new hosting location)
    • Compliance environment (e.g., regulatory update)
    • Service delivery (e.g., new product offering or architecture upgrade)
  • Policy versioning and change control are documented to ensure traceability.

10. Conclusion

The Formbird Platform is engineered for secure, scalable, and sustainable operations. Our commitment to security goes beyond technical safeguards—it is embedded into our organisational culture, our infrastructure decisions, and our engagement with the community. The use of world-class facilities like Equinix ME1, combined with a governance model that invites team and customer participation, ensures that Formbird remains a trustworthy partner for your most critical fleet and operational data.