Security
Effective: 1 September 2025
1. Our Commitment
At Faaro, security is foundational to everything we build. Our workforce technology integration platform connects critical HR, rostering, time tracking, and payroll systems for our customers. We understand that this data is highly sensitive and that our customers trust us to protect it with the highest standards of care.
This page provides an overview of our security practices, compliance posture, and the measures we take to protect your data. If you have security questions or need additional detail for a vendor assessment, please contact us at security@faaroglobal.com.
2. Compliance and Certifications
We are committed to meeting and exceeding industry security standards:
SOC 2 Type II — In Progress
ISO 27001 — Planned 2026
- SOC 2 Type II: We are actively working toward SOC 2 Type II certification, covering the Trust Services Criteria of Security, Availability, and Confidentiality. Our programme includes policy development, control implementation, and evidence collection.
- ISO 27001: We have planned our ISO 27001 certification programme for 2026, building on our existing Information Security Management System (ISMS) framework.
- Annual penetration testing: We engage independent, qualified third-party security firms to conduct annual penetration tests of our platform, infrastructure, and APIs. Findings are triaged and remediated based on severity.
- Australian Privacy Principles (APPs): We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. See our Privacy Policy for details.
3. Privacy and Data Processing
- Data Processing Agreement (DPA): We provide a comprehensive DPA to all customers that outlines our obligations as a data processor, including data handling, sub-processor management, breach notification, and data deletion procedures.
- Data usage framework: Customer data is only used to provide and improve the Services as agreed in the customer's service agreement. We do not use customer workforce data for advertising, profiling, or any purpose unrelated to service delivery.
- Sub-processor management: We maintain a list of sub-processors and notify customers of changes. All sub-processors are bound by data processing agreements with security requirements equivalent to our own.
4. Product Security Features
Our platform includes comprehensive security features designed to protect customer data at every layer:
Authentication
Single Sign-On (SSO) via SAML 2.0 and OIDC. Multi-factor authentication (MFA) support. OAuth 2.0 for API integrations. Session management with configurable timeouts. Account lockout after failed attempts.
Authorization
Role-based access control (RBAC) with granular permissions. Tenant isolation ensures complete data separation. Space-level access controls for organisational units. Least-privilege principle enforced across all services.
Auditing
Comprehensive audit logging of all data access and modifications. Immutable audit trail with tamper-evident design. Evidence chain for compliance verification. Exportable audit reports for external review.
API Security
All API communications encrypted with TLS 1.2 or higher. API key management with rotation support. Rate limiting and throttling to prevent abuse. Input validation and output encoding on all endpoints.
5. Infrastructure Security
Our platform is hosted on Amazon Web Services (AWS) in the Sydney region (ap-southeast-2), providing enterprise-grade infrastructure security:
- AWS Sydney (ap-southeast-2): Primary data storage and processing occurs in the AWS Sydney region, ensuring data residency within Australia.
- Virtual Private Cloud (VPC): All services operate within isolated VPCs with strict network segmentation. Private subnets are used for databases and internal services.
- Web Application Firewall (WAF): AWS WAF protects against common web exploits including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats.
- DDoS protection: AWS Shield provides always-on DDoS protection.
- Network monitoring: VPC Flow Logs and security group analysis provide continuous network monitoring.
- Infrastructure as Code: All infrastructure is defined and managed through code, ensuring consistent, auditable, and repeatable deployments.
6. Application Security
We integrate security throughout our software development lifecycle:
- SAST (Static Application Security Testing): Automated static analysis of source code during development and CI/CD pipelines to identify vulnerabilities before deployment
- DAST (Dynamic Application Security Testing): Regular dynamic testing of running applications to identify runtime vulnerabilities and misconfigurations
- SCA (Software Composition Analysis): Continuous monitoring of third-party dependencies for known vulnerabilities, with automated alerts and remediation workflows
- Secure development practices: Code reviews, security-focused design reviews, and developer security training
- Vulnerability management: Documented vulnerability management process with SLAs for remediation based on severity (Critical: 24h, High: 7 days, Medium: 30 days, Low: 90 days)
7. Encryption
Encryption in Transit
All data transmitted between clients and our Services is encrypted using TLS 1.2 or higher. We enforce HTTPS for all web traffic. API communications use TLS with strong cipher suites. Internal service-to-service communication is encrypted.
Encryption at Rest
All stored data is encrypted using AES-256 encryption. Database encryption is enabled at the storage layer. Backups are encrypted using the same standards. Encryption keys are managed through AWS KMS with automatic rotation.
8. Identity and Access Management
We implement strict identity and access management controls across our organisation and platform:
- Employee access: All Faaro employees use SSO with MFA for access to internal systems. Access is granted on a least-privilege basis and reviewed quarterly.
- Production access: Access to production systems is restricted to authorised personnel only, with all access logged and auditable. Just-in-time access is used for elevated privileges.
- Customer data access: Faaro personnel do not access customer data unless explicitly authorised by the customer for support purposes. All support access is logged.
- Offboarding: Employee access is revoked within 24 hours of termination. Automated processes ensure complete access removal across all systems.
9. Business Continuity
We maintain business continuity and disaster recovery capabilities to ensure service availability:
- Recovery Time Objective (RTO): 24 hours — Maximum targeted time to restore service after a major disruption
- Recovery Point Objective (RPO): 4 hours — Maximum targeted data loss window in the event of a disaster
- Automated backups: Database backups are performed continuously with point-in-time recovery capability
- Geographic redundancy: Backup data is replicated to a secondary AWS region for disaster recovery
- Disaster recovery testing: Recovery procedures are tested regularly to validate RTO/RPO targets
- Incident communication: We maintain a status page and will proactively communicate service disruptions to affected customers
10. Incident Response
We maintain a documented incident response plan that is reviewed and tested regularly:
- Detection: Automated monitoring and alerting for security events across infrastructure and application layers
- Triage: Incidents are classified by severity and assigned to the appropriate response team
- Containment: Immediate steps to contain the incident and prevent further impact
- Investigation: Thorough investigation to determine root cause, scope, and impact
- Notification: Affected customers are notified in accordance with contractual obligations and applicable law (including the Notifiable Data Breaches scheme under the Privacy Act 1988)
- Remediation: Root cause remediation and implementation of preventive measures
- Post-incident review: Blameless post-mortem review with documented lessons learned
To report a security incident or vulnerability, contact security@faaroglobal.com.
11. Third-Party Services
We carefully evaluate and monitor all third-party services integrated into our platform:
- Vendor assessment: All third-party vendors undergo a security assessment before onboarding, including review of their security certifications, practices, and data handling procedures
- Ongoing monitoring: We continuously monitor the security posture of our vendors and review their certifications and audit reports annually
- Contractual protections: All vendors are bound by contractual security and data protection obligations
- Integration security: Third-party workforce system integrations are implemented with secure API connections, encrypted credentials, and minimal data exposure (only the data required for the configured integration is transmitted)
12. AI/ML Transparency
Where our platform uses artificial intelligence or machine learning capabilities:
- Purpose limitation: AI/ML features are used solely to improve workforce integration accuracy, compliance detection, and platform usability. They are not used for employment decisions.
- Data handling: Customer data used for AI/ML features is processed in accordance with our Privacy Policy and the customer's service agreement. Customer data is not used to train models for other customers.
- Human oversight: All AI/ML outputs that affect compliance decisions or data classification are subject to human review. Automated suggestions can be accepted, modified, or rejected by authorised users.
- Transparency: We are transparent about where AI/ML is used in our platform and provide documentation on how these features work.
13. Shared Responsibility
Security is a shared responsibility between Faaro and our customers. While we are responsible for the security of our platform and infrastructure, customers share responsibility for:
- Account security: Using strong passwords, enabling MFA, and managing user access within their organisation
- Access management: Configuring appropriate roles and permissions for their users and promptly revoking access when no longer needed
- Data classification: Ensuring that data provided to the platform is appropriately classified and that sensitive data is handled according to their internal policies
- Integration credentials: Securing API keys, tokens, and credentials used for third-party workforce system integrations
- Incident reporting: Promptly reporting any suspected security incidents or vulnerabilities to security@faaroglobal.com
- Compliance: Ensuring their use of the platform complies with applicable laws and regulations in their jurisdiction
Contact Our Security Team
We welcome security inquiries, vendor assessment requests, and responsible vulnerability disclosures.