Home / Trust / Security

Security disclosures.

Cryptography, authentication, authorisation, infrastructure, monitoring, incident response, and vulnerability disclosure. No marketing. No badges we have not earned.

Cryptography

All customer data is encrypted at rest using AES-256. All data in transit is encrypted using TLS 1.3. Customer-managed keys (CMK) are available on the Enterprise tier; customers supply their own AWS KMS key and Fydis never holds the plaintext key material.

Authentication

Single sign-on via SAML 2.0 is available on Firm and Enterprise tiers. Supported identity providers include Okta, Azure AD, and Google Workspace. Passkey login is the default for direct accounts. SCIM provisioning supports automated user lifecycle management. Multi-factor authentication is enforced for all human accounts with no admin bypass.

Authorisation

Role-based access control ships with three default roles:

  • Reviewer. Read access to outputs and evidence chains; cannot approve or publish.
  • Approver. Read and sign-off access; cannot modify platform configuration.
  • Admin. Full access including user management, policy configuration, and LLM routing.

Custom roles are available on Enterprise. Every read and write action is logged with actor identity, timestamp, and the policy version in effect at the time of the action. Logs are immutable and exportable.

Infrastructure

The Fydis application runs in AWS ap-southeast-2 (Sydney). AU customer data stays in a single region by default; no cross-region replication without explicit customer consent. No third-party CDN holds customer data. The marketing site runs on Vercel; the application and all customer data run on AWS in Australia. Production and staging are separate environments. Access to production infrastructure requires a named human approver and is logged.

Monitoring

Application errors are captured by Sentry, configured to the EU region. Customer payload data is scrubbed before transmission to Sentry; error reports contain stack traces and metadata only. Internal uptime monitoring runs at 60-second intervals. Anomalous API call rates and failed authentication attempts trigger automated alerts to the on-call engineer within five minutes.

Incident response

Fydis commits to a 24-hour initial notification for confirmed data breaches, per the Privacy Act Notifiable Data Breaches scheme. Incident classification follows APRA CPS 234 severity tiers. Post-incident reports are published to affected customers within 14 days of incident closure. The full incident response plan, escalation paths, and notification SLAs are documented at trust/incident-response.

Vulnerability disclosure

Send vulnerability reports to hello@abrlabs.io. Receipt acknowledged within one business day. A timeline provided within five business days. A formal vulnerability disclosure policy with safe-harbour language and a PGP key for encrypted reports will publish in Q3 2026. Until then, the above address is the intake point and the same safe-harbour intent applies.

Ready to walk the controls in your environment?

30 minutes. We bring this disclosure mapped to your security questionnaire (CAIQ, SIG Lite) and show the same controls running on a workspace built from your declared systems.

Questions? Email hello@abrlabs.io. For DPA or procurement questions, include “DPA” in the subject line.