SECURITY

Built for the world’s most regulated organisations.

TeamForm runs the most sensitive workforce data in banking, telco and retail. SOC 2 Type II, GDPR, dedicated tenancy with per-customer keys, and regional AWS hosting, independently audited and continuously monitored.

ATTESTATIONS● CONTINUOUSLY MONITORED
SOC 2 Type II
GDPR (EU/UK)
AWS Foundational Technical Review
AWS Qualified Software
Atlassian Cloud Fortified
reports, pen tests & subprocessors → trust.teamform.co
INFRASTRUCTURE

Isolated, encrypted, regionally hosted.

Regional AWS hosting

Run on AWS in Sydney, London and the US, with data residency you can pin to your region.

Dedicated, isolated tenancy

Each customer's data lives in its own isolated store, never pooled with anyone else's.

Encrypted at rest

A per-customer Customer Master Key, generated from FIPS 140-2 validated HSMs and rotated regularly.

Encrypted in transit

TLS everywhere, with a minimum 128-bit AES cipher: between you and the app, and between internal services.

ACCESS & IDENTITY

The right people, and only the right people.

Single sign-on

Bring your own identity provider over SAML, with SCIM to provision and de-provision through your directory.

Role-based access

Scope who sees and changes what, down to confidential workspaces for sensitive change.

Multi-factor authentication

TOTP multi-factor authentication, enforced across every account.

Least privilege

Only authorised, trained staff can reach production, via per-engineer certificates.

Access logging

All access and access attempts are logged.

DATA & PRIVACY

Your data stays yours.

You own your data

It stays inside your tenancy, and it's deleted when you leave the service.

GDPR & DPA

EU/UK GDPR compliant, with a Data Processing Addendum, a Record of Processing Activity and privacy training.

Classification & retention

Formal data-classification, retention and disposal procedures.

Published subprocessors

The full subprocessor list is public on our Trust Center. No surprises.

ASSURANCE & OPERATIONS

Independently proven, continuously watched.

SOC 2 Type II

Audited annually (the current report is dated December 2025). Request the report under NDA from our Trust Center.

Independent pen testing

Penetration tested at least annually, with findings remediated to defined SLAs.

Secure SDLC

A formal development lifecycle: changes documented, tested, reviewed and approved before production.

Continuity & monitoring

Business continuity and disaster-recovery plans, system monitoring and cyber-insurance cover.

Do your diligence.

Everything above is documented, audited and available on our Trust Center.