Security policy.
A public summary of how ABR Labs Pty Ltd (ABN 36 693 095 911) protects Customer Data. The full technical disclosure is at /trust/security.
Encryption
All Customer Data stored on ABR Labs infrastructure is encrypted at rest using AES-256. All data transmitted between customers and the Fydis platform is protected by TLS 1.3. Customers on the Enterprise tier may provide their own encryption keys (customer-managed keys, CMK) via AWS KMS.
Data residency
Customer Data for Australian customers is stored exclusively in AWS ap-southeast-2 (Sydney, Australia). Data does not leave this region except where a customer has explicitly configured a cross-region integration. The Fydis marketing website uses Vercel's CDN; application data does not pass through that CDN.
Access control
Access to the Fydis platform is managed through role-based access control (RBAC). Three default roles are available: Reviewer, Approver, and Admin. Custom roles are available on Firm and Enterprise tiers.
- Multi-factor authentication (MFA) is enforced for all human accounts accessing production systems.
- Single sign-on (SSO) via SAML 2.0 is available on Firm and Enterprise tiers, with support for Okta, Azure AD, and Google Workspace.
- SCIM provisioning is supported for automated user lifecycle management.
- Every read and write operation is logged with the actor identity, timestamp, and relevant policy version.
- ABR Labs personnel follow a least-privilege principle. Production access is granted on a need-to-know basis and is reviewed quarterly.
Incident notification
ABR Labs commits to notifying affected customers within 24 hours of becoming aware of a security incident that involves unauthorised access to or disclosure of Customer Data. This commitment is consistent with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth).
For customers in the financial services sector, incident classification follows the APRA CPS 234 framework. Post-incident reports are provided to affected customers within 14 days of the incident being resolved.
Vulnerability disclosure
ABR Labs operates a responsible disclosure programme. If you have identified a potential security vulnerability in Fydis or fydis.io, please report it to hello@abrlabs.io. We will acknowledge your report within two business days and provide a status update within five business days.
Safe harbour: ABR Labs will not pursue legal action against researchers who identify and report security vulnerabilities in good faith, provided they do not access or modify customer data beyond what is necessary to demonstrate the vulnerability, do not perform denial-of-service testing, and disclose the issue to ABR Labs before making it public.
Further detail
The full technical security disclosure, covering authentication architecture, infrastructure configuration, and third-party audit status, is published at fydis.io/trust/security. Customers on Firm and Enterprise tiers may request a copy of ABR Labs's most recent penetration test executive summary by contacting hello@abrlabs.io.
Last updated: 9 May 2026