Frequently asked questions about our data migrations API for HR/Payroll.

Answers to our most commonly asked questions.
  1. Answers for implemententation teams.
  2. Engineering Questions
  3. Info Sec Questions
  4. Legal
  5. Summary

1. Answers for implementation teams.

What does Affix do? 
With Affix API, implementation teams at HR/Payroll companies can enable new customers to extract their data from their former HR or Payroll system in just a few seconds.
What problem(s) does Affix solve?
We solve the problems around data extraction and conversion in the implementation process.

Data migrations in HR/Payroll are typically done in one of three ways today: either the implementations team shares a workbook with the migrating customer for them to fill out, the customer extracts their reports and sends them to the implementations team to convert and validate, or the implementations team logs into the customers' former system to extract all historical data, before converting and validating the data themselves.

There's three core issues at play: 1) because it requires the end customer to do work, there can be implementation delays, leading to missed timelines, and even early churn; 2) because customers are coming from a variety of systems, implementation teams often need to build bespoke, unscalable processes to extract or (educate customers to extract) data from differently formatted systems, or reports, and then deal with data in different formats and structures; and 3) because the data shared can be incomplete, or inputted incorrectly, there can be tons of back and forth with the end customer, leading to lower NPS, and higher operational costs.
How does it work?
As you likely know, your customers' former provider doesn't want to make it easier for customers to churn, and as such likely doesn't provide access to their official API.

Instead of using the official API of the provider, Affix builds its own API into these systems, accessing the public but non-documented APIs that connect the systems frontend to the back end.

As a result, data extraction can now happen via API. Customers can simply extract their data in 4-clicks, by selecting their former provider and entering their username and password to their former system, in a Plaid-like interface. You get the data back in 30 seconds. Because it's effortless for customers, you no longer have implementation delays.

You get the data back in one standardized format, no matter where customers are coming from. We map the providers' data models to ours, so you only need to work off of the Affix data model. You can get the data back in a CSV. If you want to go further, you can bring in an engineer to add the Affix API, so your team receives the data in the customers' new account, automating the ETL process.

We enable you to get all the data you need, without the back and forth. We have expected values in our schema to ensure you only get the data you'd expect to receive, where you'd expect to see it. And, we can enable you to extract all the data you need. We have full access to these systems, so even if you don't see the data you need in our docs, we can add a new field or endpoint to provide access to it. This means no more back and forth, and slashed operational costs.

In summary: with Affix API, you get the data back in seconds, in a standardized format, accurately. Without delays and without the implementation costs.

How easy is it to extract the data from another system during onboarding? 
Easy. Watch here: 



Do you rely on the public API from the underlying HR/Payroll system? 
No. Any cloud system, even if it doesn’t have a publicly available API, still has an API that connects the systems’ back-end to its front-end. Affix uncovers this internal API, and integrates directly into it, rather than using the API of the underlying provider. Our engineers have deep experience in this space, and there is no quick way for a company to block it. The result is you can use this API to migrate data for new customers without doing so in a manual, costly, process.
Which systems do you provide access to? 
We can provide access to any cloud system. We have 20+ integrations so far, across HR and Payroll, and can add a new integration for any cloud system typically within 24 hours of getting access to an account. If you have a customer migrating from a system that we don't have an integration with yet, we'd enter them into our Forerunner program. We'd hop on a call with them, get the information we need, and within 24 hours be able to have a read integration for them and any other customers migrating from that system.
How quickly can you add a new integration?
If there is a system you need an integration for, let us know and we can add it within 24 hours of getting access to an account. If the system has a self-sign up flow, we can add it immediately. If not, we have our Forerunner Program in which we engage directly with a customer of yours who is asking for the integration. We custom build the integration for them at no additional cost, and can typically provide the integration across your entire client base (and ours) just 24 hours after that one call with the Forerunner participant.
What data are we able to migrate?  
If the HR/Payroll admin can see data on their dashboard, it’s data we can provide an endpoint for.

Whether it's payslip data, time off data, tax ID, bank account details, or deductions, your users can migrate it, in just a few seconds.

Our live endpoints can be found in our docs: https://docs.affixapi.com/. If there’s an endpoint you need, let us know, and we can add it. We add new endpoints as our customers request them.
What's the business case for Affix? 
Affix can significantly reduce costs of implementation, while also making it easier to acquire customers.

Two of the main inhibitors of switching HR or payroll providers are the uncertainty about the ROI and business disruption caused by such a migration.

By making it easier to migrate, it's easier for a customer to switch to your software. So not only does Affix significantly reduce the cost of onboarding, it also should increase the velocity of deals.
How quickly can you add new API endpoints from HR/Payroll providers?
We can add new endpoints in just a few hours.
What does the experience look like on mobile devices? Is your experience fully responsive?
Yes! The Affix UI is fully responsive, so integrations via mobile or web are clean, easy, and intuitive. 
Can you provide a localised version of your UI? 
Yes. Let us know which language you need, and we can provide it. 
What does our customer have to do?
Affix is designed to be extremely intuitive. Your customers will click a button in your dashboard that links to the Affix connect flow. Affix will ask them to enter their credentials for their payroll or HRIS. They connect once, providing long-lived access. This will take them less than 20 seconds. You can see it in action here.
Would our competitor know that one of their customers ported their data out and into our system via Affix? 
Nope. To your competitor, it’ll simply look like the user had logged in. Your customer can port their data out of their system and into yours in under 30 seconds, and your competitor will be none-the-wiser.
What would the customer experience look like ? 
In your onboarding flow, your new customer would click a button to migrate their data, and the Affix modal would pop up. The user would be prompted to select their system, enter their credentials, and provide consent to you to use Affix to migrate their data. Affix would then pull their data into your system in less than 30 seconds. 
How many integrations do we have to build?
Just one, with us. You integrate with Affix once, and you’ll have integrations with dozens of other payroll and HRIS out of the box. Any integration you need that Affix doesn’t have, we build it for you. When compared to negotiating integrations with the provider themselves, and the labor cost of spending weeks integrating, the time difference is massive.
We're already using another integrations provider, but still have some gaps. Would there be any challenge using both them and Affix?
Nope. Our endpoints match the standard in the industry, to allow for Affix to be used easily, right alongside other providers who you may be using at the moment.
If this speeds up onboarding, will this take away from my work? 
As we’re sure you’re aware, there is always more work to be done. By making it easier to acquire customers, your company generates more revenue, and will have more resources to build more exciting products. Do you want to be handling CSV imports constantly, or do you want to be freed up to be working on delighting customers?

2. Engineering questions

Does Affix have webhooks?
Yes! Affix has webhooks. Affix is purpose built by developers, for developers. 
How long does integrating with Affix take?
Adding Affix is easy. If you have a developer that is familiar with Oath, they should be able to add it in an hour or so. If you already use OAuth integrations, such as Plaid, it’s very easy to integrate Affix, as there are familiar paths to follow. 

It's on your team to know where you'll migrate the data to in your product. This may take a little longer, maybe a couple weeks, depending on your system and how clear your product team is on where the data is going.

We have a sandbox token publicly on our docs that your engineers can start using and integrating right now: https://docs.affixapi.com/#topic-sandbox-keys-developer-mode

We also have SDKs in whichever language you use for your back end. For the front end, we have a drop-in React library– you just add it to your dependency, which gives you a button to allow users to connect their HR/Payroll system. We also have an html snippet you can add to your page. 

In addition to our sandbox, we also have a pre-production environment, as well as a starter kit to provide code examples. 

We provide all the resources to make adding Affix easy.
Do you have demo and staging environments? 
Yes! We have both a development environment (also referred to as pre-prod or staging environment) and a production environment, as well as a sandbox. Additionally we have demo accounts for several systems which you can test.
How do you handle data permissions during the integration process?
The JSON Web Token (JWT) we issue has the scopes that our customer authorised. Our Authoriser service validates that 1 ) the JWT is correctly signed and 2) the JWTs contain the scopes to authorise the endpoint.
Can we do a data quality check?
Yes! Use your own account to test our system or use one of our demo accounts. You can also use our sandbox.
Do you track uptime?
Yes. Our uptime is between 99%  - 100% for the past three months, depending on the specific service. You can follow it here: https://status.affixapi.com/ 
How can we trigger events that would normally be triggered from your side in production?
You call our API. When you make a call to us, that turns into a live request to the provider. There is no “data sync/synchronisation process,” like other unified APIs. However, we do have webhooks. In this case, you don’t need to call our API for changes –  we’ll let you know when something’s been changed. 
How frequently can we get data? 
You can get data back at any interval you’d like, and even in real-time. Our system is designed differently from other API aggregators’ like Merge and Kombo. We don’t store data and we don’t have a synchronisation process. You call our endpoint and you get the data back in real-time, or you can enable webhooks and we can let you know when something’s been changed. We can update you at any interval or in real-time.

3. Commercial Questions

Do you charge based on API call?
No.
What do the commercials look like?
For migrations, we charge per migration, with the first 5 migrations free. After the first 5, we have a monthly minimum. We provide proof of concepts as well to get started, risk free.

4. Questions on security

Does Affix sell data?
No.

Does Affix store data?
We view data as a liability, and as such we store as little data as possible. We don’t store any employment data beyond a temporary cache with TTL set for the purpose of satisfying developer’s API requests with as little latency as possible, deleting the cache automatically within just two hours. The only information from end users that we store longer term is usernames and passwords for long-lived access. This data is encrypted via an AWS KMS symmetric key with key rotation enabled, and stored (ciphertext only) in an AWS DynamoDB table (encrypted at rest). Affix’s database, AWS DynamoDB, is secured via AWS IAM, and internal systems are provided access via the principle of least privilege. Our encryption key, a Customer Managed Key behind AWS KMS, is secured via AWS IAM, and internal systems are provided access via the principle of least privilege. Traffic between you or customers and the Affix API is encrypted in-transit with TLS. If you’re interested in learning more, you can read our privacy policy for our end user here, and our privacy policy for our customers here

When compared with current alternatives to transfer this data, such as via CSV, it’s clear that Affix is the most secure solution out there. You can read more about Affix’s security here.
How is the network communication secured, both in terms of confidentiality and integrity?
All endpoints between you and Affix are secured by TLS 1.2 encryption. The client data endpoints are additionally secured by passing a Bearer Token in the Authorization header. The bearer token is a JWT (Jason Web Token) which is cryptographically secure and is never stored by Affix. Additionally, Affix strips the JWT signature from the logs, so we can never replay your request.  

Your management endpoints are secured by passing a Basic base64-encoding of the client_id:client_secret in the Authorization header.

TLDR: you and only you get a secret key into your customer’s system and only you can use that key; not even Affix gets this. Our company principle is that we view data as a liability and want nothing to do with it. Your customer’s data is between you and your customer only.
How do you protect HTTP endpoints exposed publicly? 
We use AWS Web Application Firewall (WAF) and rate limiting to protect HTTP endpoints.
How do you store and protect production secrets?
We don’t store JWTs. Our DynamoDB table which holds credentials/API keys is encrypted at rest, and the actual field that stores credentials/API keys is additionally encrypted by an asymmetric AWS KMS key with key rotation enabled. We don’t have access to the key itself.

You can read more about our architecture and our approach towards data security here: https://affixapi.com/security
How would authentication and the disconnect flow work, in case of errors during the authentication process or expired tokens? 
We have a disconnect endpoint. This will wipe all the data in the token.
What is the frequency of your data synchronisation process?
Our system is designed differently from API aggregators’ like Merge/Kombo. We don’t store data and we don’t have a synchronisation process. You call our endpoint and you get the data back in real-time. When you make a call to us, that turns into a live request to the provider.

We also have webhooks - in which case we will let you know when something’s been changed, rather than you calling our endpoints. How this works is we configure JWTs to run at a certain interval, store data in a temporary cache (with TTL set); detect if there’s been a diff, and then send you the diff’d records. That interval can be 1 hour, 6 hours, 12 hours, once a day, or any other interval you’d like. 
Is Affix ISO27001 compliant? 
Yes. Affix is ISO27001 compliant, and we’re currently undergoing our ISO ISO27001 audit to receive our certification, which should be by February 10, 2024 at the latest.
5. Questions on Legal & Compliance
Is Affix GDPR compliant?
Yes. Affix when it comes to end user data, Affix is a data processor, and does not send data outside of EU/GDPR adequate countries. For data collected in standard interactions with us when you engage with us via sales, marketing, and and in other situations, we are a data controller, and we are also GDPR complaint. We have Date Processing Addendums in place with all our sub-processors. You can read our own DPA here and see our list of sub-processors here.  We follow stringent data security practices internally. To learn more about how we handle data and privacy, you can read our Developer Privacy Policy, or our End User Privacy Policy. You can find our Data Breach Policy here We are in the midst of publishing our trust center, but if you need to see any of our other internal policies, please contact us and we can provide them immediately.

Is there any precedence for using the internal API, rather than the public API?
Yes. Before Open Banking was established, Plaid ($700m+ in venture funding, customers include Wise, Revolut, Venmo, and Chime) accessed banks’ internal APIs to create a single API into all of banking, facilitating the takeoff of the fintech industry. Affix is using a similar method to provide its vertically integrated API for HR/Payroll systems.

Is using the internal API legal in the US, UK, and EU?
Yes, absolutely! Affix uses the same method of integrating that Plaid employs, which is used by companies like Revolut, Wayflyer, Cleo, and Wise in the UK and the EU, and almost every fintech in the United States.
Does Affix infringe on copyright laws?
No. Affix does not scrape copyrighted data like photographs or text paragraphs for reproduction. The data collected by Affix wouldn't be subject to copyright as it doesn't meet the standard of originality, creativity, and authorship.
What about database rights infringement?
Affix doesn't infringe on database rights, because the data is factual or non-original.

Would there be any risk to a user of the HR/Payroll provider for using Affix?
No. Affix operates as an intermediary between the end user, the HR/payroll providers, and our customer. Any action taken by an HR/Payroll system would be against Affix, not its customers, and would be about a policy violation, rather than a legal one.
What happens if a payroll provider learns of Affix? 
Affix is designed to avoid detection in the first place. From our experience, if the providers notice the activity, the most aggressive action they take is to increase the technical challenges Affix needs to make in order to access the data, such as bot challenges, or attempting to ban IP ranges of Affix’s servers.  Between the resources needed to do so, and the risk of churning their customers, the payroll providers are not too likely to, let alone discover it’s happening to begin with. However, even if they were to, that’s something Affix is experienced with and would be able to overcome in short-order.
In summary, is it safe for a customer to use Affix?
Yes, Affix is GDPR compliant, does not violate copyright or trademark rights, and is built with security at the forefront of design decisions. While the areas of law are complex, Affix has barristers registered in England, Wales, and Ireland on its advisory council, is in good legal standing, and operates with due diligence. 
Does Affix have insurance?
Yes– Affix has public indemnity insurance, cyber insurance, directors and officers insurance, and employer liability insurance as well. 
This is a key business function for us. Is there a risk of being too reliant on Affix?
At Affix, our success is directly aligned with our customers. As such, we believe in fair and transparent terms. For any partnership we enter, we establish mutual agreements on pricing that provide protections from unfair price hikes, providing for long-term, mutually beneficial partnerships.
6. Summary
What's the TLDR?
Affix is designed from the ground up by an engineer to be the API that an engineer would want to use. It makes data migrations easy. It's intuitive, it just works, and it gives you everything you could need such as canaries, industry standard endpoints, and webhooks.

And, it's secure and compliant. Affix is serverless and doesn't store sensitive employment data. If you enable webhooks, there's a brief cache, but it's heavily encrypted. We are GDPR compliant, and ISO 27001 certified.

Lastly we provide free, no-risk trials. No set up fee. No fee per API call. With pricing that fits your business.
How soon can we have access to it?
Affix is live now. Claim your place for onboarding by booking a discovery call with our team below.
Get in touch