Frequently asked questions about our API for Data Migration.

Answers to our most commonly asked questions.
  1. General product questions
  2. Engineering questions
  3. Commercial Questions
  4. Questions on security
  5. Questions on Legal & Compliance
  6. Summary

1. General product questions

What does Affix do? 
With the Affix API, HR & Payroll companies can enable new customers to migrate data from their former HR or Payroll system in a matter of seconds, via API. Affix is a vertically-integrated API into dozens of HR & Payroll systems, allowing your team to integrate once and have all your data migration and transformation issues handled.
What is a vertically-integrated API?
A vertically-integrated API is an API that is built completely by Affix, rather than by using the public APIs of the underlying HR/Payroll systems. Unlike traditional Unified APIs or API aggregators, such as Merge and Kombo, which aggregate the publicly-provided APIs of the underlying systems, a vertically-integrated API, such as Affix, builds its own API into these underlying systems – whether these systems have a public API or not. This enables unfettered access to systems, endpoints, and use cases that aren’t available via the public API— such as new customer data migration.
How easy is it to extract the data from another system during onboarding? 
Easy. Watch here:
Is this for the employer side, or employee side?
Affix is for employer-side integrations. Anything an HR or Payroll admin can see in their cloud software is data that can be migrated into their new system via our API, with as much or as little data shared as desired (i.e., custom scopes).
Do you rely on the public API from the underlying HR/Payroll system? 
No. Any cloud system, even if it doesn’t have a publicly available API, still has an API that connects the system’s back end to its front end. Affix uncovers this internal API and integrates directly into it, rather than using the provider’s public API. Our engineers have deep experience in this space, and there is no quick way for a company to block it. The result is that you can use this API to migrate data for new customers without a manual, costly process.
Which systems do you provide access to? 
We can provide access to any cloud system. We have 20+ integrations so far, across HR and Payroll, and can add a new integration for any cloud system typically within 24 hours of getting access to an account. If you have a customer migrating from a system that we don't have an integration with yet, we'd enter them into our Forerunner program. We'd hop on a call with them, get the information we need, and within 24 hours be able to have a read integration for them and any other customers migrating from that system.
How quickly can you add a new integration?
If there is a system you need an integration for, let us know and we can add it within 24 hours of getting access to an account. If the system has a self-sign up flow, we can add it immediately. If not, we have our Forerunner Program in which we engage directly with a customer of yours who is asking for the integration. We custom build the integration for them at no additional cost, and can typically provide the integration across your entire client base (and ours) just 24 hours after that one call with the Forerunner participant.
What data are we able to migrate?  
If the HR/Payroll admin can see data on their dashboard, it’s data we can provide an endpoint for.

Whether it's payslip data, time off data, tax ID, bank account details, or deductions, your users can migrate it, in just a few seconds.

Our live endpoints can be found in our docs: https://docs.affixapi.com/. If there’s an endpoint you need, let us know, and we can add it. We add new endpoints as our customers request them.
What's the business case for Affix? 
Affix can significantly reduce costs of implementation, while also making it easier to acquire customers.

Two of the main inhibitors to switching HR or payroll providers are uncertainty about the ROI and the business disruption caused by such a migration.

By making it easier to migrate, it's easier for a customer to switch to your software. So not only does Affix significantly reduce the cost of onboarding, it also should increase the velocity of deals.
How quickly can you add new API endpoints from HR/Payroll providers?
We can add new endpoints in just a few hours.
What does the experience look like on mobile devices? Is your experience fully responsive?
Yes! The Affix UI is fully responsive, so integrations via mobile or web are clean, easy, and intuitive. 
Can you provide a localised version of your UI? 
Yes. Let us know which language you need, and we can provide it. 
What does our customer have to do?
Affix is designed to be extremely intuitive. Your customers will click a button in your dashboard that links to the Affix connect flow. Affix will ask them to enter their credentials for their payroll or HRIS. They connect once, providing long-lived access. This will take them less than 20 seconds. You can see it in action here.
Would our competitor know that one of their customers ported their data out and into our system via Affix? 
Nope. To your competitor, it’ll simply look like the user has logged in. Your customer can port their data out of their system and into yours in under 30 seconds, and your competitor will be none the wiser.
What would the customer experience look like?
In your onboarding flow, your new customer would click a button to migrate their data, and the Affix modal would pop up. The user would be prompted to select their system, enter their credentials, and provide consent to you to use Affix to migrate their data. Affix would then pull their data into your system in less than 30 seconds. 
How many integrations do we have to build?
Just one, with us. You integrate with Affix once, and you’ll have integrations with dozens of other payroll and HRIS out of the box. Any integration you need that Affix doesn’t have, we build it for you. When compared to negotiating integrations with the provider themselves, and the labor cost of spending weeks integrating, the time difference is massive.
We're already using another integrations provider, but still have some gaps. Would there be any challenge using both them and Affix?
Nope. Our endpoints match the standard in the industry, to allow for Affix to be used easily, right alongside other providers who you may be using at the moment.
If this speeds up onboarding, will this take away from my work? 
As we’re sure you’re aware, there is always more work to be done. By making it easier to acquire customers, your company generates more revenue, and will have more resources to build more exciting products. Do you want to be handling CSV imports constantly, or do you want to be freed up to be working on delighting customers?

2. Engineering questions

Does Affix have webhooks?
Yes! Affix has webhooks. Affix is purpose built by developers, for developers. 
How long does integrating with Affix take?
Adding Affix is easy. If you have a developer who is familiar with OAuth, they should be able to add it in an hour or so. If you already use OAuth integrations such as Plaid, integrating Affix is very easy, as there are familiar paths to follow.

It's on your team to know where you'll migrate the data to in your product. This may take a little longer, maybe a couple weeks, depending on your system and how clear your product team is on where the data is going.

We have a sandbox token publicly on our docs that your engineers can start using and integrating right now: https://docs.affixapi.com/#topic-sandbox-keys-developer-mode

We also have SDKs in whichever language you use for your back end. For the front end, we have a drop-in React library: add it to your dependencies and it gives you a button that lets users connect their HR/Payroll system. We also have an HTML snippet you can add to your page.

In addition to our sandbox, we also have a pre-production environment, as well as a starter kit to provide code examples. 

We provide all the resources to make adding Affix easy.
Do you have demo and staging environments? 
Yes! We have both a development environment (also referred to as pre-prod or staging environment) and a production environment, as well as a sandbox. Additionally we have demo accounts for several systems which you can test.
How do you handle data permissions during the integration process?
The JSON Web Token (JWT) we issue carries the scopes that our customer authorised. Our Authoriser service validates that 1) the JWT is correctly signed and 2) the JWT contains the scopes that authorise the requested endpoint.
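As an added illustration of the two checks above (this is example code, not Affix’s Authoriser; Affix’s signing algorithm, claim names, scope names and endpoint paths are not documented on this page, so the HS256 secret, the `scope` claim and the endpoint-to-scope table below are assumptions), here is an authoriser that pins the algorithm, verifies the signature in constant time, rejects expired tokens, and then requires the scope mapped to the endpoint:

```python
# Added example, not Affix's code. Algorithm (HS256), shared secret, claim
# names and the endpoint -> scope table are assumptions for this illustration.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-signing-key-not-for-production"  # assumed shared HMAC secret

# Assumed mapping: which scope a token must carry to call each endpoint.
ENDPOINT_SCOPES = {
    "/employees": "employees",
    "/payslips": "payslips",
    "/time-off": "time-off",
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(scopes, ttl_seconds=3600, now=None) -> str:
    """Issue a signed HS256 token carrying the scopes that were authorised."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"scope": " ".join(scopes), "iat": now, "exp": now + ttl_seconds}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(payload).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def authorise(token: str, endpoint: str, now=None) -> tuple[bool, str]:
    """Return (allowed, reason). Signature is checked before any claim is trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "undecodable token"
    # Pin the algorithm: the token must never choose "none" or a different alg.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if payload.get("exp", 0) <= now:
        return False, "token expired"
    needed = ENDPOINT_SCOPES.get(endpoint)
    if needed is None:
        return False, "unknown endpoint"
    granted = set(payload.get("scope", "").split())
    if needed not in granted:
        return False, f"missing scope {needed}"
    return True, "ok"
```

The order matters: the signature is verified before `exp` or `scope` is read, and the algorithm is taken from the server’s expectation rather than from the token header, so a token with `alg: none` or a re-signed payload is rejected before any claim is trusted.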
Can we do a data quality check?
Yes! Use your own account to test our system or use one of our demo accounts. You can also use our sandbox.
Do you track uptime?
Yes. Our uptime has been between 99% and 100% for the past three months, depending on the specific service. You can follow it here: https://status.affixapi.com/
How can we trigger events that would normally be triggered from your side in production?
You call our API. When you make a call to us, it turns into a live request to the provider. There is no data sync/synchronisation process of the kind other unified APIs run. However, we do have webhooks; in that case you don’t need to call our API for changes, we’ll let you know when something has changed.
How frequently can we get data? 
You can get data back at any interval you’d like, and even in real time. Our system is designed differently from other API aggregators such as Merge and Kombo: we don’t store data and we don’t have a synchronisation process. You call our endpoint and you get the data back in real time, or you can enable webhooks and we’ll let you know when something has changed. We can update you at any interval or in real time.

3. Commercial Questions

Do you charge based on API call?
No.
What do the commercials look like?
For migrations, we charge per migration, with the first 5 migrations free. After the first 5, we have a monthly minimum. We provide proof of concepts as well to get started, risk free.

4. Questions on security

Does Affix sell data?
No.

Does Affix store data?
We view data as a liability, and as such we store as little data as possible. We don’t store any employment data beyond a temporary cache with a TTL set, kept only so that developers’ API requests can be served with as little latency as possible; the cache is deleted automatically within two hours. The only end-user information we store longer term is usernames and passwords, which are needed for long-lived access. This data is encrypted with an AWS KMS symmetric key with key rotation enabled, and only the ciphertext is stored, in an AWS DynamoDB table that is itself encrypted at rest. Both the DynamoDB table and the encryption key (a Customer Managed Key in AWS KMS) are secured via AWS IAM, and internal systems are granted access on the principle of least privilege. Traffic between you or your customers and the Affix API is encrypted in transit with TLS. If you’re interested in learning more, you can read our privacy policy for end users here, and our privacy policy for our customers here.

When compared with current alternatives to transfer this data, such as via CSV, it’s clear that Affix is the most secure solution out there. You can read more about Affix’s security here.
How is the network communication secured, both in terms of confidentiality and integrity?
All endpoints between you and Affix are secured with TLS 1.2. The client data endpoints are additionally secured by a Bearer token passed in the Authorization header. The bearer token is a JWT (JSON Web Token) that is cryptographically signed and is never stored by Affix. Additionally, Affix strips the JWT signature before anything is written to logs, so a logged token can never be replayed against your customer’s data.

Your management endpoints are secured with HTTP Basic authentication: the base64 encoding of client_id:client_secret, passed in the Authorization header.

TLDR: you, and only you, hold the key into your customer’s system, and only you can use it; not even Affix keeps it. Our company principle is that we view data as a liability and want nothing to do with it. Your customer’s data is between you and your customer only.
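Added example (not Affix’s code): the two Authorization header forms described above, a constant-time server-side check of the Basic form, and a log filter that drops a JWT’s signature segment before the line is written, which is what makes a logged token unusable for replay. The client_id/client_secret values and the log text are constructed for the example.

```python
# Added example, not Affix's code. Credentials and log lines are constructed.
import base64
import hmac
import re


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Management endpoints: HTTP Basic, i.e. base64(client_id:client_secret)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def bearer_header(jwt: str) -> str:
    """Data endpoints: the signed JWT as a Bearer token."""
    return "Bearer " + jwt


def check_basic_auth(header: str, expected_id: str, expected_secret: str) -> bool:
    """Server side: parse a Basic header and compare both parts in constant time."""
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic" or not encoded:
        return False
    try:
        decoded = base64.b64decode(encoded, validate=True).decode()
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    client_id, sep, secret = decoded.partition(":")
    if not sep:
        return False
    # Evaluate both comparisons; do not short-circuit on an id mismatch.
    ok_id = hmac.compare_digest(client_id.encode(), expected_id.encode())
    ok_secret = hmac.compare_digest(secret.encode(), expected_secret.encode())
    return ok_id & ok_secret


# A JWT with a JSON header always starts with "eyJ" (base64url of '{"').
_JWT_RE = re.compile(r"(eyJ[A-Za-z0-9_-]*)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)")


def redact_jwt(text: str) -> str:
    """Keep header and payload (only base64url, not secret) but drop the
    signature, so the logged value can never be presented to the API again."""
    return _JWT_RE.sub(lambda m: f"{m.group(1)}.{m.group(2)}.[sig-redacted]", text)
```

Run `redact_jwt` over every log line that might carry an Authorization header, not just the ones you expect to; the header and payload segments are still readable after redaction, which is useful for debugging, but without the third segment the value fails signature validation.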
How do you protect HTTP endpoints exposed publicly? 
We use AWS Web Application Firewall (WAF) and rate limiting to protect HTTP endpoints.
How do you store and protect production secrets?
We don’t store JWTs. Our DynamoDB table holding credentials/API keys is encrypted at rest, and the field that stores the credentials/API keys is additionally encrypted with a symmetric AWS KMS key with key rotation enabled (AWS KMS automatic rotation is only available for symmetric keys). The key material never leaves KMS, so we don’t have access to the key itself. Note that rotation does not re-encrypt existing ciphertext: KMS retains every key version, so records encrypted under an earlier version remain decryptable, and only new writes use the current version.

You can read more about our architecture and our approach towards data security here: https://affixapi.com/security
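Added example (not Affix’s code or policy): a least-privilege check over an IAM policy of the shape described above, where one internal service is allowed to use exactly one DynamoDB table and one KMS key. The ARNs, account ID, table name and encryption-context key are made up for the illustration; the check flags wildcard actions or resources, NotAction/NotResource grants, and kms:Decrypt granted without a condition.

```python
# Added example, not Affix's policy. ARNs, account ID, table and context key are assumed.
from typing import Any

CREDENTIAL_SERVICE_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"],
            "Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/credentials",
        },
        {
            "Effect": "Allow",
            "Action": ["kms:Encrypt", "kms:Decrypt"],
            "Resource": "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555",
            # Only ciphertext produced with this encryption context can be decrypted.
            "Condition": {"StringEquals": {"kms:EncryptionContext:table": "credentials"}},
        },
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def least_privilege_findings(policy: dict[str, Any]) -> list[str]:
    """Return a list of human-readable findings; an empty list means the policy passed."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"statement {i}: NotAction/NotResource grants everything not listed")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {a}")
        for r in resources:
            if r == "*":
                findings.append(f"statement {i}: wildcard resource")
        if any(a.lower() in ("kms:decrypt", "kms:*") for a in actions) and "Condition" not in st:
            findings.append(f"statement {i}: kms:Decrypt without an encryption-context condition")
    return findings
```

Run this against the policy attached to each internal role before deployment; a non-empty result is the signal that a role can reach more than the one table and one key it needs.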
How would authentication and the disconnect flow work, in case of errors during the authentication process or expired tokens? 
We have a disconnect endpoint. Calling it revokes the token and wipes all the data associated with it.
What is the frequency of your data synchronisation process?
Our system is designed differently from API aggregators such as Merge/Kombo. We don’t store data and we don’t have a synchronisation process. You call our endpoint and you get the data back in real time. When you make a call to us, it turns into a live request to the provider.

We also have webhooks, in which case we let you know when something has changed rather than you calling our endpoints. How this works: at a configured interval we use the connection’s token to pull the data from the provider, keep the previous snapshot in a temporary cache (with a TTL set), detect whether there is a diff, and send you only the changed records. That interval can be 1 hour, 6 hours, 12 hours, once a day, or any other interval you’d like.
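Added example (not Affix’s code) of the poll, cache and diff loop described above, and of the real-time-versus-webhook distinction in the engineering section. The record shape, the `id` key and the `fetch` callback standing in for the live provider request are assumptions. One check worth making with this model: the cache TTL must outlast the polling interval, otherwise every poll finds no previous snapshot, re-baselines, and no diff is ever sent.

```python
# Added example, not Affix's code. Record shape, "id" key and fetch() are assumed.
from typing import Callable, Optional

Record = dict
Snapshot = list[Record]


class TTLCache:
    """Minimal in-memory cache whose entries expire `ttl_seconds` after being stored."""

    def __init__(self, ttl_seconds: int):
        self.ttl = ttl_seconds
        self._store: dict[str, tuple[int, Snapshot]] = {}

    def get(self, key: str, now: int) -> Optional[Snapshot]:
        entry = self._store.get(key)
        if entry is None:
            return None
        stored_at, value = entry
        if now - stored_at >= self.ttl:
            del self._store[key]  # expired: behave as if never cached
            return None
        return value

    def put(self, key: str, value: Snapshot, now: int) -> None:
        self._store[key] = (now, value)


def diff_records(previous: Snapshot, current: Snapshot, key: str = "id") -> dict:
    """Compare two snapshots keyed on `key`; changed records are reported with their new values."""
    prev = {r[key]: r for r in previous}
    cur = {r[key]: r for r in current}
    return {
        "added": [cur[k] for k in cur if k not in prev],
        "changed": [cur[k] for k in cur if k in prev and prev[k] != cur[k]],
        "removed": [prev[k] for k in prev if k not in cur],
    }


def poll_and_diff(connection_id: str, fetch: Callable[[], Snapshot],
                  cache: TTLCache, now: int) -> Optional[dict]:
    """One scheduled poll: fetch live data, diff against the cached snapshot, re-cache.
    Returns None when there is no usable previous snapshot (first poll, or the cached
    one expired before this poll ran); that poll only establishes a new baseline."""
    current = fetch()  # stand-in for the live request to the provider
    previous = cache.get(connection_id, now)
    cache.put(connection_id, current, now)
    if previous is None:
        return None
    return diff_records(previous, current)


def has_changes(diff: Optional[dict]) -> bool:
    """True when a poll produced at least one added, changed or removed record."""
    return bool(diff) and any(diff[k] for k in ("added", "changed", "removed"))
```

Only the records in the diff need to leave the cache and go out in the webhook, which is why the snapshot itself can stay short-lived; with the page’s own numbers (a two-hour cache, intervals of up to a day) it is the TTL-versus-interval relationship that decides whether a change is ever reported.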
Is Affix ISO27001 compliant? 
Yes. Affix is ISO 27001 compliant, and we’re currently undergoing our ISO 27001 audit to receive our certification, which we expect by February 10, 2024 at the latest.
5. Questions on Legal & Compliance
Is Affix GDPR compliant?
Yes. When it comes to end user data, Affix is a data processor, and does not send data outside the EU or GDPR-adequate countries. For data collected in standard interactions with us, for example when you engage with us via sales, marketing, or other situations, we are a data controller, and we are also GDPR compliant. We have Data Processing Addendums in place with all our sub-processors. You can read our own DPA here and see our list of sub-processors here. We follow stringent data security practices internally. To learn more about how we handle data and privacy, you can read our Developer Privacy Policy or our End User Privacy Policy. You can find our Data Breach Policy here. We are in the midst of publishing our trust center, but if you need to see any of our other internal policies, please contact us and we can provide them immediately.

Is there any precedent for using the internal API, rather than the public API?
Yes. Before Open Banking was established, Plaid ($700m+ in venture funding, customers include Wise, Revolut, Venmo, and Chime) accessed banks’ internal APIs to create a single API into all of banking, facilitating the takeoff of the fintech industry. Affix is using a similar method to provide its vertically integrated API for HR/Payroll systems.

Is using the internal API legal in the US, UK, and EU?
Yes, absolutely! Affix uses the same method of integrating that Plaid employs, which is used by companies like Revolut, Wayflyer, Cleo, and Wise in the UK and the EU, and almost every fintech in the United States.
Does Affix infringe on copyright laws?
No. Affix does not scrape copyrighted data like photographs or text paragraphs for reproduction. The data collected by Affix wouldn't be subject to copyright as it doesn't meet the standard of originality, creativity, and authorship.
What about database rights infringement?
Affix doesn't infringe on database rights, because the data is factual or non-original.

Would there be any risk to a user of the HR/Payroll provider for using Affix?
No. Affix operates as an intermediary between the end user, the HR/payroll providers, and our customer. Any action taken by an HR/Payroll system would be against Affix, not its customers, and would concern a policy violation rather than a legal one.
What happens if a payroll provider learns of Affix? 
Affix is designed to avoid detection in the first place. In our experience, if a provider notices the activity, the most aggressive action it takes is to raise the technical obstacles Affix has to overcome to access the data, such as bot challenges or attempts to ban the IP ranges of Affix’s servers. Between the resources needed to do so and the risk of churning their own customers, payroll providers are unlikely to do this, let alone discover it is happening to begin with. Even if they were to, it is something Affix is experienced with and would overcome in short order.
In summary, is it safe for a customer to use Affix?
Yes, Affix is GDPR compliant, does not violate copyright or trademark rights, and is built with security at the forefront of design decisions. While the areas of law are complex, Affix has barristers registered in England, Wales, and Ireland on its advisory council, is in good legal standing, and operates with due diligence. 
Does Affix have insurance?
Yes– Affix has public indemnity insurance, cyber insurance, directors and officers insurance, and employer liability insurance as well. 
This is a key business function for us. Is there a risk of being too reliant on Affix?
At Affix, our success is directly aligned with our customers. As such, we believe in fair and transparent terms. For any partnership we enter, we establish mutual agreements on pricing that provide protections from unfair price hikes, providing for long-term, mutually beneficial partnerships.
6. Summary
What's the TLDR?
Affix is designed from the ground up by an engineer to be the API that an engineer would want to use. It makes data migrations easy. It's intuitive, it just works, and it gives you everything you could need such as canaries, industry standard endpoints, and webhooks.

And, it's secure and compliant. Affix is serverless and doesn't store sensitive employment data beyond a short-lived encrypted cache used to serve requests and webhook diffs. We are GDPR compliant, and our ISO 27001 certification audit is in progress.

Lastly we provide free, no-risk trials. No set up fee. No fee per API call. With pricing that fits your business.
How soon can we have access to it?
Affix is live now. Claim your place for onboarding by booking a discovery call with our team below.