Frequently asked questions

Answers to our most commonly asked questions.

1. General product questions

What does Affix do?

With Affix, companies can integrate with dozens of HR/Payroll systems via a vertically integrated API – with access to any system, endpoint, or use case. This allows customers to get access to the data they need to build innovative products, serve their customers in a seamless and secure way, and integrate with multiple providers with just one integration.

What is a vertically-integrated API?

A vertically integrated API is a single API into dozens of different systems. Unlike traditional Unified APIs or API aggregators, such as Merge and Kombo, which aggregate the publicly-provided APIs of the underlying systems, a vertically - integrated API, such as Affix, builds its own API into these underlying systems – whether these systems have a public API or not. This enables unfettered access to systems, endpoints, and use cases that aren’t available via the public API, and by virtue, are inaccessible to traditional Unified APIs.

How is it different from Merge or Kombo?

As explained above, Merge and Kombo, as Unified APIs, aggregate the APIs that HR/Payroll providers publish themselves. As a result, Unified APIs face three types of constraints, due to the limits imposed upon them by these underlying providers:

Many systems don't have a public API at all, due to a lack of resources or because of company strategy. If these systems don't have a public API, API aggregators like Merge and Kombo cannot provide access to them.
‍
HR/Payroll systems that have a public API often limit access to endpoints available, to maintain their status as the customers' primary platform of engagement; and
‍
HR/Payroll systems that have a public API often limit access to use cases that go against their strategic priorities such as:

— HR/payroll switching (because they don't want to facilitate the churn of customers),

— Writing into payroll, to ensure they don't dis-intermediate themselves; and

— Use cases by companies that would compete for revenue opportunities with them.

As a result of aggregating these underlying APIs, unified APIs like Merge and Kombo are inherently limited by these same constraints.

Affix, as a vertically integrated API, builds its own API into these systems, instead of simply aggregating the available APIs. As a result, Affix can provide unfettered access via API to:

any cloud system, even payroll systems that don't otherwise have an API;
‍
any endpoint, even if it's not exposed in a systems' public API; and
‍
any use case, including new customer data migration, writing into payroll, and products and services that compete with the underlying provider.

Is this for the employer side, or employee side?

Affix is an employer side integration. Anything an HR or Payroll admin can see in their cloud software, is data that can be sent via API, with as much or as little data shared as possible (i.e. custom scopes).

How does it work?

Affix is an OAuth 2.1 application that allows developers to access certain data collected from HR/payroll systems, without developers needing to manage integrations or collect login credentials from users for these third party systems. Affix uses both official and internal developer APIs from the providers themselves to collect data from certain third parties while that data is en-route to be displayed on web pages.

Do you rely on the public API from the underlying HR/Payroll system?

No. As discussed above, Any cloud system, even if it doesn’t have a publicly available API, still has an API that connects the systems’ back-end to its front-end. Affix uncovers this internal API, and integrates directly into it, rather than using the API of the underlying provider. That being said, if, for whatever reason, you’d like to use the standard underlying API, we also have an "official" mode that enables that.

Which systems do you provide access to?

We can provide access to any cloud system. We have 20+ integrations so far, which you can see in the nav bar of our website here.

How quickly can you add a new integration?

If there is a system you need an integration for, let us know and we can add it within 24 hours of getting access to an account. If the system has a self-sign up flow, we can add it immediately. If not, we have our Forerunner Program in which we engage directly with a customer of yours who is asking for the integration. We custom build the integration for them at no additional cost, and can typically provide the integration across your entire client base (and ours) just 24 hours after that one call with the Forerunner participant.
‍
We can add read integrations within 24 hours of getting access to an account, and write integrations for creating and updating employee data within a week of getting access to an account. Other write integrations can be accomodated but over a longer time frame and is on a case by case basis.

What data are we able to access, or build integrations with?

If the HR/Payroll admin can see data on their dashboard, it’s data we can provide an endpoint for. Affix is not constrained by the restrictions imposed by the HR/Payroll providers’ existing APIs.

For example– we can provide (and update) bank account numbers and details that no other Unified API can provide, because most HRIS companies don’t provide bank account numbers via API.

Our live endpoints can be found in our docs: https://docs.affixapi.com/. If there’s an endpoint you need, let us know, and we can add it. Not every system is the same, so we add new endpoints as our customers request them.

What are some use cases for Affix?

Affix is perfect for anyone from benefits companies looking to connect with their customers' systems, payroll providers looking to connect with their customers' HRIS and vice versa, EORs, and even HRIS or Payroll providers that want to support new customers in migrating their data from their old system into their new one.

Additionally, if you need integrations with systems that don't have a public API, need access to endpoints not provided over existing APIs, or have use cases not supported by existing APIs and API aggregators—don't worry, we can help.

How quickly can you integrate new API endpoints from HR/Payroll providers?

We can add new endpoints in just a few hours.

Can we write back into payroll systems, in addition to Read access?

Yes, though the timelines will differ depending on your use case. For new systems we haven’t added yet, we can add a read integration for it just under 24 hours of getting access to an account. Write use cases, such as creating and updating employee data, takes roughly one week from the moment we get access to the first account. Write use cases for deductions will take a few weeks, and payruns as well, but these use cases are on our roadmap today.

What does the experience look like on mobile devices? Is your experience fully responsive?

Yes! The Affix UI is fully responsive, so integrations via mobile or web are clean, easy, and intuitive.

Can you provide a localised version of your UI?

Yes. Let us know which language you need, and we can provide it.

What does our customer have to do?

Affix is designed to be extremely intuitive. Your customers will click a button in your dashboard that links to the Affix connect flow. Affix will ask them to enter their credentials for their payroll or HRIS. They connect once, providing long-lived access. This will take them less than 20 seconds. You can see it in action here.

We have potential customers who want to switch out of their former HR/Payroll system, and into ours. Can Affix help with this data migration?

Yes. When your potential customer has their entire company’s data backed up into one system, it can be pretty difficult to make them switch. Affix can make data migration easy, allowing new customers to port their data over from their old provider with a click of a button, and onboard into your product seamlessly.

This can significantly decrease time-to-value, and, depending on your industry – your competitors’ switching cost along with it.

Would our competitor know that one of their customers ported their data out and into our system via Affix?

Nope. To your competitor, it’ll simply look like the user had logged in. Your customer can port their data out of their system and into yours in under 30 seconds, and your competitor will be none-the-wiser.

What would the customer experience look like here?

The use case of HR/Payroll switching, or new customer data migration, would work just like our standard flow. In your onboarding flow, your new customer would click a button to migrate their data, select their system, enter their credentials, and Affix would pull their data into your system in less than 30 seconds.

We currently use another unified API for HRIS, but it doesn’t give us all the data we want from our customers’ systems. Can Affix unlock that data for us?

Yes. Even when platforms do have public APIs, they’re often limited in the data that’s available. Affix builds our own API into these systems to provide you access to data not otherwise available. If the HR/Admin can see the data in their dashboard, we can create an endpoint for it.

We're already using another integrations provider, but still have some gaps. Would there be any challenge using both them and Affix?

Nope. Our endpoints match the standard in the industry, to allow for Affix to be used easily, right alongside other providers who you may be using at the moment.

How many integrations do we have to build?

Just one, with us. You integrate with Affix once, and you’ll have integrations with dozens of other payroll and HRIS out of the box. Any integration you need that Affix doesn’t have, we build it for you. When compared to negotiating integrations with the provider themselves, and the labor cost of spending weeks integrating, the time difference is massive.

We're already using another integrations provider, but still have some gaps. Would there be any challenge using both them and Affix?

Nope. Our endpoints match the standard in the industry, to allow for Affix to be used easily, right alongside other providers who you may be using at the moment.

2. Engineering questions

Does Affix have webhooks?

Yes! Affix has webhooks. Affix is purpose built by developers, for developers.

As an engineer, won’t this take away from my work?

As we’re sure you’re aware, there is always more work to be done. Without needing to build out dozens of integrations, your company can make more money, and have more resources to build more exciting products. Do you want to be building and monitoring integrations, or do you want to work on core projects that solve customer problems?

How long does integrating with Affix take?

Integrating Affix is easy. If you have a developer that is familiar with Oath, they should be able to add it in an hour or so. If you already use OAuth integrations, such as Plaid, it’s very easy to integrate Affix, as there are familiar paths to follow.

It's on your team to know how you'll use the data to enhance your product. This may take a little longer, maybe a few days to a week, depending on your system and how clear your product team is on where the data is going.

We have a sandbox token publicly on our docs that your engineers can start using and integrating right now: https://docs.affixapi.com/#topic-sandbox-keys-developer-mode

‍We also have SDKs in whichever language you use for your back end. For the front end, we have a drop-in React library– you just add it to your dependency, which gives you a button to allow users to connect their HR/Payroll system. We also have an html snippet you can add to your page.

In addition to our sandbox, we also have a pre-production environment, as well as a starter kit to provide code examples.

We provide all the resources to make integrating Affix easy.

Do you have demo and staging environments?

Yes! We have both a development environment (also referred to as pre-prod or staging environment) and a production environment, as well as a sandbox. Additionally we have demo accounts for several systems which you can test.

How do you handle data permissions during the integration process?

The JSON Web Token (JWT) we issue has the scopes that our customer authorised. Our Authoriser service validates that 1 ) the JWT is correctly signed and 2) the JWTs contain the scopes to authorise the endpoint.

Can we do a data quality check?

Yes! Use your own account to test our system or use one of our demo accounts. You can also use our sandbox.

Do you track uptime?

Yes. Our uptime is between 99% - 100% for the past three months, depending on the specific service. You can follow it here: https://status.affixapi.com/

Can we create objects in the Sandbox?

For the sandbox, you can make POST requests and get the data you passed back in. Other than that, the sandbox data is not stored. We use a seed, so the data stays consistent across calls, but you cannot modify it and later retrieve it.

We can provide you with a demo account to certain providers (Sage, Humaans, Staffology, etc) which will store state (your created and modified objects). You can create and modify these in demo accounts of live providers, as you wish.

Additionally, feel free to bring an account on whichever system we support - that can be your sandbox, and you don’t even have to let us know

How can we trigger events that would normally be triggered from your side in production?

You call our API. When you make a call to us, that turns into a live request to the provider. There is no “data sync/synchronisation process,” like other unified APIs. However, we do have webhooks. In this case, you don’t need to call our API for changes – we’ll let you know when something’s been changed.

How frequently can we get data?

You can get data back at any interval you’d like, and even in real-time. Our system is designed differently from other API aggregators’ like Merge and Kombo. We don’t store data and we don’t have a synchronisation process. You call our endpoint and you get the data back in real-time, or you can enable webhooks and we can let you know when something’s been changed. We can update you at any interval or in real-time.

We want to move from monthly updates of data to real time updates. Can Affix help here?

Yes. With Affix you can build products and features that require real-time data. You can even be alerted via webhooks when a change in a system is made.

3. Commercial Questions

Do you charge based on API call?

No. We charge based on employer (token) connection per month. You can call our API as much as you need.

What is the financial case for Affix?

You can think of Affix in two buckets: preventing costs, and increasing potential revenue.

First, the costs: If you were to build integrations yourself, without a third party like Affix, you may have to spend months negotiating integrations with the HR/Payroll provider. You’ll then spend weeks of valuable developer hours, just on a single integration. That integration will likely have some issues, so you’ll also spend hours maintaining it every month as well. If you don’t build integrations, and simply go with CSVs full of data, you're spending valuable time ingesting and uploading this data into your system. Not to mention the security risk of sending data over CSV, or the costs of errors from data entry…After all that, you may not have access to all the data you might want, because the underlying provider limits access to it.

Secondly, on revenue: Oftentimes, integrations are a key reason as to why a buyer chooses their software partner. If you don't integrate with their existing systems, and your competitor does, don’t be surprised when you lose out on that customer. You may also have a desire to move into new markets, or build new features– all of which could enhance your revenue opportunities– but you’re prevented from doing so by lacking the necessary integrations, or the necessary endpoints. With Affix, you can accelerate your integrations, and claim those revenue opportunities before your competitors do.

Lastly, using Affix to optimize onboarding can help you remove the perceived switching cost that potential customers might see when considering whether to leave their current HR/payroll system and to come use yours. Removing your competitors switching cost and allowing new customers to switch in just a few clicks can unlock entire markets that were previously locked up.

What do the commercials look like?

For continuous use cases, Affix charges based on the number of employer connections per month, with the first 5 connections free. If a customer connects both their payroll and their HRIS to your platform through Affix, that counts as two connections. For data migrations, we charge based on migration, with the first 5 migrations free. To make sure our pricing fits your business, we offer volume discounts.

4. Questions on security

Does Affix sell data?

No.

Does Affix store data?

We view data as a liability, and as such we store as little data as possible. We don’t store any employment data beyond a temporary cache with TTL set for the purpose of satisfying developer’s API requests with as little latency as possible, deleting the cache automatically within just two hours. The only information from end users that we store longer term is usernames and passwords for long-lived access. This data is encrypted via an AWS KMS symmetric key with key rotation enabled, and stored (ciphertext only) in an AWS DynamoDB table (encrypted at rest). Affix’s database, AWS DynamoDB, is secured via AWS IAM, and internal systems are provided access via the principle of least privilege. Our encryption key, a Customer Managed Key behind AWS KMS, is secured via AWS IAM, and internal systems are provided access via the principle of least privilege. Traffic between you or customers and the Affix API is encrypted in-transit with TLS. If you’re interested in learning more, you can read our privacy policy for our end user here, and our privacy policy for our customers here.

When compared with current alternatives to transfer this data, such as via CSV, it’s clear that Affix is the most secure solution out there. You can read more about Affix’s security here.

How is the network communication secured, both in terms of confidentiality and integrity?

All endpoints between you and Affix are secured by TLS 1.2 encryption. The client data endpoints are additionally secured by passing a Bearer Token in the Authorization header. The bearer token is a JWT (Jason Web Token) which is cryptographically secure and is never stored by Affix. Additionally, Affix strips the JWT signature from the logs, so we can never replay your request.

Your management endpoints are secured by passing a Basic base64-encoding of the client_id:client_secret in the Authorization header.

TLDR: you and only you get a secret key into your customer’s system and only you can use that key; not even Affix gets this. Our company principle is that we view data as a liability and want nothing to do with it. Your customer’s data is between you and your customer only.

How do you protect HTTP endpoints exposed publicly?

We use AWS Web Application Firewall (WAF) and rate limiting to protect HTTP endpoints.

How do you store and protect production secrets?

We don’t store JWTs. Our DynamoDB table which holds credentials/API keys is encrypted at rest, and the actual field that stores credentials/API keys is additionally encrypted by an asymmetric AWS KMS key with key rotation enabled. We don’t have access to the key itself.

You can read more about our architecture and our approach towards data security here: https://affixapi.com/security

How would authentication and the disconnect flow work, in case of errors during the authentication process or expired tokens?

We have a disconnect endpoint. This will wipe all the data in the token.

What is the frequency of your data synchronisation process?

Our system is designed differently from API aggregators’ like Merge/Kombo. We don’t store data and we don’t have a synchronisation process. You call our endpoint and you get the data back in real-time. When you make a call to us, that turns into a live request to the provider.

We also have webhooks - in which case we will let you know when something’s been changed, rather than you calling our endpoints. How this works is we configure JWTs to run at a certain interval, store data in a temporary cache (with TTL set); detect if there’s been a diff, and then send you the diff’d records. That interval can be 1 hour, 6 hours, 12 hours, once a day, or any other interval you’d like.

Is Affix ISO27001 compliant?

Yes. Affix is ISO27001 compliant, and we’re currently undergoing our ISO ISO27001 audit to receive our certification, which should be by February 10, 2024 at the latest.

5. Questions on Legal & Compliance

Is Affix GDPR compliant?

Yes. Affix when it comes to end user data, Affix is a data processor, and does not send data outside of EU/GDPR adequate countries. For data collected in standard interactions with us when you engage with us via sales, marketing, and and in other situations, we are a data controller, and we are also GDPR complaint. We have Date Processing Addendums in place with all our sub-processors. You can read our own DPA here and see our list of sub-processors here. We follow stringent data security practices internally. To learn more about how we handle data and privacy, you can read our Developer Privacy Policy, or our End User Privacy Policy. You can find our Data Breach Policy here We are in the midst of publishing our trust center, but if you need to see any of our other internal policies, please contact us and we can provide them immediately.
‍

Is there any precedence for using the internal API, rather than the public API?

Yes. Before Open Banking was established, Plaid ($700m+ in venture funding, customers include Wise, Revolut, Venmo, and Chime) accessed banks’ internal APIs to create a single API into all of banking, facilitating the takeoff of the fintech industry. Affix is using a similar method to provide its vertically integrated API for HR/Payroll systems.

Is using the internal API legal in the UK?

Yes, absolutely! Affix uses the same method of integrating that Plaid employs, which is used by companies like Revolut, Wayflyer, Cleo, and Wise.

Does Affix infringe on copyright laws?

No. Affix does not scrape copyrighted data like photographs or text paragraphs for reproduction. The data collected by Affix wouldn't be subject to copyright as it doesn't meet the standard of originality, creativity, and authorship.

What about database rights infringement?

Affix doesn't infringe on database rights, because the data is factual or non-original.

Would a customer of Affix be breaching the terms of a payroll provider?

No. Affix operates as an intermediary between the end user, the HR/payroll providers, and our customer. Any action taken by an HR/Payroll system would be against Affix, not its customers, and would be about a policy violation, rather than a legal one.

What happens if a payroll provider learns of Affix?

Affix is designed to avoid detection in the first place. From our experience, if the providers notice the activity, the most aggressive action they take is to increase the technical challenges Affix needs to make in order to access the data, such as bot challenges, or attempting to ban IP ranges of Affix’s servers. Between the resources needed to do so, and the risk of churning their customers, the payroll providers are not too likely to, let alone discover it’s happening to begin with. However, even if they were to, that’s something Affix is experienced with and would be able to overcome in short-order.

In summary, is it safe for a customer to use Affix?

Yes, Affix is GDPR compliant, does not violate copyright or trademark rights, and is built with security at the forefront of design decisions. While the areas of law are complex, Affix has barristers registered in England, Wales, and Ireland on its advisory council, is in good legal standing, and operates with due diligence.

Does Affix have insurance?

Yes– Affix has public indemnity insurance, cyber insurance, directors and officers insurance, and employer liability insurance as well.

This is a key business function for us. Is there a risk of being too reliant on Affix?

At Affix, our success is directly aligned with our customers. As such, we believe in fair and transparent terms. For any partnership we enter, we establish mutual agreements on pricing that provide protections from unfair price hikes, providing for long-term, mutually beneficial partnerships.

6. Summary

What's the TLDR?

Affix is designed from the ground up by an engineer to be the API that an engineer would want to use. It provides access to systems, data, and use cases not found anywhere else. It's intuitive, it just works, and it gives you everything you could need such as canaries, industry standard endpoints, and webhooks.

And, it's secure and compliant. Affix is serverless and doesn't store sensitive employment data. If you enable webhooks, there's a brief cache, but it's heavily encrypted. We are GDPR compliant, and ISO 27001 certified.

Lastly we provide free, no risk trials. No set up fee. No fee per API call. With pricing that fits your use case and the value our integrations provide to you. ‍

How soon can we have access to it?

The product is live now. Claim your place for onboarding by booking a discovery call with our team below.

Get in touch