Worklytics is audited annually against the AICPA SOC 2 standard by a third party. Our latest SOC 2 Type II Report is available under NDA to current and prospective customers. Contact email@example.com to learn more.
Worklytics’s infrastructure is provided by Google Cloud Platform, which is certified for compliance with ISO 27001, ISO 27017, ISO 27018 and PCI DSS, and is audited against the AICPA SOC 2 and AICPA SOC 3 standards.
Encryption at-rest. All data is encrypted before it is written to disk using AES-256 encryption.
HTTPS. All data you exchange with Worklytics is transmitted over SSL. Data we collect from 3rd-party services on your behalf is also fetched over SSL. If you have any concern about how we connect to a specific data source, please contact us.
3rd-party Penetration Testing.
The Worklytics platform undergoes regularly scheduled black-box 3rd-party penetration testing at both the application and infrastructure levels. Current and prospective customers may obtain a copy of our latest report under NDA.
Vulnerability Disclosure Program.
Worklytics operates a vulnerability disclosure program, inviting 3rd party white hat security researchers to proactively test our application.
Automated Security Scans.
We use automated scanning tools, including Vanta, GCP Security Health Analytics, and GCP Web Security Scanner, to continually scan our application and infrastructure for vulnerabilities. We utilize source-code-level scanners to identify vulnerabilities in our dependencies.
Limit processing to Meta-data.
We don’t read your email! Wherever possible, we only ingest meta-data about your work – not the content of the work itself. This means, for example, that for a Google Drive file, we store data such as the title and who edited it, but not the content of the file itself. Thus if our systems were ever compromised, your work content would remain secure – as we don’t have a copy of it.
Single sign-on with G Suite or Azure Active Directory.
We rely on 3rd-party corporate user directory integrations to authenticate your employees, rather than giving them a Worklytics-specific password. This means any user you de-provision from your organization’s directory will lose access to your Worklytics account, without any additional work on your part. And we never see a password that they may have re-used in another tool.
Wherever possible, we use OAuth 2.0 to access data from your integrations – it’s a widely accepted standard flow for securely authorizing 3rd parties such as Worklytics to access your data in other SaaS tools. Generally, this means that you may revoke our access to your data from those tools at any time.
We don’t store sensitive payment information.
We use Stripe, a certified PCI Level 1 Service Provider, to process payments you make through Worklytics. We don’t retain any customer payment information.
Access to our production infrastructure is tightly restricted to senior personnel, who must have strong passwords and utilize Multi-Factor Authentication.
Our application is architected to run on top of platform-as-a-service infrastructure. We deploy our application as a small bundle of source code and configuration files into sandboxed webservers that are distributed across standardized, hardened virtual machines. The webservers and virtual machines are maintained and operated by Google. This greatly limits potential intrusion points. You aren’t depending on us to keep components such as kernels, web servers, packages, etc. up to date with the latest security patches – you’re trusting Google.
Separation of Responsibilities.
All source code that processes your data is subject to peer-review, requiring sign-off from a second engineer before it can be deployed into our production environment. We operate distinct production, staging, and development stacks of infrastructure, to enable robust testing of our application before it touches your data.
We perform annual internal audits for compliance with our security policies and procedures. These audits drive continuous improvement in our practices.
If you require any additional information on our security practices, please contact us at firstname.lastname@example.org. We can provide Private Cloud deployments that may meet your needs, as well as providing detailed documentation and compliance e of our security practices under NDA.