WorkOS, Inc. Information Security Policy
Last Updated: October 29, 2020
WorkOS considers protection of subscriber data a top priority. As further described in this WorkOS Information Security Policy, WorkOS uses commercially reasonable organizational and technical measures designed to prevent unauthorized access, use, alteration or disclosure of subscriber data stored on systems under WorkOS’ control. Our security white paper is available upon request. More detailed information on controls is available in our SOC 2 Type II report, which is available under NDA.
Subscriber Data and Management
WorkOS limits its personnel’s access to subscriber data as follows:
- Requires unique user access authorization through secure logins and passwords, including multi-factor authentication for Cloud Hosting administrator access;
- Limits the subscriber data available to WorkOS personnel on a “need to know” basis;
- Restricts access to WorkOS’ production environment by WorkOS personnel on the basis of business need;
- Encrypts user security credentials for production access; and
- Prohibits WorkOS personnel from storing subscriber data on electronic portable storage devices such as computer laptops, portable drives and other similar devices.
WorkOS logically separates each of its subscribers’ data and maintains measures designed to prevent subscriber data from being exposed to or accessed by other customers.
WorkOS provides industry-standard encryption for subscriber data as follows:
- Implements encryption in transport and at rest;
- Uses strong encryption methodologies to protect subscriber data, including AES 256-bit encryption for subscriber data stored in WorkOS’ production environment; and
- Encrypts all subscriber data located in cloud storage while at rest.
Network Security, Physical Security and Environmental Controls
- WorkOS uses firewalls, network access controls and other techniques designed to prevent unauthorized access to systems processing subscriber data.
- WorkOS maintains measures designed to assess, test and apply security patches to all relevant systems and applications used to provide the Services.
- WorkOS monitors privileged access to applications that process subscriber data, including cloud services.
- The Services operate on Amazon Web Services (“AWS”) and Heroku and are protected by the security and environmental controls of Amazon and Heroku, respectively. Detailed information about AWS security is available at https://aws.amazon.com/security/ and http://aws.amazon.com/security/sharing-the-security-responsibility/. For AWS SOC Reports, please see https://aws.amazon.com/compliance/soc-faqs/. Detailed information about Heroku security is available at https://heroku.com/security/.
- Subscriber data stored within AWS or Heroku is encrypted at all times. AWS and Heroku do not have access to unencrypted subscriber data.
If WorkOS becomes aware of unauthorized access or disclosure of subscriber data under its control (a “Breach”), WorkOS will:
- Take reasonable measures to mitigate the harmful effects of the Breach and prevent further unauthorized access or disclosure.
- Upon confirmation of the Breach, notify the customer in writing of the Breach without undue delay. Notwithstanding the foregoing, WorkOS is not required to make such notice to the extent prohibited by applicable laws, and WorkOS may delay such notice as requested by law enforcement and/or in light of WorkOS’ legitimate needs to investigate or remediate the matter before providing notice.
Each notice of a Breach will include:
- The extent to which subscriber data has been, or is reasonably believed to have been, used, accessed, acquired or disclosed during the Breach;
- A description of what happened, including the date of the Breach and the date of discovery of the Breach, if known;
- The scope of the Breach, to the extent known; and
- A description of WorkOS’ response to the Breach, including steps WorkOS has taken to mitigate the harm caused by the Breach.
Business Continuity Management
- WorkOS maintains an appropriate business continuity and disaster recovery plan.
- WorkOS maintains processes to ensure failover redundancy with its systems, networks and data storage.
- WorkOS performs employment verification, including proof of identity validation and criminal background checks for all new hires in accordance with applicable law.
- WorkOS provides training for its personnel who are involved in the processing of the subscriber data to ensure they do not collect, process or use subscriber data without authorization and that they keep subscriber data confidential, including following the termination of any role involving the subscriber data.
- WorkOS conducts routine and random monitoring of employee systems activity.
- Upon employee termination, whether voluntary or involuntary, WorkOS immediately disables all access to WorkOS systems.