Last updated: May 2022

Security & Compliance

Our customers rely on Workstream to manage their analytics environment and associated workflows. To protect our customers' environments, Workstream leverages best-in-class infrastructure and adheres to industry best practices for security and compliance.

For detailed information about our security practices, you can view our Security Whitepaper. If you want to view or sign a GDPR Data Protection Agreement, or get access to our SOC 2 Type 2 certification, please reach out to security@workstream.io.

SOC 2 Type 2

We are SOC 2 Type 2 certified. For access to our report, please reach out to our team at security@workstream.io.

GDPR

Our Terms & Conditions and Data Processing Addendum (DPA), as updated from time to time, address the obligations and requirements of the European Union General Data Protection Regulation (GDPR); any laws or regulations that amend, supplement, supersede, repeal or replace the GDPR, or that are intended to ensure the continued application of the GDPR in the United Kingdom (including the Data Protection Act 2018) (collectively, “UK Privacy Law”); and any successor laws of the above. These documents make it easy for customers to share information with their stakeholders, including compliance and privacy managers, customers and potential auditors.

Summary of Key Security Practices

Our Terms and Conditions and DPA are supported by the people, processes and technology necessary to protect customer personal data in compliance with our legal and contractual obligations. Some of the key activities implemented are listed below.

Encryption, Authentication and Resource Access

  • We only support authentication via single sign-on, and currently support Google, Microsoft and Okta (including SCIM provisioning).

  • All data is encrypted at rest and in transit using AES-256 block-level storage encryption.

  • All non-essential ports and network interfaces are blocked by default.

  • No financial or credit information is stored in any Workstream system.

  • We do not have direct access to your data warehouse, or to any of your customer PII.

  • We persist only basic metadata from external systems (such as the URL of a dashboard, or when it was created).


Source Code

  • We perform static code analysis of all production code.

  • We perform an annual third-party security assessment / SOC 2 audit.

  • We perform annual penetration tests.

  • We have integration and unit tests for all critical systems.

  • All sub-dependencies have been vetted for security and performance issues.

  • All sub-dependencies are directly bundled into the Workstream application.

  • We follow strict compliance with source code licensing and open source licensing.


Key Management

Workstream maintains a strict policy for assigning and distributing keys that may access any production or development system.

  • Master keys are never distributed to employees.

  • Access keys are never stored in any version control system.

  • Access keys are never stored anywhere as plaintext.

  • Individual access keys are generated per employee with developer-only access.


Secure Workstations

  • Local encryption is enforced on all company computers, and employees are required to use password managers and two factor authentication.

  • All company computers use anti-malware and anti-virus software.


Employee Awareness

  • All Workstream employees undergo background checks, and are required to go through annual security training.

  • We follow the principle of least privilege, and thus Workstream employees are granted granular access to resources on a need-only basis.

  • All employee access to systems and sensitive data is regularly audited.
