IS OUR DATA SECURE?


Last Revision: 24/07/2017

This is an important question and, of course, the answer is YES.
From owning, storing, transferring, accessing, backing up and monitoring your data, to testing and reviewing our security procedures, every aspect is covered to industry best-practice standards and is legally compliant.
Your security questions are answered below, but if you need clarification, do not hesitate to reach out to us.

IS MY DATA SECURED?

Workelo takes data security seriously and invests in protecting your data. We put security measures in place and maintain policies and procedures to comply with the required data security standards. We share personal information with third parties only as described in our Privacy Policy, and we store the data with a trusted service provider, Amazon Web Services, which is ISO 27001 certified.

WHO OWNS OUR DATA?

You are the owner of your data and you are ultimately responsible for it. We provide security functionality to protect your data. Workelo shares your data only as set out in the Privacy Policy: data is provided to third parties to help you manage your business and to allow us to support your business needs.

WHERE AND HOW IS OUR DATA STORED?

All your data is stored using Amazon Web Services (AWS), one of the world’s leading cloud-based services. AWS is used by millions of businesses, from Airbnb to Capital One and Netflix. The data is stored in Ireland, allowing you to meet European regulations as no data is transferred outside the EU, and it is physically secured by trained and audited security staff around the clock, 365 days a year (see the Amazon whitepaper on security).

IS THE TRANSFER OF MY DATA SECURE?

Your data is transferred using high-grade TLS 1.2 (https) technology. This is industry-standard technology, used by everybody from Google to the big banks. We limit the duration of Workelo sessions and will automatically log you out of Workelo after a certain time, and we only use secure cookies (which don’t store any personal information locally).

WHO CAN ACCESS MY DATA?

We should look at three types of parties that can get access to your data:

You and your staff – your staff will have access to the data using the passwords and per-data access credentials that you provide them. You can control who can view, edit, upload and download any information or document based on his/her role credentials.

Our staff – a small number of authorized Workelo personnel, as defined in our security policy, can access your data. Any Workelo team member doing so will be performing specific (audited) tasks on your request via our support desk. Access to all sensitive data requires two-factor authentication by these personnel.

Third parties – in some cases, based on your consent, data will be provided to third-party service providers for specific business purposes (e.g. getting a quote for services).

IS MY DATA BACKED UP?

Our data centers back up your data multiple times a day, and your data is fully restorable within a reasonable time in the unlikely event of a problem. However, since we are not a backup service, we recommend that you keep your own backup of your data and update it on a periodic basis. We offer this ability through our scheduled reports.

HOW DO YOU MONITOR ACTIVITY IN WORKELO?

We keep an audit log of all activity on system data, and in each User Card you will be able to see a log of all changes that have ever been made to that card. Access to the change log depends on the viewer’s credential rights.

HOW DO YOU TEST AND REVIEW YOUR SECURITY SO THAT IT IS ALWAYS UP TO SCRATCH?

We maintain a Security Policy that defines the security tasks we perform periodically. Our site and API undergo independent, ongoing third-party penetration testing, security scans, threat detection and black-box assessment.

SOME QUESTIONS YOUR IT DEPARTMENT MAY ASK

IF YOU’RE HOSTING MULTIPLE TENANTS WITHIN YOUR CLOUD INFRASTRUCTURE, WHAT SECURITY MEASURES PREVENT ONE CUSTOMER ACCESSING ANOTHER CUSTOMER’S DATA? IS OUR DATA SEGREGATED FROM OTHER CUSTOMERS?

Each piece of data stored is associated with a tenant ID. All access to data is required to use the tenant ID as a key, so data is logically divided. If the information is stored on disk, every client has its own folder; if data is stored in a database, access to the data is strictly enforced through the tenant identifier, so there is no leakage between clients.
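The following is an added illustration of the tenant-keyed access pattern described above; it is example code written for this page, not Workelo’s own implementation. It assumes a hypothetical user_cards table and a repository object that is constructed with the caller’s tenant context and appends the tenant ID to every read and write, so that a record belonging to another tenant is indistinguishable from a record that does not exist.

```python
import sqlite3
from dataclasses import dataclass
from typing import List


class NotFoundForTenant(PermissionError):
    """Raised when the requested record does not exist *for this tenant*.

    Deliberately the same error whether the record is missing or belongs to
    another tenant, so a caller cannot probe for other tenants' record IDs.
    """


@dataclass(frozen=True)
class TenantContext:
    """The authenticated caller's tenant, resolved once from the session."""
    tenant_id: str


def make_store() -> sqlite3.Connection:
    """Constructed in-memory store standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_cards ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, name TEXT NOT NULL)"
    )
    # Constructed sample rows for two hypothetical tenants.
    conn.executemany(
        "INSERT INTO user_cards (id, tenant_id, name) VALUES (?, ?, ?)",
        [(1, "tenant-a", "Alice"), (2, "tenant-a", "Anders"), (3, "tenant-b", "Bo")],
    )
    conn.commit()
    return conn


class UserCardRepository:
    """Every query is scoped by the tenant ID taken from the context.

    The tenant ID is never accepted as a per-call argument: it comes from the
    context the repository was built with, so a handler cannot forget to pass it.
    """

    def __init__(self, conn: sqlite3.Connection, ctx: TenantContext) -> None:
        self._conn = conn
        self._ctx = ctx

    def list_cards(self) -> List[str]:
        rows = self._conn.execute(
            "SELECT name FROM user_cards WHERE tenant_id = ? ORDER BY id",
            (self._ctx.tenant_id,),
        ).fetchall()
        return [name for (name,) in rows]

    def get_card(self, card_id: int) -> str:
        row = self._conn.execute(
            "SELECT name FROM user_cards WHERE id = ? AND tenant_id = ?",
            (card_id, self._ctx.tenant_id),
        ).fetchone()
        if row is None:
            raise NotFoundForTenant(f"card {card_id} not found")
        return row[0]

    def rename_card(self, card_id: int, new_name: str) -> None:
        # The tenant predicate is part of the UPDATE itself, so a write can
        # never touch another tenant's row even if the ID is guessed.
        cur = self._conn.execute(
            "UPDATE user_cards SET name = ? WHERE id = ? AND tenant_id = ?",
            (new_name, card_id, self._ctx.tenant_id),
        )
        if cur.rowcount != 1:
            raise NotFoundForTenant(f"card {card_id} not found")
        self._conn.commit()


def cross_tenant_access_blocked(conn: sqlite3.Connection, tenant_id: str, card_id: int) -> bool:
    """True if both reading and renaming card_id as tenant_id are refused."""
    repo = UserCardRepository(conn, TenantContext(tenant_id))
    try:
        repo.get_card(card_id)
        return False
    except NotFoundForTenant:
        pass
    try:
        repo.rename_card(card_id, "tampered")
        return False
    except NotFoundForTenant:
        return True


if __name__ == "__main__":
    store = make_store()
    tenant_a = UserCardRepository(store, TenantContext("tenant-a"))
    print(tenant_a.list_cards())                       # only tenant-a's cards
    print(cross_tenant_access_blocked(store, "tenant-b", 1))  # True
```

The design point is that the tenant predicate lives in the data-access layer rather than in each request handler: a handler that forgets an authorization check still cannot reach across tenants, and a missing row and a foreign row produce the same response.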

WHAT OTHER SECURITY MEASURES DO YOU HAVE IN PLACE?

  1. Code reviews – every change undergoes a review and needs to be approved before it is deployed to production. Changes are reviewed with security in mind.
  2. Passwords – we require strong passwords to connect to the application. Passwords are never stored in clear text and are always hashed and salted.
  3. Versioning – we have an automated system that ensures and monitors that the system available to our users is up to date.
  4. High availability – our system was designed to enable high availability; in any case of failure we can update our customers in real time.
  5. Third-party penetration tests – we have periodic third-party security experts testing our system for known vulnerabilities.
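As an added example of the salted password hashing mentioned in item 2 (example code for this page, not Workelo’s implementation), the block below uses PBKDF2-HMAC-SHA256 from Python’s standard library with a random per-user salt and a constant-time comparison on verification. The iteration count, the stored-string format and the strength rules in is_strong_password are assumptions chosen for the illustration, not Workelo’s policy.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumption: iteration count for the example. Production values should be
# tuned to the hardware and raised over time (the format stores the count, so
# old hashes keep verifying after the default is raised).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing hash string: algo$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # compare_digest avoids leaking where the first differing byte is
    return hmac.compare_digest(actual, expected)


def is_strong_password(password: str) -> bool:
    """Illustrative strength rule (assumption): at least 12 characters and
    at least three of the four classes lower/upper/digit/other."""
    if len(password) < 12:
        return False
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


if __name__ == "__main__":
    record = hash_password("Correct-Horse-Battery-9")  # constructed sample
    print(record)
    print(verify_password("Correct-Horse-Battery-9", record))  # True
    print(verify_password("wrong password", record))           # False
```

Storing the algorithm and iteration count alongside the salt and digest is what makes the parameters upgradeable: a login that verifies against an old, weaker record can be re-hashed with the current defaults on the spot.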

WHAT IS THE FORTHCOMING EU GENERAL DATA PROTECTION REGULATION (GDPR)?

On May 25, 2018, the GDPR will come into effect and replace existing national data protection laws in EU member states. The GDPR strengthens privacy rights of EU individuals and places additional requirements on businesses processing personal data of EU individuals.

At Workelo, trust is our #1 value and nothing is more important than the success of our customers and the protection of our customers’ data. Workelo welcomes the GDPR as an important step forward in streamlining data protection requirements across the EU and has worked since its first version to respect the GDPR.

To whom does the GDPR apply? The scope of the GDPR is very broad. It applies to Workelo customers based in the EU as well as non-EU customers to the extent such customers offer goods and/or services to or track the behavior of EU individuals. The GDPR applies to all industries and sectors.


What does the GDPR aim to achieve? The dual aim of the GDPR is to:

  • update existing EU data protection laws to strengthen the protection of personal data in light of rapid technological developments, increased globalization, and more complex cross-border flows of personal data; and
  • replace the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state.

What are some of the biggest changes resulting from the GDPR?

  • More rights for EU individuals: The GDPR provides expanded rights for EU individuals related to deletion, restriction, and portability of personal data.
  • New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals.
  • Data breach notification and security: The GDPR requires organizations to report certain data breaches to data protection authorities. The GDPR also places more specific security requirements on organizations.
  • Binding corporate rules (BCRs): The GDPR officially recognizes BCRs (which Workelo offers for certain of its services) as a means for controllers and processors to legalize transfers of personal data outside the EU.
  • One-stop-shop: The GDPR provides a central point of enforcement for companies with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.

Importantly, the GDPR does not place any new restrictions on transfers of personal data outside the EU.
For more information, please have a look at the official GDPR text.