Last updated: May 2023

Security & Compliance

Our customers rely on Workstream to manage their analytics environment and associated workflows. To protect our customer’s environments, Workstream leverages best in class infrastructure, and adheres to industry best practices for security and compliance.

For detailed information about our security practices, you can view our Security Whitepaper. If you want to view or sign a GDPR Data Protection Agreement, or get access to our SOC 2 Type 2 certification, please reach out to [email protected].

AICPA SOC 2
Vanta SOC 2
SOC 2 Type 2

We are SOC 2 Type 2 certified. For access to our report, please reach out to our team at [email protected].

GDPR
GDPR

Our Terms & Conditions and Data Processing Addendum (DPA), as updated from time to time, address the obligations and requirements of the European Union General Data Protection Regulation (GDPR); any laws or regulations that amend, supplement, supersede, repeal or replace the GDPR or that are intended to ensure the continued application of the GDPR in the United Kingdom (including the Data Protection Act 2018 (collectively, “UK Privacy Law”), or any successor laws of the above. These documents make it easy for customers to share information with their stakeholders, including compliance and privacy managers, customers and potential auditors.

Summary of Key Security Practices

Our Terms and Conditions, and DPA are supported by the people, processes and technology necessary for protection of customer personal data in compliance with our legal and contractual obligations. Some of the key activities implemented are listed below. 

Encryption, Authentication and Resource Access

  • Black check mark

    We only support authentication via single-sign on, and currently support Google, Microsoft and Okta (including SCIM provisioning).

  • Black check mark

    All data is encrypted at rest and in transit using AES-256, block-level storage encryption.

  • Black check mark

    All non-essential ports and network interfaces are blocked by default.

  • Black check mark

    No financial or credit information is stored in any Workstream system.

  • Black check mark

    We do not have direct access to your data warehouse, or any of your customer PIIA.

  • Black check mark

    We persist basic metadata from external systems (such as the url of a dashboard, or when it was created).


Source Code

  • Black check mark

    We perform static code analysis of all production code.

  • Black check mark

    We perform an annual third party security assessment / SOC 2 audit.

  • Black check mark

    We perform annual penetration tests.

  • Black check mark

    We have integration and unit tests for all critical systems.

  • Black check mark

    All sub-dependencies have been vetted for security and performance issues.

  • Black check mark

    All sub-dependencies are directly bundled into the Workstream application.

  • Black check mark

    We follow strict compliance with source code licensing and open source licensing.


Key Management

Workstream maintains a strict policy for assigning and distributing keys that may access any production or development system.

  • Black check mark

    Master keys are never distributed to employees.

  • Black check mark

    Access keys are never stored in any version control system.

  • Black check mark

    Access keys are never stored anywhere as plaintext.

  • Black check mark

    Individual access keys are generated per employee with developer-only access.


Secure Workstations

  • Black check mark

    Local encryption is enforced on all company computers, and employees are required to use password managers and two factor authentication.

  • Black check mark

    All company computers use anti-malware and anti-virus software.


Employee Awareness

  • Black check mark

    All Workstream employees undergo background checks, and are required to go through annual security training.

  • Black check mark

    We follow the principle of least privilege access, and thus Workstream employees are granted granular access to resources on a need only basis.

  • Black check mark

    All employee access to systems and sensitive data is regularly audited.

Ready to supercharge your analytics workflow?

We are building for the most innovative, forward thinking data teams around. If that sounds like you, please reach out!