Security Overview

Customer trust and data security are key to everything we do

Data protection and information security are key elements of Worksuite’s products and services, and customers’ data protection is our highest priority.

We have implemented technical and organizational measures to ensure the secure processing of information.

Our practices are based on the legal frameworks of the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as common standards and frameworks such as SOC 2.

Data protection

Data Retention

We retain our users’ data for a period of 90 days after service termination. All data is then completely removed from our servers. Every user can request the removal of usage data by contacting support. Click here to review our Data Retention Policy and Data Disposal and Destruction Policy.

Data Storage

Worksuite’s data is hosted in Amazon Web Services (AWS) facilities in the USA, Canada, and Ireland (EU). Worksuite was built with disaster recovery in mind. All of our infrastructure and data are spread across three AWS availability zones and will continue to work should any one of those zones fail.

Data ownership

The customer is and remains the owner and controller of the data within the meaning of the EU GDPR (Art. 4(7), with the controller’s responsibilities set out in Art. 24). In particular, this means that the customer is responsible for respecting the rights of data subjects (Chapter 3 of the EU GDPR). Worksuite is the processor (Art. 28 EU GDPR) and in this capacity processes customer data exclusively on the customer’s instruction and for the purposes laid down in the data processing agreement.

User protection

SSO
Single Sign-On (SSO) lets you authenticate users against your own identity provider without requiring them to enter additional login credentials. Click here to learn more about integrating your SSO with Worksuite.

Permissions
We enable permission levels within the app to be set for your teammates. Permissions can cover app settings, billing, user data, the ability to send tasks, and access to reports.

Suspicious user behavior monitoring
We use Sqreen to monitor for suspicious behavior and react quickly to account takeovers. It also protects customers against data theft by blocking credential stuffing and brute-force attacks.

Secure development

We follow these security best practices and frameworks to ensure the highest level of security in our software:

  • Developers participate in regular security training to learn about common vulnerabilities and threats
  • We review our code for security vulnerabilities
  • We regularly update our dependencies and make sure none of them has known vulnerabilities
  • We use Static Application Security Testing (SAST) to detect basic security vulnerabilities in our codebase
  • We use Dynamic Application Security Testing (DAST) to scan our applications

Business continuity and disaster recovery

We back up all our critical assets and regularly test restoring from those backups to guarantee a fast recovery in case of disaster. All our backups are encrypted.
Click here to review our Business Continuity and Disaster Recovery policies.

Network and application security

Hosting and Storage
Worksuite services and data are hosted in the Amazon Web Services (AWS) regions listed under Data Storage above. Worksuite was built with disaster recovery in mind: all of our infrastructure and data are spread across three AWS availability zones and will continue to work should any one of those zones fail.

Virtual Private Cloud
All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from getting to our internal network.

Backups and Monitoring
Worksuite uses AWS’s backup solution for datastores that contain customer data. At the application level, we produce audit logs for all activities. All actions taken on production consoles are logged. Click here to review our Backup Policy.

Permissions and Authentication
Access to customer data is limited to authorized employees who require it for their job. Worksuite is served 100% over HTTPS. We enforce Single Sign-On (SSO) and strong password policies on all internal tools and applications to ensure that access to cloud services is protected. Click here to review our password policy.

Encryption
All data sent to or from Worksuite is encrypted in transit using TLS with 256-bit cipher suites. Our API and application endpoints are TLS-only and score an “A+” rating on Qualys SSL Labs’ tests. This means we use only strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. Click here to review our encryption policy.
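The three properties claimed above (strong cipher suites only, forward secrecy, and HSTS) are things a customer can verify rather than take on trust. The following is an added example written for this page, not Worksuite’s own code: it audits an endpoint’s posture offline from two inputs you would normally obtain with a scanner (the cipher suite names it advertises, in OpenSSL naming, and its Strict-Transport-Security header). The cipher lists and HSTS headers below are constructed samples, and the six-month minimum max-age is the threshold SSL Labs applies before HSTS counts toward an A+ grade.

```python
"""Offline audit of a TLS endpoint's advertised cipher suites and HSTS header.

The inputs are constructed samples for illustration; feed real values from
a scan (e.g. `nmap --script ssl-enum-ciphers` output, or the response
headers from `curl -sI https://host/`) to audit a live endpoint.
"""

# Constructed sample: what a poorly configured endpoint might advertise.
SAMPLE_CIPHERS_WEAK = [
    "TLS_AES_256_GCM_SHA384",     # TLS 1.3, fine
    "ECDHE-RSA-AES256-GCM-SHA384",  # TLS 1.2 with ECDHE, fine
    "AES256-SHA",                 # static RSA key exchange: no forward secrecy
    "ECDHE-RSA-RC4-SHA",          # RC4 is broken
    "DES-CBC3-SHA",               # 3DES: 64-bit block size (Sweet32)
]

# Constructed sample: a hardened, forward-secret-only configuration.
SAMPLE_CIPHERS_STRONG = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
]

# Algorithm tokens that should never appear in a modern cipher suite name.
WEAK_ALGOS = ("RC4", "DES", "3DES", "NULL", "MD5", "EXP", "ANON", "ADH", "AECDH")

# SSL Labs only credits HSTS toward an A+ grade when max-age is at least six months.
MIN_HSTS_AGE = 15768000


def cipher_is_forward_secret(name):
    """TLS 1.3 suites (TLS_*) always use ephemeral key exchange; TLS 1.2
    suites provide forward secrecy only with an ECDHE or DHE prefix."""
    return name.startswith("TLS_") or name.startswith(("ECDHE-", "DHE-"))


def cipher_is_weak(name):
    """Flag suites built on a broken or export-grade primitive."""
    tokens = set(name.upper().replace("_", "-").split("-"))
    return any(alg in tokens for alg in WEAK_ALGOS)


def audit_ciphers(names):
    """Return a list of (cipher, reason) for every suite that fails policy."""
    findings = []
    for name in names:
        if cipher_is_weak(name):
            findings.append((name, "weak algorithm"))
        elif not cipher_is_forward_secret(name):
            findings.append((name, "no forward secrecy"))
    return findings


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into a dict.

    RFC 6797 directive names are case-insensitive and max-age may be quoted,
    so names are lower-cased and surrounding quotes stripped."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_findings(header):
    """Return a list of policy failures for an HSTS header (None = absent)."""
    if header is None:
        return ["HSTS header missing"]
    d = parse_hsts(header)
    findings = []
    if not d.get("max-age", "").isdigit():
        findings.append("max-age missing or not an integer")
    elif int(d["max-age"]) < MIN_HSTS_AGE:
        findings.append(f"max-age {d['max-age']} below {MIN_HSTS_AGE} (six months)")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set (subdomains remain downgradable)")
    return findings


def audit_endpoint(ciphers, hsts_header):
    """Combine both checks; returns (passed, list_of_findings)."""
    findings = [f"cipher {n}: {why}" for n, why in audit_ciphers(ciphers)]
    findings += hsts_findings(hsts_header)
    return (not findings, findings)


if __name__ == "__main__":
    for label, ciphers, hsts in (
        ("weak", SAMPLE_CIPHERS_WEAK, "max-age=300"),
        ("strong", SAMPLE_CIPHERS_STRONG, "max-age=31536000; includeSubDomains; preload"),
    ):
        ok, findings = audit_endpoint(ciphers, hsts)
        print(f"{label}: {'PASS' if ok else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

The check is deliberately name-based so it works on scanner output without a live connection; it does not replace a full SSL Labs run, which also evaluates certificate chain, protocol versions and known implementation bugs.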

Pentests and Vulnerability Scanning
Worksuite uses third-party security tools to continuously scan for vulnerabilities, and our dedicated security team responds to the issues raised. Twice a year we engage third-party security experts to perform detailed penetration tests of the Worksuite application and infrastructure.

Incident Response
Worksuite implements a protocol for handling security events that includes escalation procedures, rapid mitigation, and a post-mortem. All employees are informed of our policies. Click here to review our incident response policy.

Employees

Access
Our strict internal procedures prevent employees from accessing user data. Limited exceptions can be made for customer support. Click here to review our Access Policy.

IP Protection
Our employees sign a Non-Disclosure and Confidentiality Agreement to protect our customers’ sensitive information.

Training
All employees complete security awareness training annually. Click here to review our Training Policy.

Security Questions?

If you think you may have found a security vulnerability, please get in touch with our security team at security@worksuite.com.