Workai Security – ISO 27001, GDPR, and Privacy

At Workai, security and privacy are priorities for every customer we serve, across all industries. Our platform and product vision are built around these requirements.

Our infrastructure safeguards customer data at every stage, and we provide customizable settings and tools for customers to define their own security parameters.

With Workai’s enterprise-ready support, all customers can trust a secure and reliable platform that meets their needs and concerns.

A copy of the certificate can be found here.

Declaration of the top management

1.1     One of the objectives of the organization is to systematically improve the quality of services provided and the security of designed IT solutions. Ensuring the security of information concerning the data entrusted by customers and the know-how is, among other things, a prerequisite for a successful implementation of this strategy. This is done through the following:

1.1.1    identifying and analyzing information security risks, conducting reviews, and taking actions to reduce them;
1.1.2    creating awareness among employees and sensitizing them to information security issues;
1.1.3    ensuring the physical security of company assets and stored data;
1.1.4    securing Internet links and ICT systems;
1.1.5    including appropriate information security provisions in contracts with all stakeholders;
1.1.6    assigning responsibility for ensuring information security;
1.1.7    a systemic approach to information security management.

1.2    The company’s Management Board declares its full commitment to creating conditions for the effective functioning of the ISMS and its improvement. The company’s Management Board undertakes to meet the applicable information security requirements. Thus, it commits all employees and associates of the organization to apply and comply with the principles of the ISMS.

Certification ISO 27001

ISO 27001 is the internationally recognized standard for information security management. Workai established its Information Security Management System (ISMS) in 2021 and obtained ISO 27001 certification in 2023.
As part of our ISO 27001 certification, Workai conducts regular risk assessments and develops corresponding risk treatment plans to mitigate any identified risks. This proactive approach allows us to continually enhance our security controls. The Workai Security team consistently works towards improving the suitability, adequacy, and effectiveness of our ISMS.

Structure and Oversight in the Organization

The Security and Privacy Departments at Workai

Workai has a dedicated Chief Information Officer (CIO) who, together with our Global Head of Information Security, oversees the information security function. The Security team at Workai evaluates and applies security controls across the organization. It works together with our Legal & Compliance team, which includes a privacy counsel, to implement security, privacy, and data protection programs within Workai.

Security Awareness Education

We offer our employees annual training in security awareness, coupled with regular updates on the latest security risks and the best practices to counter them. Every developer at Workai receives consistent training on security to remain informed about prevalent security threats in development and to ensure the privacy of our customers’ data. Every Workai employee and contractor is obliged to adhere to established security policies, which encompass confidentiality, data privacy, and incident reporting.

Assurance of Confidentiality

Confidentiality clauses are a standard feature in all customer agreements made by Workai. Moreover, all Workai employees and contractors must sign confidentiality agreements to safeguard customer data. We have similar confidentiality terms in place with all vendors handling personal or confidential customer information, which is part of our vendor evaluation process.

Incident Reporting and Management

All Workai employees, contractors, and principal suppliers are obliged to report any security incidents. Workai has a documented plan to address security or availability incidents swiftly and effectively. This incident response plan consists of three stages and covers the prevention, identification, remediation, and resolution of security incidents.
Our Incident Response Plan also incorporates a Problem Management process, structured to determine root causes and to address recurring or not yet identified security incidents. The entire security team is trained to respond according to the established Incident Response Plan. The plan is regularly reviewed and updated in line with Workai's ISO 27001 certification requirements.

Contingency Planning and System Redundancy

Workai has engineered its systems to reduce service disruptions caused by natural disasters, hardware failures, or other unexpected incidents or crises. Our approach to Disaster Recovery relies on established service providers to help deliver our services; thousands of businesses trust these providers for their data and service delivery needs. Our disaster recovery program focuses on technical disasters affecting the operation of the Workai platform and includes plans for various scenarios so that data can be restored during an emergency.

Hosting within the European Union

Hosting within the European Union ensures that Workai's data is stored in a jurisdiction that adheres to the stringent EU privacy requirements of the General Data Protection Regulation (GDPR). By hosting on Microsoft Azure, an established cloud service provider, Workai can use Azure's EU-based regions, which offer enhanced data protection measures. Microsoft Azure's facilities are ISO 27001 certified, helping to keep Workai's data secure and in line with the strict privacy regulations of the EU.

Hosting outside the European Union

While Workai's servers could in principle be hosted outside the European Union, the implications for data privacy and GDPR compliance must be considered. If Workai chose a hosting provider located in a non-EU country, it would need to thoroughly assess the transfer and establish a legal basis that ensures adequate protection of personal data. This could involve relying on an EU adequacy decision for the destination country, implementing appropriate safeguards such as standard contractual clauses, or, in limited cases, obtaining explicit user consent for the cross-border transfer. Hosting outside the EU may therefore make it harder to meet the specific requirements of the GDPR and could affect the level of data protection afforded to Workai's users.

Product Security

Our Secure Development Lifecycle (SDLC) outlines the procedures and tools we leverage in software development and operations to heighten security. These techniques and resources are in line with recognized industry standards and corresponding frameworks.

Quality Assurance

To achieve a high level of Quality Assurance (QA), we run numerous automated tests against our code base. In addition, every code change submitted by our developers is peer reviewed before it is merged.

Isolated Environments

The testing and staging systems of Workai are logically separated from production systems. For testing purposes, Workai uses dedicated test data generated specifically for that purpose.

Security Testing

Workai engages external penetration testing teams to perform independent tests at least annually. Workai uses the Common Vulnerability Scoring System (CVSS) to rate the severity of any uncovered vulnerabilities. Our Security team works with the product team to prioritize the remediation of detected vulnerabilities based on their severity.

Privacy and Data Protection

Originating from the EU, Workai has made privacy and data protection fundamental aspects of our product development, service offerings, and internal governance. Given that the EU enforces some of the most stringent data privacy laws globally, we incorporate our experiences in Europe into our methodology for building and developing employee communication tools.

Data Processing Agreements (DPA) in line with GDPR

Workai provides Data Processing Agreements (DPAs) compliant with the General Data Protection Regulation (GDPR) for our clients. Also, as part of the vendor evaluation process discussed earlier, Workai establishes appropriate DPAs with any sub-processors of personal data.

EU General Data Protection Regulation (GDPR) Compliance

Workai meets the stipulations of the EU General Data Protection Regulation, offering a secure platform for communication that equally safeguards employee and customer data. Our utmost priorities are the privacy rights of our customers and their employees, along with the security of their personal information. Consequently, under the supervision of our Legal & Compliance department, our Data Protection Officer (DPO), and our Security team, we have established a program to ensure GDPR compliance.

Data Location

Our servers are all hosted in Microsoft Azure regions in Europe. These Azure facilities hold the following certifications: ISO 27001:2013, ISO 27017:2015, ISO 27018:2014, ISO 20000-1:2011, ISO 22301:2012, ISO 9001:2015, and CSA STAR.

Physical storage is encrypted at rest and, in addition, drives marked for replacement are securely sanitized before reuse or disposal using methods compliant with NIST SP 800-88.

Azure services incorporate multi-layered mechanisms that restrict access to each customer's resources, protecting every tenant from unauthorized access by other users, including other, potentially malicious, tenants of the service. Additional security features include notification mechanisms for attempted cross-tenant access. Customer resources are safeguarded, and measures are in place to prevent one tenant from consuming an excessive share of shared resources. A detailed description of the mechanisms employed can be found here.

The isolation is enforced at various levels, which include:

  • Isolation of clients at the subscription level and authorization services.
  • Isolation of resources at the computational layer level (virtual machines, services).
  • Isolation at the network level and data storage accounts.
  • Isolation at the network level from the outside world (i.e. the internet).

Want to learn more about our safety and security protocols? Let's talk.