Updated Jun 14, 2024

Security

We strive to ensure that your privacy and data are never compromised. Here are some of the measures we have in place.

Compliance

GDPR

Workbase is committed to ensuring that all our customer and employee personal data are treated in a way that complies with the EU’s General Data Protection Regulation (GDPR).

CCPA

The California Consumer Privacy Act (“CCPA”) regulates how organizations handle the personal information of California residents and gives them certain rights with respect to their personal information. Workbase is committed to being compliant with the CCPA. As a provider of enterprise design tools, Workbase is primarily a service provider under the CCPA.

Data Security

All of Workbase's services are hosted in Google Cloud facilities in Europe. Services are distributed across multiple Google Cloud availability zones. These zones are hosted in physically separate data centers, protecting services against single data center failures.

Data classification

Workbase classifies the data they own, use, create, and maintain into the following categories:

- Confidential: Customer and personal data

- Internal: Workbase internal operational data that should not be disclosed

- Public: For example, the marketing material and content on this website

Encryption at rest

Workbase uses the Google Cloud-managed data stores Cloud SQL, Memorystore, and Cloud Storage to store customer data, including backups. All these Google Cloud services have been configured to use encryption at rest using AES with 256-bit keys.

Secrets and encryption key management

Workbase uses Google Cloud Secret Manager for securely storing and managing secrets that are used by services. Workbase uses Google Cloud Key Management Service (KMS) to encrypt and decrypt these secrets, as well as manage all encryption keys in use by Workbase services. Access to secrets and encryption keys is restricted to the services on a least privilege basis and is managed by the Workbase infrastructure team.

Separation of environments

Workbase fully separates and isolates their production, staging, and development networks and environments.

Product security

Secure development

Workbase practices continuous delivery. We have processes and automation in place that allow us to safely and reliably roll out changes to our cloud infrastructure and web-based applications in a rapid fashion. We deploy new changes to production dozens of times a week.

  • All code changes are requested through pull requests and are subjected to code reviews and approval prior to being merged to the master and production branches.

  • Workbase uses GitHub Enterprise and Dependabot to automatically create pull requests to update outdated dependencies.

  • Workbase uses static source code analysis tools to analyze any source code changes in order to identify any potential code quality issues or security weaknesses.

  • Workbase uses Sentry to track errors in the web and desktop applications.

  • Workbase's security team works closely with the engineering teams to resolve any potential security concerns that may arise during design or development.

Bug bounty program

Workbase operates a private security bug bounty program that allows security researchers around the world to continuously test the security of Workbase's applications and services. Security engineers who identify valid issues are paid via the program. If you would like to be invited into our bug bounty program, please report a security vulnerability by following our vulnerability disclosure guidelines as outlined below. Based on that, we will consider inviting you into our program, which will be determined at our discretion.

Infrastructure and network security

Transport security

Workbase requires the use of TLS to secure the transport of data, both on the internal network between services and on the public network between the Workbase applications and the Workbase cloud infrastructure. Workbase's TLS configuration requires at least TLS version 1.2 and the use of strong cipher suites, which support important security features such as Forward Secrecy. To defend against downgrade attacks, Workbase has implemented HTTP Strict Transport Security, and has all their production domain names included on the HSTS Preload List.

External attack surface

Workbase only exposes public (web) applications and APIs to the public internet. All other services are only available on the internal network, and accessible by employees using a VPN or single sign-on proxy. The external attack surface is monitored for changes by a third-party service.

Network segmentation

Network segmentation is a foundational aspect of Workbase's cloud security strategy. Workbase achieves segmentation boundaries at various layers of their cloud infrastructure. Workbase uses a multi-account strategy within AWS to isolate production, development, and test environments, but also domains such as logging, security, and marketing. Within AWS, Workbase uses VPCs, security groups, network access control lists, and subnets to further isolate services.

Intrusion detection and prevention

Workbase maintains an extensive centralized logging environment in which network, host, and application logs are collected at a central location. Workbase has also enabled detailed audit trails with critical service providers like Google Workspace, GitHub, and AWS (CloudTrail). These logs and audit trails are analyzed by automated systems for security events, anomalous activity, and undesired behavior.

Organizational security

Security training

All new hires are required to attend the security awareness training as part of their on-boarding, and all employees are required to attend the regular security awareness trainings.

Asset inventory

Workbase maintains an accurate and up-to-date inventory of all its networks, services, servers, and employee devices. Access to Workbase customer data is provided on an explicit need-to-know basis and follows the principle of least privilege. Customer data is audited and monitored by the security team. Workbase support and customer employees are only granted access after explicit approval of the respective customer. All Workbase employees have signed a non-disclosure agreement.

Security incident management

The security team at Workbase aggregates logs and audit trails from various sources at a central location and uses tools to analyze, monitor, and flag anomalous or suspicious activity. Workbase's internal processes define how alerts are triaged, investigated, and, if needed, escalated. Both customers and non-customers are encouraged to disclose any potential security weaknesses or suspected incidents to Workbase Security. In case of a serious security incident, Workbase has the security expertise to investigate security incidents and resolve them to closure. If needed, Workbase has access to external subject-matter experts.

Information security policies

Workbase maintains a number of information security policies that form the basis of our information security program. All Workbase employees are required to review these policies as part of their on-boarding. These security policies cover the following topics and are available to Enterprise customers upon request:

  • Access control

  • Change management

  • Risk management

  • Data classification and asset inventory management

  • Incident response and management

  • Network security

  • Encryption and key management

  • Human resources security

  • Information transfer

  • Secure development

  • System monitoring and logging

  • Vendor management

  • Vulnerability management and malware protection

  • Mobile device management and remote working

  • Business continuity and disaster recovery

Operational security

Backups and disaster recovery

All Workbase customer data is stored redundantly at multiple AWS or Google Cloud data centers (availability zones) to ensure availability. Workbase has well-tested backup and restoration procedures in place, which allow for quick recovery in the case of single data center failures and disasters. Customer data is continuously backed up and stored off-site. The restoration of backups is fully tested every 30 days to ensure that our processes and tools work as expected.

Endpoint security

Workbase exclusively uses Apple Mac devices. These devices are all centrally managed through the internal mobile device management solution, which allows us to enforce security settings such as full disk encryption, network and application firewall, automatic updates, screen time-outs, and anti-malware solutions. In case employee devices get stolen or lost, data on these devices can be remotely wiped.

Risk management and assessment

Workbase performs a periodic risk analysis and assessment to ensure that our information security policies and practices meet the requirements and applicable regulatory obligations.

Enterprise security

Workbase Enterprise includes all our general security measures, plus additional features and enhancements to provide even more customization and privacy.

Security vulnerability disclosure

If you would like to disclose a potential security vulnerability or have security concerns about a Workbase product, please reach out to security@workbase.com. Please include a description of the security vulnerability, steps to reproduce, and the impact the vulnerability may have.