All Collections
Security, Privacy and Terms
Workstream Security Information
Workstream Security Information

Learn more about our security practices

Nicholas Freund avatar
Written by Nicholas Freund
Updated over a week ago

Our customers rely on Workstream to manage their analytics environment and associated workflows. To protect our customer’s environments, Workstream leverages best in class infrastructure, and adheres to industry best practices for security and compliance.

For detailed information about our security practices, you can view our Security Whitepaper.

If you want to get access to our SOC 2 Type 2 certification, please reach out to [email protected].

Encryption, Authentication and Resource Access

  • We only support authentication via single-sign on, and currently support Google, Microsoft and Okta (including SCIM provisioning).

  • All data is encrypted at rest and in transit using AES-256, block-level storage encryption.

  • All non-essential ports and network interfaces are blocked by default.

  • No financial or credit information is stored in any Workstream system.

  • We do not have direct access to your data warehouse, or any of your customer PIIA. We persist basic metadata from external systems (such as the url of a dashboard, or when it was created).

Source Code

  • We perform static code analysis of all production code.

  • We perform an annual third party security assessment / SOC 2 audit.

  • We perform annual penetration tests.

  • We have integration and unit tests for all critical systems.

  • All sub-dependencies have been vetted for security and performance issues.

  • All sub-dependencies are directly bundled into the Workstream application.

  • We follow strict compliance with source code licensing and open source licensing.

Key Management

Workstream maintains a strict policy for assigning and distributing keys that may access any production or development system.

  • Master keys are never distributed to employees.

  • Access keys are never stored in any version control system.

  • Access keys are never stored anywhere as plaintext.

  • Individual access keys are generated per employee with developer-only access.

Secure Workstations

  • Local encryption is enforced on all company computers, and employees are required to use password managers and two factor authentication.

  • All company computers use anti-malware and anti-virus software.

Employee Awareness

  • All Workstream employees undergo background checks, and are required to go through annual security training.

  • We follow the principle of least privilege access, and thus Workstream employees are granted granular access to resources on a need only basis.

  • All employee access to systems and sensitive data is regularly audited.

Did this answer your question?