Security

Built for the security review.

SOC 2 Type II + ISO 27001 + GDPR + DPDP. Encryption end-to-end. SSO + SCIM. Audit log on everything. Pen-tested annually. Designed to pass your CISO's review on the first pass.

SOC 2 Type II

ISO 27001

GDPR

DPDP (India)

HIPAA-ready

PCI-DSS

Six pillars

How we keep your data safe.

Encryption end-to-end

AES-256 at rest. TLS 1.3 in transit. Customer-managed keys (CMK) on Scale via AWS KMS.

SSO + SCIM

SAML SSO with Okta, Azure AD, Google, OneLogin, Auth0. SCIM auto-provisioning + deprovisioning.

Data residency

EU, India, or US. Pinned at workspace creation; honored for storage, AI, and backups.

Audit log

Every read, write, export, share — logged with user, time, IP, device. Tamper-evident; exportable to your SIEM.

Infrastructure

AWS-hosted across 3 regions. Multi-AZ. 99.95% uptime SLA on Scale. Pen-tested annually by Cure53.

Bug bounty

HackerOne private program. Critical findings paid up to $20,000. Public PGP for vuln disclosure.

Vulnerability disclosure

Found a bug?

We run a private HackerOne program. Critical findings paid up to $20,000. Public PGP key for direct reports. Acknowledged within 24h, triaged within 72h.

Email: security@workwrk.com

PGP key: /security.asc

HackerOne: Private program (invite via email)

Bounty tiers

  • Critical

    $10,000 – $20,000

    RCE, auth bypass, mass data exposure

  • High

    $3,000 – $7,500

    Privilege escalation, IDOR, stored XSS

  • Medium

    $750 – $2,500

    Reflected XSS, CSRF on sensitive actions

  • Low

    $150 – $500

    Self-XSS, minor leaks, edge config issues

Security FAQ

Common security questions.

Still curious? Chat with the team.

Can I sign a BAA / DPA / MSA?

Yes — Standard DPA available on Growth+. HIPAA BAA, custom MSAs, and SOC 2 ToA available on Scale. Request via security@workwrk.com.

How long do you retain customer data?

Live for the contract duration. 30 days after termination unless you request earlier deletion. Backups retained 90 days then purged.

Sub-processors?

AWS (infra), Stripe (billing), Sentry (errors), Datadog (monitoring), Anthropic (AI). Full list and DPAs at /security/subprocessors. 30-day notice for additions.

Can I run workwrk in my own AWS / GCP?

Yes — VPC deployment available on Scale ($50k+/yr add-on). Fully isolated from our multi-tenant infra; you control keys, network, and access.

Penetration testing?

Annual pen tests by Cure53. Letter of attestation available; full report on Scale with NDA.

Incident response?

PagerDuty-rotated 24/7. SLA: critical breach notification within 4 hours to all affected customers. Public post-mortems within 30 days.

Bringing workwrk through security review?

Ask for our SOC 2 report, ISO 27001 cert, and DPA template — usually one email.