Workable security and data privacy

Workable is a robust and secure software application. The security and performance of Workable is our number one priority and customers can use Workable in confidence that we maintain the highest standards and best practices.

Workable is deployed on Heroku (a cloud application platform used by organizations of all sizes to deploy and operate applications throughout the world) and Amazon Web Services (AWS). Heroku’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes the AWS technology. AWS’s data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

Read more about Heroku’s security and security at AWS.

SSL & Encryption

All traffic between our clients and Workable servers is encrypted through SSL. SSL certificates are created using RSA- and DSA-based ciphers. We adhere to the recommended security policies provided by Amazon ELB. For more information please refer to the official page of AWS ELB security policies. We also enforce an HSTS policy to protect Workable against protocol downgrade attacks and cookie hijacking.

Passwords

Passwords are stored hashed and never logged, stored or transmitted as plain text.

ISO 27001:2013

Workable is ISO 27001 certified. Our recruiting software and operating environment meet the highest worldwide security and data protection standards. Independent accreditation is verified through regular audits. Internally, ongoing cyber-security training reinforces the robust protection provided by our software and systems.

Backup process and data retention policy

Heroku automates the backup process and we keep full daily backups of Workable data for the last 50 days. Heroku also maintains a transaction log of the last 7 days. Find out more about Heroku’s data safety and continuous protection.

Disaster Recovery

Heroku utilizes disaster recovery facilities that are geographically remote from its primary data centers, for use in the event that production facilities at the primary data centers are rendered unavailable. Workable also has a hot-standby follower database should the primary database be inaccessible for any reason.

Access control

Only authorized Workable employees are given access to the resources that are required for their role, following the principle of least privilege. Authentication to access these resources is always password-based, and login credentials are always transmitted encrypted, over HTTPS.

Credit card data

Credit card information is encrypted on the client using our payment gateway, Braintree. Workable does not store credit card data. All credit card information is stored on Braintree, which is a validated Level 1 PCI DSS Compliant Service Provider.

External security testing

We work with HackerOne to test Workable for vulnerabilities and ensure any faults are identified as quickly as possible. HackerOne works with many other security-conscious companies like GM, Spotify, Starbucks and Airbnb.

3rd Party Access to Data

Your data is safe with Workable; we don’t sell data to any 3rd parties.

Uptime

We guarantee 99.8% uptime averaged over one month (excluding scheduled maintenance).

Scheduled Maintenance

We are continuously updating Workable to provide an excellent product and experience for our users. Most updates take place with no downtime at all. In cases where some downtime is required we keep it to an absolute minimum, typically between 10 to 20 minutes. Any scheduled downtime is announced at least one business day in advance and is scheduled during off-peak hours, typically Sunday evenings. All incidents and scheduled downtime are announced on our Status Page where users can subscribe for live email or SMS updates.

EU Data Protection

In October 2015 the Court of Justice of the European Union invalidated the US-EU Safe Harbor agreement. Safe Harbor was the agreement that governed the way US companies handled personal information from, and on behalf of, their European customers.

Workable is a UK registered company with a subsidiary in the US; we take security and data protection very seriously. As a result of this ruling, we’ve updated the steps we take to comply with both EU and US laws. These steps are outlined below:

  • Workable is a UK registered company with a subsidiary in the US
  • Workable customer data is stored with Amazon Web Services (AWS) in the US
  • Workable and AWS have signed a Data Processing Agreement that incorporates a model clauses contract. This contract includes a standard set of provisions defined and approved by the European Commission to ensure that your personal data can be transferred securely by Workable in Europe to AWS in the US.
  • In addition, Workable’s US subsidiary has signed a model clauses contract with Workable’s UK entity, allowing data to pass with full protection between Europe and the US.

This means that Workable can transfer personal data to the United States, in compliance with the Data Protection directive of the EU.