Workable is a robust and secure software application. The security and performance of Workable are our number one priority, and customers can use Workable confident that we maintain the highest standards and best practices.
Workable is deployed on Heroku (a cloud application platform used by organizations of all sizes to deploy and operate applications worldwide) and on Amazon Web Services (AWS). Heroku’s physical infrastructure is hosted and managed within Amazon’s secure data centers and runs on AWS technology. AWS’s data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
SSL & Encryption
All traffic between our clients and Workable servers is encrypted with TLS (still commonly referred to as SSL). Our certificates are issued with RSA- and DSA-based keys. We follow the predefined security policies recommended by Amazon ELB; for details, refer to the official AWS ELB security policies page. We also send an HTTP Strict Transport Security (HSTS) policy, so that browsers that have seen it refuse to connect to Workable over plain HTTP; this protects against protocol downgrade attacks and against cookie hijacking over an unencrypted connection.
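An HSTS policy only does what the paragraph above says if the header is well-formed, carries a long enough max-age, and is received over HTTPS. The following checker is an added example, not Workable's code: it parses a Strict-Transport-Security header as RFC 6797 describes and reports the weaknesses a practitioner would look for. The policy thresholds (one-year max-age, includeSubDomains) and the sample responses at the bottom are constructed for illustration.

```python
"""Evaluate Strict-Transport-Security headers (added example, not Workable's code)."""
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 365 * 24 * 60 * 60  # assumed threshold; also what the preload list requires


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse an HSTS header per RFC 6797 section 6.1.

    Directives are ';'-separated and case-insensitive; max-age is mandatory;
    a directive may not be repeated. Returns None where a browser would
    ignore the header.
    """
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in header.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:  # repeated directive: header is invalid
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate_hsts(scheme: str, header: Optional[str]) -> List[str]:
    """Return findings for an HSTS header seen on a response fetched over `scheme`."""
    if header is None:
        return ["no Strict-Transport-Security header: nothing stops a downgrade to http://"]
    if scheme != "https":
        # RFC 6797 section 8.1: a UA must ignore HSTS received over an insecure transport
        return ["HSTS header sent over plain HTTP: browsers ignore it"]
    policy = parse_hsts(header)
    if policy is None:
        return ["malformed HSTS header: browsers ignore it"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 removes the host from HSTS rather than enabling it")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age={policy.max_age} is under one year; the downgrade window reopens quickly")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: domain-scoped cookies can still be sent to a subdomain over http://")
    if policy.preload and (not policy.include_subdomains or policy.max_age < ONE_YEAR):
        findings.append("preload set but preload requirements (one-year max-age and includeSubDomains) not met")
    return findings


# Constructed sample responses, not captured from any real host.
SAMPLE_RESPONSES = [
    ("https", "max-age=31536000; includeSubDomains; preload"),
    ("https", "max-age=300"),
    ("http", "max-age=31536000; includeSubDomains"),
    ("https", None),
]

if __name__ == "__main__":
    for scheme, hdr in SAMPLE_RESPONSES:
        print(f"{scheme:5} {hdr!r}: {evaluate_hsts(scheme, hdr) or ['ok']}")
```

When checking a live deployment, fetch the same path over both http:// and https:// and feed each scheme and header into `evaluate_hsts`; the http:// response should redirect to HTTPS rather than being relied on to carry the policy.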
Passwords are stored hashed and never logged, stored or transmitted as plain text.
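What "stored hashed" should mean in practice is a salted, memory-hard key derivation with a constant-time comparison, parameters stored alongside the hash so they can be raised later, and log scrubbing so the plaintext never reaches a log line. The block below is an added example using only the Python standard library; it is not Workable's code, and the record format, scrypt parameters and the field names treated as secrets are assumptions for illustration.

```python
"""Salted scrypt password storage with constant-time verification and log scrubbing.
Added example, not Workable's code."""
import base64
import hashlib
import hmac
import os
from typing import Tuple

# Assumed scrypt work factors: n is CPU/memory cost, r block size, p parallelism.
# n=2**14, r=8 uses about 16 MiB per hash; raise n as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32

# Assumed names of form fields that must never be written to logs.
SECRET_FIELDS = ("password", "password_confirmation", "current_password")


def hash_password(password: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Return a self-describing record: $scrypt$n=..$r=..$p=..$salt$digest (assumed format)."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    return "$scrypt$n={}$r={}$p={}${}${}".format(
        n, r, p, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_password(password: str, stored: str) -> Tuple[bool, bool]:
    """Return (matches, needs_rehash).

    needs_rehash is True when the stored record used weaker parameters than
    the current defaults, so the caller can re-hash on a successful login.
    """
    try:
        _, scheme, n_s, r_s, p_s, salt_b64, digest_b64 = stored.split("$")
        if scheme != "scrypt":
            return (False, False)
        n, r, p = (int(x.split("=", 1)[1]) for x in (n_s, r_s, p_s))
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, IndexError):
        return (False, False)  # unreadable record: fail closed
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    ok = hmac.compare_digest(actual, expected)  # constant-time, no early exit on mismatch
    needs_rehash = ok and (n, r, p) != (SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return (ok, needs_rehash)


def scrub_for_log(form: dict) -> dict:
    """Copy of a request form with secret fields redacted before it is logged."""
    return {k: ("[REDACTED]" if k in SECRET_FIELDS else v) for k, v in form.items()}


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # (True, False)
    print(verify_password("wrong", record))                         # (False, False)
    # Constructed login form, not real data
    print(scrub_for_log({"email": "user@example.com", "password": "hunter2"}))
```

Because the work factors travel with each record, older hashes keep verifying after the defaults are raised, and the `needs_rehash` flag lets the application upgrade them transparently the next time the user logs in.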
Workable is ISO 27001 certified. Our recruiting software and operating environment meet the highest worldwide security and data protection standards, and this independent accreditation is maintained through regular audits. Internally, ongoing cyber-security training reinforces the protection provided by our software and systems.
Backup process and data retention policy
Heroku automates the backup process, and we keep full daily backups of Workable data for the last 50 days. Heroku also retains a transaction log covering the last 7 days. Find out more about Heroku’s data safety and continuous protection.
Heroku uses disaster recovery facilities that are geographically remote from its primary data centers, for use should the production facilities at the primary data centers become unavailable. Workable also maintains a hot-standby follower database that can take over should the primary database be inaccessible for any reason.
Only authorized Workable employees are given access to the resources required for their role, following the principle of least privilege. Authentication to these resources is always password-based, and login credentials are always transmitted encrypted, over HTTPS.
Credit card data
Credit card information is encrypted on the client by our payment gateway, Braintree, so it never reaches Workable servers in readable form. Workable does not store credit card data. All credit card information is stored by Braintree, which is a validated Level 1 PCI DSS compliant service provider.
External security testing
We work with HackerOne to test Workable for vulnerabilities and to ensure that any faults are identified as quickly as possible. HackerOne works with many other security-conscious companies, including GM, Spotify, Starbucks and Airbnb.
3rd Party Access to Data
Your data is safe with Workable; we don’t sell data to any 3rd parties.
We guarantee 99.8% uptime averaged over one month (excluding scheduled maintenance).
We are continuously updating Workable to provide an excellent product and experience for our users. Most updates take place with no downtime at all. Where some downtime is required, we keep it to an absolute minimum, typically 10 to 20 minutes. Any scheduled downtime is announced at least one business day in advance and is scheduled during off-peak hours, typically Sunday evenings. All incidents and scheduled downtime are announced on our Status Page, where users can subscribe to live email or SMS updates.
EU Data Protection
Companies in the EU can use Workable with confidence. Workable adheres to all necessary data protection regulations. Since the Safe Harbor framework was declared invalid by the ECJ, we have put EU model clauses in place between our UK subsidiary and our US subsidiary. Furthermore, the AWS Data Processing Agreement includes the model clauses.
Workable is a GDPR-compliant partner, with tools and features that help your organization towards its own GDPR compliance.