Workato Security Overview

Last updated: September, 2019

Workato is committed to providing a highly secure and reliable integration and business automation service. This includes maintaining the confidentiality of its customers' information and ensuring that customers' information will be available when it is needed. To achieve this we use proven, tested, best-in-class security tools, technologies, practices and procedures.

SOC 2 Type 2 audited

Workato has successfully completed a Service Organization Controls 2 (SOC 2) Type 2 audit with a third-party evaluator certified by The American Institute of CPAs (AICPA). This audit uses the Trust Services Principles, published by the AICPA, to evaluate the effectiveness of a service organization's controls with respect to security, availability, processing integrity, online privacy, and confidentiality.

More information on SOC 2 reports can be found here.

PCI

Workato uses PCI Compliant Level 1 audited payment processor Stripe for processing credit card payments for the Workato services.

Hosting Environment and Physical Security

Workato is hosted on public cloud infrastructure from Amazon Web Services (AWS) and Google Cloud Platform. Both Amazon and Google maintain high standards of security for their data centers. You can read further about AWS and Google security here:

aws.amazon.com/security/
cloud.google.com/security/

Network Security

The Workato platform encrypts all customer data both in transit and at rest.

The Workato website is only accessible over HTTPS. Traffic over HTTPS is encrypted and is protected from interception by unauthorized third parties. Workato follows current best practices for security, including the use of strong encryption algorithms with a key length of at least 128 bits.

Workato also uses secure protocols for communication with third-party systems: usually HTTPS, but other protocols such as SFTP and FTPS are also supported. For on-premises systems, access requires the installation of an on-premises agent behind the firewall, which communicates outbound to Workato over an encrypted link using TLS 1.2.

Administrative access to Workato servers is over VPN or other secure protocols. Administrative access is granted only to select employees of Workato, based on role and business need. Multi-factor authentication is required for access. Administrative actions are logged.

Workato uses a multi-tier architecture that segregates internal application systems from the public Internet. Public traffic to the website passes through a Web Application Firewall (WAF) and then is routed to interior systems running on private subnets. Interior as well as exterior network traffic uses secure, encrypted protocols. All network access, both within the datacenter and between the datacenter and outside services, is restricted by firewall and routing rules. Network access is recorded into a centralized secure logging system.

Authentication

Clients log in to Workato using a password which is known only to them. Password length, complexity and expiration standards are enforced. Passwords are not stored; instead, as is standard practice, only a secure hash of the password is stored in the database. Because the hash is relatively expensive to compute, and because a “salting” method is used, brute-force guessing attempts are relatively ineffective, and password reverse-engineering is difficult even if the hash value were to be obtained by a malicious party.

Workato users can optionally configure their accounts to use Two-Factor Authentication, by means of an authenticator app such as Google Authenticator, Microsoft Authenticator, or Authy.

Besides login using a Workato password, Workato also supports Single Sign-On using third-party credentials including Google and Microsoft Office 365. Alternatively, it is possible to use SAML to integrate with an external directory system.

Workato supports automatic session logout after a period of time. Enterprises can set the appropriate timeout period according to their security needs.

When Workato recipes connect to remote systems using user-supplied credentials, where possible this is done using OAuth2, and in those cases, no credentials need to be stored in the Workato system. However, if a remote system requires credentials to be stored, they are encrypted using a 256-bit key.

Application Development and Testing

Workato has a comprehensive software development lifecycle process that incorporates security and privacy considerations. Design and code reviews, as well as unit and integration testing, are part of the process.

Development staff receive regular training on Secure Coding Practices, including avoidance of the OWASP Top Ten web application vulnerabilities.

Workato undergoes an annual penetration test of the website by a qualified third party. In addition, regular internal vulnerability scans are conducted.

Data Privacy

Workato has a public privacy policy, which details the types of personal information we collect, our handling of this information, and our customers’ privacy rights.

Transaction Data Retention and At-Rest Protection

Workato stores transaction-related data for a limited period of time, in order to provide visibility into system activity, facilitate testing and debugging, allow re-running failed transactions, and to support long-running transactions. All transaction data is always encrypted in transit and when stored in Workato's platform. Workato stores transaction data in Google Cloud.

Customers have control over the retention period of the transaction data. In addition, Workato provides the ability to mask out sensitive data in the transaction logs for additional security.

High Availability

Workato has implemented a Business Continuity and Disaster Recovery program. This program includes not just measures to ensure the high availability of Workato’s IT assets, but also contingency planning for natural disasters and other possible disruptions. IT measures used to ensure high availability include running Workato services in multiple redundant cloud Availability Zones and replication of the application database to a standby system.

Current system status and recent uptime statistics are continuously available at status.workato.com.

Incident Response

While we don't anticipate there ever being a breach of our systems, we know that no computer system is perfectly secure.

In the event of a breach of a Workato information system, we have a detailed Incident Response Plan in place, and there is periodic testing of the response plan.

Workato has deployed a variety of security and monitoring tools for its production systems, including anti-virus, file integrity monitoring, intrusion detection, and threat detection software. There is 24x7 monitoring of the security status of its systems, and automated alerts are configured for security and performance issues.

Our Organization

All employees are subject to background checks that cover education, employment and criminal history. Employment at Workato requires written acknowledgement by employees of their roles and responsibilities with respect to protecting user data and privacy.

Workato maintains an information security training program that is mandatory for all employees.

Knowledgeable full-time security personnel are on staff.