Workato Security Overview

Last updated: May 1, 2018

Workato is committed to providing a highly secure and reliable integration service. This includes maintaining the confidentiality of its customers' information and ensuring that customers' information will be available when it is needed. To achieve this we use proven, tested, best-in-class security tools, technologies, practices and procedures.

SOC 2 Type 2 audited

Workato has successfully completed a Service Organization Controls 2 (SOC 2) Type 2 audit with a third-party evaluator certified by The American Institute of CPAs (AICPA). This audit uses the Trust Services Principles, published by the AICPA, to evaluate the effectiveness of a service organization's controls with respect to security, availability, processing integrity, online privacy, and confidentiality.

More information on SOC 2 reports can be found here.

PCI

Workato uses PCI Compliant Level 1 audited payment processor Stripe for processing credit card payments for the Workato services.

Hosting Environment and Physical Security

Workato is hosted on public cloud infrastructure from Amazon Web Services (AWS) and Google Cloud Platform and Heroku, which runs on AWS. Both Amazon and Google servers and databases run on servers in secure data centers and have a broad set of certifications.

You can read further about AWS, Google and Heroku security and certifications here:
aws.amazon.com/security/
cloud.google.com/security/
www.heroku.com/policy/security

Network Security

All information is encrypted in transit and at rest.

Workato services are accessible only over HTTPS. Traffic over HTTPS is encrypted and is protected from interception by unauthorized third parties. Workato follows current best practices for security, including the use of strong encryption algorithms with a key length of at least 128 bits.

For on-premise systems, access requires the installation of a on premises agent behind the firewall. All communication between Workato and the on premises agent is over an encrypted link (TLS 1.2).

Administrative access to Workato servers is over VPN or other secure protocols. Administrative access is granted only to select employees of Workato, based on role and business need. Multi-factor authentication is required for access.

Workato uses a multi-tier architecture that segregates internal application systems from the public Internet. All network access, both within the datacenter and between the datacenter and outside services, is restricted by firewall and routing rules. Network access is recorded into a centralized secure logging system.

Application access to databases used in the Workato service is over an encrypted link (TLS).

Application Development

Workato has a comprehensive software development lifecycle process that incorporates the Security STRIDE model as well as design and code reviews, unit and integration testing.

All applications are regularly scanned for common security vulnerabilities including the OWASP Top Ten.

Regular training on Secure Coding Practices is provided. All engineers must attend training sessions.

Regular security tests are conducted, including the use of scanning and fuzzing tools to check for vulnerabilities. Workato also undergoes periodic penetration testing by a qualified 3rd-party firm.

Data Privacy

Workato has a privacy policy, which details the steps we take to protect clients’ information. You can view the privacy policy here: www.workato.com/legal/privacy-policy.

Authentication

Clients login to Workato using a password which is known only to them. Password length and complexity standards are enforced. Passwords are not stored; instead, as is standard practice, only a secure hash of the password is stored in the database. Because the hash is relatively expensive to compute, and because a “salting” method is used, brute-force guessing attempts are relatively ineffective, and password reverse-engineering is difficult even if the hash value were to be obtained by a malicious party.

Workato supports automatic session logout after a period of time. Enterprises can set the appropriate timeout period according to their security needs.

When Workato recipes connect to remote systems using user-supplied credentials, where possible this is done using OAuth2, and in those cases, no credentials need to be stored in the Workato system. However, if a remote system requires credentials to be stored, they are encrypted using a 256-bit key.

Connections to remote systems are done only over secure (HTTPS) connections.

Workato also supports integration with Single Sign-on Systems using SAML such as Okta and OneLogin. Customers can use SSO for authentication into Workato as well as application connections for recipes. These systems can be configured to require Multi-factor Authentication as well as other security features.

Transaction Data Retention and At-Rest Protection

Workato stores transaction related data only to enable customers to have better insight and control over their transactions and in cases where transactions take a long time to finish. Specifically, Workato stores transaction data to support transaction logging, testing and debugging, re-running transactions, and in support of long running transactions. All transaction data is always encrypted in transit and when stored in Workato's platform. Workato stores transaction data on the Google cloud.

Customers have control over the retention period of the transaction data. In addition Workato provides the ability to mask out sensitive data in the transaction logs for additional security.

High Availability

Workato ensures continuous availability of its service and protects against the risk of disruptions by implementing a Business Continuity and Disaster Recovery program. This includes continuous backup to a standby database.

Our Organization

All employees are subject to background checks that cover education, employment and criminal history. Employment at Workato requires written acknowledgement by employees of their roles and responsibilities with respect to protecting user data and privacy.

Workato maintains an information security training program.

Knowledgeable full-time security personnel are on staff.

Incident Response

While we don't anticipate there ever being a breach of our systems, we know that no computer system is perfectly secure.

In the event of a breach of a Workato information system, we have a detailed Incident Response Plan in place, and there is periodic testing of the response plan.

Workato has 24x7 monitoring of the security status of its systems and automated alerts for security and performance issues.