Workato is committed to providing a highly secure and reliable integration and business automation service. This includes maintaining the confidentiality of its customers' information and ensuring that customers' information will be available when it is needed. To achieve this we use proven, tested, best-in-class security tools, technologies, practices and procedures.
SOC 2 Type 2 audited
Workato has successfully completed a Service Organization Controls 2 (SOC 2) Type 2 audit with a third-party evaluator certified by The American Institute of CPAs (AICPA). This audit uses the Trust Services Principles, published by the AICPA, to evaluate the effectiveness of a service organization's controls with respect to security, availability, processing integrity, online privacy, and confidentiality.
More information on SOC 2 reports can be found here.
Workato uses Stripe, a PCI-compliant, Level 1 audited payment processor, for processing credit card payments for the Workato services.
Hosting Environment and Physical Security
Workato is hosted on public cloud infrastructure from Amazon Web Services (AWS) and Google Cloud Platform (GCP). Both Amazon and Google maintain high standards of security for their data centers. You can read further about AWS and Google security here:
The Workato website is only accessible over HTTPS. Traffic over HTTPS is encrypted and is protected from interception by unauthorized third parties. Workato follows current best practices for security, including the use of strong encryption algorithms with a key length of at least 128 bits.
Workato also uses secure protocols for communication with third-party systems: usually HTTPS, but other protocols such as SFTP and FTPS are also supported. For on-premises systems, access requires the installation of an on-premises agent behind the firewall, which communicates outbound to Workato over an encrypted link using TLS 1.2.
Workato uses a multi-tier architecture that segregates internal application systems from the public Internet. Public traffic to the website passes through a Web Application Firewall (WAF) and then is routed to interior systems running on private subnets. Interior as well as exterior network traffic uses secure, encrypted protocols. All network access, both within the datacenter and between the datacenter and outside services, is restricted by firewall and routing rules. Network access is recorded into a centralized secure logging system.
Clients log in to Workato using a password which is known only to them. Password length, complexity and expiration standards are enforced. Passwords are not stored; instead, as is standard practice, only a secure hash of the password is stored in the database. Because the hash is deliberately expensive to compute, and because each password is hashed with its own random salt, brute-force guessing attempts are relatively ineffective, and recovering the password is difficult even if the hash value were to be obtained by a malicious party.
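The two properties named above, a slow hash and a per-password salt, are what make a stolen hash table hard to reverse. The following is an added example, not Workato's code, showing one common way to implement them with the Python standard library: PBKDF2-HMAC-SHA256 with a high iteration count (the 600,000 figure and the record format are this example's own choices, not Workato's), a fresh 16-byte salt per password, a constant-time comparison on verification, and a check that lets stored records be upgraded when the iteration policy is raised.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (this example's own, not Workato's): PBKDF2-HMAC-SHA256,
# a deliberately high iteration count, and a random 16-byte salt per password.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
HASH_BYTES = 32
REDACTED = "[REDACTED]"  # never log the raw password; only this marker


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    Storing the salt and iteration count beside the hash means each user gets a
    different salt (identical passwords produce different records) and the
    cost parameter can be raised later without breaking existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=HASH_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations, compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        expected = bytes.fromhex(hash_hex)
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: treat as a failed login, never as a match
    if algorithm != ALGORITHM or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, rounds, dklen=len(expected))
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record predates the current cost policy (rehash on next successful login)."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    import time
    record = hash_password("correct horse battery staple")
    start = time.perf_counter()
    ok = verify_password("correct horse battery staple", record)
    elapsed = time.perf_counter() - start
    print(f"stored record: {record}")
    print(f"verified={ok} in {elapsed:.3f}s per guess")
```

The per-guess time printed at the end is the point of the exercise: an attacker holding the database must pay that cost for every candidate password, per user, because the salts differ; a plain SHA-256 of the password would cost microseconds and be shared across users.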
Workato users can optionally configure their accounts to use Two-Factor Authentication, by means of an authenticator app such as Google Authenticator, Microsoft Authenticator, or Authy.
Workato supports integration with third-party SAML-compliant SSO systems. This allows an enterprise to manage access to Workato as well as other enterprise applications and apply custom authentication schemes and policies.
Workato also supports Single Sign-On using third-party credentials, including Google and Microsoft Office 365.
Workato supports automatic session logout after a period of time. Enterprises can set the appropriate timeout period according to their security needs.
When Workato recipes connect to remote systems using user-supplied credentials, where possible this is done using OAuth2, and in those cases, no credentials need to be stored in the Workato system. However, if a remote system requires credentials to be stored, they are encrypted using a 256-bit key.
Application Development and Testing
Workato has a comprehensive software development lifecycle process that incorporates security and privacy considerations. Design and code reviews, as well as unit and integration testing, are part of the process.
Development staff receive regular training on secure coding practices, including avoidance of the OWASP Top Ten web application vulnerabilities.
Workato undergoes an annual penetration test of the website by a qualified third party. In addition, regular internal vulnerability scans are conducted.
Transaction Data Retention and At-Rest Protection
All data stored in the Workato system is encrypted at rest.
Workato stores transaction-related data for a limited period of time, in order to provide visibility into system activity, facilitate testing and debugging, allow re-running failed transactions, and support long-running transactions. All transaction data is always encrypted in transit and when stored in Workato's platform. Workato stores transaction data in Google Cloud.
Customers have control over the retention period of the transaction data. In addition, Workato provides the ability to mask out sensitive data in the transaction logs for additional security.
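Masking sensitive fields before a transaction record is written is the control that limits what a retained log can leak. The following is an added example, not Workato's own masking feature, of how such a filter can work: it walks a JSON log record, redacts values whose key names match a constructed sensitive-field pattern, redacts values that look like card numbers or bearer tokens regardless of key name, and falls back to a key=value regex for non-JSON lines. The key patterns and the sample log lines are constructed for this example.

```python
import json
import re
from typing import Any, List

REDACTED = "[REDACTED]"

# Constructed field-name patterns for this example; a real deployment would
# tune these to its own payload schemas.
SENSITIVE_KEY = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|authorization|ssn|card[_-]?number)", re.I)
# Value-shape checks catch secrets that arrive under an innocuous key.
CARD_VALUE = re.compile(r"^\d{13,19}$")
BEARER_VALUE = re.compile(r"^Bearer\s+\S+$", re.I)
# For plain-text lines: key=value pairs whose key is sensitive.
KV_PATTERN = re.compile(
    r"\b(password|passwd|secret|token|api[_-]?key|authorization)=(\S+)", re.I)


def mask_record(obj: Any) -> Any:
    """Recursively redact sensitive values in a decoded JSON structure."""
    if isinstance(obj, dict):
        return {k: (REDACTED if SENSITIVE_KEY.search(str(k)) else mask_record(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [mask_record(v) for v in obj]
    if isinstance(obj, str):
        if CARD_VALUE.match(obj.replace(" ", "")) or BEARER_VALUE.match(obj):
            return REDACTED
    return obj  # numbers, booleans, None and harmless strings pass through


def mask_log_line(line: str) -> str:
    """Mask one log line: structured (JSON) if it parses, key=value fallback otherwise."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return KV_PATTERN.sub(lambda m: f"{m.group(1)}={REDACTED}", line)
    return json.dumps(mask_record(record), separators=(",", ":"))


def mask_log_lines(lines: List[str]) -> List[str]:
    return [mask_log_line(line) for line in lines]


# Constructed sample lines (not real Workato log output).
SAMPLE_LINES = [
    '{"event":"recipe_run","step":1,"input":{"email":"a@example.com","password":"hunter2"}}',
    '{"event":"http_call","headers":{"Authorization":"Bearer abc.def.ghi"},'
    '"body":{"card_number":"4111111111111111","amount":12.5,"note":"4111 1111 1111 1111"}}',
    "GET /v1/orders token=xyz123 user=alice",
]

if __name__ == "__main__":
    for original, masked in zip(SAMPLE_LINES, mask_log_lines(SAMPLE_LINES)):
        print(masked)
```

The design choice worth noting is the second line of defence: the `note` field is not a sensitive key, yet its value is a card number with spaces, so the value-shape check still masks it. Key-name matching alone is brittle because integrations rename fields freely; the shape check costs little and catches the common leaks.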
Workato has implemented a Business Continuity and Disaster Recovery program. This program includes not just measures to ensure the high availability of Workato’s IT assets, but also contingency planning for natural disasters and other possible disruptions. IT measures used to ensure high availability include running Workato services in multiple redundant cloud Availability Zones and replication of the application database to a standby system.
Current system status and recent uptime statistics are continuously available at status.workato.com.
Workato has deployed a variety of security and monitoring tools for its production systems. There is 24x7 monitoring of the security status of its systems and automated alerts are configured for security and performance issues.
While we don't anticipate there ever being a breach of our systems, Workato has put in place a Security Incident Response Plan, which details roles, responsibilities and procedures in case of an actual or suspected security incident.
All employees are subject to background checks that cover education, employment and criminal history. Employment at Workato requires written acknowledgement by employees of their roles and responsibilities with respect to protecting user data and privacy.
Workato maintains an information security training program that is mandatory for all employees.
Knowledgeable full-time security personnel are on staff.