Last updated: Apr 8, 2015
Workato is committed to providing a secure, reliable and highly available service.
Workato is committed to maintaining the confidentiality of its customers' information and ensuring that customers' information will be available when it is needed. Workato has successfully completed a Service Organization Controls 2 (SOC 2) Type I audit with a 3rd-party evaluator certified by The American Institute of CPAs (AICPA). This audit uses the Trust Services Principles, published by the AICPA, to evaluate the effectiveness of a service organization's controls with respect to security, availability, processing integrity, online privacy, and confidentiality.
More information on SOC 2 reports can be found here.
Workato servers are hosted on Heroku , an application platform that in turn uses services provided by Amazon Web Services (AWS) . Web servers and databases run on servers in secure data centers. Physical access is restricted to authorized personnel. Premises are monitored and access is logged.
Workato servers run in Linux virtual machines which are isolated from one another and from the underlying hardware layer. Server processes are restricted to a particular directory and do not have access to the local filesystem.
Workato services are accessible only over HTTPS. Traffic over HTTPS is encrypted and is protected from interception by unauthorized third parties. Workato uses only strong encryption algorithms with a key length of at least 128 bits.
All network access, both within the datacenter and between the datacenter and outside services, is restricted by firewall and routing rules. Network access is logged and logs are retained for a minimum of 30 days.
Workato servers are only accessible through HTTPS and deny access to other ports, except that SSH access (protected by TLS and private key authentication) is enabled for administration. Administrative access is granted only to select employees of Workato, based on role and business need.
Access to databases used in the Workato service is over an encrypted link (TLS).
While recipes are public by default and can be browsed and copied, customer data associated with a recipe is not public and not viewable by other users.
Workato stores transaction related data only to enable customers to have better insight and control over their transactions and in cases where transactions take a long time to finish. Specifically, Workato stores transaction data to support transaction logging, testing and debugging, re-running transactions, and in support of long running transactions. All transaction data is always encrypted in transit and when stored in Workato's platform. Workato stores transaction data in Salesforce Heroku and Google cloud.
Clients login to Workato using a password which is known only to them. Clients are required to have reasonably strong passwords. Passwords are not stored; instead, as is standard practice, only a secure hash of the password is stored in the database. Because the hash is relatively expensive to compute, and because a “salting” method is used, brute-force guessing attempts are relatively ineffective, and password reverse-engineering is difficult even if the hash value were to be obtained by a malicious party.
When Workato recipes connect to remote systems using user-supplied credentials, where possible this is done using OAuth, and in those cases, no credentials need to be stored in the Workato system. However, if a remote system requires credentials to be stored, they are encrypted using a 256-bit key.
Connections to remote systems are done only over secure (HTTPS) connections.
Workato developers have been trained in secure coding practices. Workato application architecture includes mitigation measures for common security flaws such as the OWASP Top 10 . The Workato application uses industry standard, high-strength algorithms including AES and bcrypt. Periodic security tests are conducted, including using scanning and fuzzing tools to check for vulnerabilities.