Workato is committed to providing a highly secure and reliable integration service using proven, tested, best-in-class technologies, practices and procedures.
SOC 2 Type 2 audited
Workato is committed to maintaining the confidentiality of its customers' information and ensuring that customers' information will be available when it is needed. Workato has successfully completed a Service Organization Controls 2 (SOC 2) Type 2 audit with a third-party evaluator certified by The American Institute of CPAs (AICPA). This audit uses the Trust Services Principles, published by the AICPA, to evaluate the effectiveness of a service organization's controls with respect to security, availability, processing integrity, online privacy, and confidentiality.
More information on SOC 2 reports can be found here.
Hosting and Physical Security
Workato servers are hosted on Heroku, an application platform that in turn uses services provided by Amazon Web Services (AWS). Web servers and databases run on servers in secure data centers. Physical access is restricted to authorized personnel. Premises are monitored and access is logged.
Isolation of Services
Workato servers run in Linux virtual machines which are isolated from one another and from the underlying hardware layer. Server processes are restricted to a particular directory and do not have access to the local filesystem.
Workato services are accessible only over HTTPS. Traffic over HTTPS is encrypted and is protected from interception by unauthorized third parties. Workato follows current best practices for security, including the use of strong encryption algorithms with a key length of at least 128 bits.
Workato servers may also allow SSH access (protected by TLS and private key authentication) for administration. Administrative access is granted only to select employees of Workato, based on role and business need.
All network access, both within the datacenter and between the datacenter and outside services, is restricted by firewall and routing rules. Network access is logged and logs are retained for a minimum of 30 days.
Application access to databases used in the Workato service is over an encrypted link (TLS).
While recipes are public by default and can be browsed and copied, customer data associated with a recipe is not public and not viewable by other users.
Clients login to Workato using a password which is known only to them. Clients are required to have reasonably strong passwords. Passwords are not stored; instead, as is standard practice, only a secure hash of the password is stored in the database. Because the hash is relatively expensive to compute, and because a “salting” method is used, brute-force guessing attempts are relatively ineffective, and password reverse-engineering is difficult even if the hash value were to be obtained by a malicious party.
When Workato recipes connect to remote systems using user-supplied credentials, where possible this is done using OAuth, and in those cases, no credentials need to be stored in the Workato system. However, if a remote system requires credentials to be stored, they are encrypted using a 256-bit key.
Connections to remote systems are done only over secure (HTTPS) connections.
Transaction Data Retention and At-Rest Protection
Workato stores transaction related data only to enable customers to have better insight and control over their transactions and in cases where transactions take a long time to finish. Specifically, Workato stores transaction data to support transaction logging, testing and debugging, re-running transactions, and in support of long running transactions. All transaction data is always encrypted in transit and when stored in Workato's platform. Workato stores transaction data in Salesforce Heroku and Google cloud.
See the Workato Business Continuity and Disaster Recovery Program for information on how Workato ensures continuous availability of its service and protects against the risk of disruptions.
Development and Testing Process
Workato developers have been trained in secure coding practices. Workato application architecture includes mitigation measures for common security flaws such as the OWASP Top 10. The Workato application uses industry standard, high-strength algorithms including AES and bcrypt. Regular security tests are conducted, including the use of scanning and fuzzing tools to check for vulnerabilities. Workato also undergoes periodic penetration testing by a qualified 3rd-party firm.