Security and Compliance at WorkPatterns

At WorkPatterns, our top priority is the security of our customer’s data. We heavily invest in security through our written policies and our technical infrastructure. We’ve reviewed our software and policies to ensure compliance with The General Data Protection Regulation (GDPR). We also enlist the services of 3rd parties to ensure our application is secure. We undergo an annual penetration test that mimics the work of sophisticated attackers, and in July 2021, we received our SOC 2 Type II certification by the auditing firm LWBJ.
To request a copy of our SOC 2 Type II report or penetration test results please email support@workpatterns.com to sign an NDA.

Security Policies

Code Deployment

We use Github’s Branch Protection Rules to ensure that no code can be deployed without a passing review by another engineer. We also use Continuous Integration to ensure that no code is deployed unless it passes an extensive suite of automated tests. Finally all code deploys are broadcast to Slack, providing real time visibility into what was deployed and when.

Infrastructure

Our application and database servers are hosted on Heroku, a cloud application platform which runs on top of Amazon Web Services (AWS). Our application also uses AWS directly for Encryption Key Management, CDN and File Storage. Both AWS and Heroku are SOC2-certified and maintain robust security policies.

You can read more about AWS and Heroku’s security policies here:
https://aws.amazon.com/security/

https://www.heroku.com/policy/security

Encryption

WorkPatterns encrypts all communication between its servers and end users’ browsers using HTTPS.  All data in our production database is encrypted at rest with AES-256, block-level storage encryption. Highly sensitive data such as OAuth tokens is further encrypted at the application level.

Backup of Data

We create daily backups of our production database. Backups are retained for 30 days.

Passwords and Authentication

We require use of two-factor authentication to sign in to all critical internal software, including AWS and Heroku. We manage passwords to all internal software using 1Password, which enforces strong password hygiene.

Employees

All new employees must undergo a background screening before beginning employment at WorkPatterns. In addition, all employees must complete an annual cybersecurity awareness training and agree to our informational security policies. All employee laptops use hard drive encryption.

Vulnerability disclosure program

If you have identified a potential security vulnerability in our system, please report it within 24 hours by emailing security@workpatterns.com. We will respond to your report within 48 hours.