Workway.pro | A Complete Ecosystem

Overview

Our security strategy involves the following components

Organizational security

Workway maintains a robust Information Security Management System (ISMS) that defines our security goals, risk management plans, and continuous improvement processes. Our policies and procedures address:

Data confidentiality, integrity, and availability
Employee access management
Threat identification and mitigation
Continuous compliance with industry standards

We ensure that all stakeholders, from employees to partners, align with our strict security commitments.

Employee Background Checks

We take the trust you place in us seriously.
Every employee undergoes a thorough background verification by third-party professional agencies.
We verify:

Criminal history
Previous employment records
Educational qualifications

Until background checks are completed, employees are restricted from accessing sensitive customer data or critical systems.

Security Awareness Training

Security is everyone’s responsibility at Workway.

All new hires must sign a confidentiality agreement and acceptable use policy before joining. Employees receive mandatory training on information security, privacy standards, and compliance. We conduct periodic security quizzes, role-specific security workshops, and ongoing training sessions. Our internal knowledge community and regular security events keep everyone updated on emerging threats and best practices.

We believe that an aware workforce is the first line of defense.

Dedicated Security and Privacy Teams

Workway has specialized teams dedicated solely to:

Managing and enhancing security and privacy programs
Engineering defense systems
Conducting vulnerability assessments and threat detection
Providing consulting to product teams to integrate security into the development lifecycle

Our security teams proactively monitor and respond to any unusual activity across all systems.

Internal Audit and Compliance

Our dedicated compliance team ensures that all processes align with industry standards.

Regular internal audits across all departments
Facilitation of third-party independent audits and certifications
Gap assessments and improvements for compliance with ISO, GDPR, and other global standards

We don’t just meet standards — we strive to exceed them.

Physical security

Security at Workplaces

We control access to our offices, infrastructure, and facilities using role-based access cards. Employees, contractors, vendors, and visitors are issued specific access cards that allow entry only to areas they are authorized for. The HR team maintains and updates access roles according to job functions. Access logs are maintained and regularly reviewed to detect and address any anomalies in physical access.

This ensures that only authorized personnel can access sensitive environments.

Security at Data Centers

Workway’s servers and storage are hosted with leading co-location providers, who handle: Building security, Cooling systems, Power supply, Basic physical protection.

Meanwhile, we ensure:

Access to data centers is restricted strictly to a small group of authorized personnel.
Additional two-factor authentication (2FA) and biometric authentication are mandatory for entry. Access is granted only via formal ticket requests and manager approvals.
Access logs, activity records, and CCTV footage are maintained to investigate any incident if necessary.

Data centers are among the most tightly controlled areas at Workway.

Monitoring and Surveillance

All Workway business centers and data centers are monitored 24/7 via CCTV cameras installed as per local regulations. Footage backups are maintained for a defined period depending on regulatory and operational needs. Continuous monitoring helps us detect and respond to physical security incidents promptly.

Every movement is monitored for complete accountability.

Infrastructure Security

Network Security

Workway’s network is protected through multiple layers of defense:

Firewalls prevent unauthorized access and undesirable traffic into our network.
Network segmentation isolates sensitive production systems from testing and development environments.
Daily firewall change reviews by network engineers ensure no unauthorized changes are missed.
Comprehensive monitoring by a dedicated Network Operations Center (NOC) team tracks traffic, alerts on anomalies, and ensures uptime.

Every critical system and parameter is continuously watched using proprietary monitoring tools.

DDoS Prevention

Workway’s network is protected through multiple layers of defense:

We use trusted DDoS protection services to mitigate any distributed denial-of-service (DDoS) attacks.
Network segmentation isolates sensitive production systems from testing and development environments.
Comprehensive monitoring by a dedicated Network Operations Center (NOC) team tracks traffic, alerts on anomalies, and ensures uptime.

Every critical system and parameter is continuously watched using proprietary monitoring tools.

Server Hardening

All development and production servers undergo strict hardening processes:

Disabling unused ports
Removing default passwords
Enforcing secure OS configurations

A pre-hardened base operating system image is deployed across all servers to maintain consistency and eliminate vulnerabilities.

Every server is hardened to resist attacks — before it goes live.

Intrusion Detection and Prevention

Host-based and network-based intrusion detection systems monitor our infrastructure continuously. Privileged command usage, system calls, and administrative access on all production servers are logged and analyzed. Our proprietary Web Application Firewall (WAF) at the application layer operates using whitelist and blacklist rules.

At ISP level, we deploy multi-layered security: Scrubbing centers, Network routing optimization, Rate limiting, Filtering malicious traffic.

We proactively detect and stop any suspicious behavior long before it becomes a threat.

Data security

Secure by Design

Every change and feature introduced in Workway follows a strict Change Management Policy to ensure that all application changes are authorized before implementation into production.

Our Secure Software Development Life Cycle (SDLC) mandates:
Adherence to secure coding practices
Automatic code analysis using vulnerability scanners and code analyzers
Manual code reviews to detect potential security risks

Security and privacy are integrated at every stage of our SDLC.

Additionally, our application layer is protected by a robust security framework based on OWASP standards to prevent: SQL Injection, Cross-Site Scripting (XSS), Application Layer Denial of Service (DoS) attacks

Data Isolation

At Workway:
Each customer’s service data is logically isolated using secure protocols.
Your service data is never mixed with another customer’s data.
Data is distributed securely across our cloud infrastructure.

You own your data — Workway will never share your service data with any third party without your consent.

Encryption

In Transit

All customer data transmitted over public networks is protected with Transport Layer Security (TLS 1.2/1.3) using strong ciphers. TLS encryption is mandatory for:
Web access
API access
Mobile app access
Email protocols (IMAP/POP/SMTP)

We use Perfect Forward Secrecy (PFS) to ensure past communications remain secure, even if future keys are compromised. HTTP Strict Transport Security (HSTS) is enforced, ensuring browsers only use encrypted connections to our servers. All authentication cookies are flagged as Secure, adding another layer of protection.

At Rest

Sensitive customer data at rest is encrypted using 256-bit Advanced Encryption Standard (AES-256). We manage encryption keys internally through a dedicated Key Management Service (KMS). Data encryption keys and master keys are separated and stored on different servers with restricted access. Encryption methods fully comply with NIST (National Institute of Standards and Technology) recommendations.

Data retention and disposal

We retain the data in your Workway account as long as you actively use our services. If you choose to terminate your account:
Your data will be deleted from our active databases during the next scheduled clean-up, which occurs once every six months.
Data removed from active databases will be fully deleted from backup storage within an additional three months.
You always have the option to export and back up your data before account termination.

For unpaid accounts that remain inactive for a continuous period of 120 days, Workway reserves the right to terminate the account. Before termination, users will receive prior notice and an opportunity to back up their data. We ensure you are informed and given control over your data retention decisions.

Identity and Access Control at Workway

Single Sign-On (SSO)

Workway offers Single Sign-On (SSO), allowing users to access multiple Workway services with a single set of credentials. All sign-ins across Workway services are handled through our integrated Identity and Access Management (IAM) system.

We support SAML-based SSO, enabling seamless integration with your company’s identity providers like LDAP, Active Directory Federation Services (ADFS), and others.

SSO simplifies the login process, enhances compliance, enforces effective access controls, improves login reporting, and significantly reduces risks associated with password fatigue and weak credentials.

Multi-Factor Authentication (MFA)

Workway provides an additional layer of security with Multi-Factor Authentication (MFA).

After entering their password, users must provide a second form of verification.
Supported MFA options include:
Biometric verification (Touch ID, Face ID)
Push notifications
QR code authentication
Time-based One-Time Passwords (TOTP)

Workway also supports hardware security keys such as Yubikey for enhanced authentication security.

MFA dramatically reduces the risk of unauthorized access even if user credentials are compromised.

Administrative Access Controls

At Workway, internal employee access to user data is strictly controlled and governed by strong technical policies.

We apply the Principle of Least Privilege (PoLP) and Role-Based Access Control (RBAC) to minimize unnecessary access.

Access to production environments is:

Managed centrally through a secured directory.

Authenticated using strong passwords, two-factor authentication, and passphrase-protected SSH keys.

Routed through separate hardened networks with stricter access policies.

All administrative activities are logged and audited regularly to ensure accountability and detect any unauthorized access attempts.

Operational security

Logging and Monitoring

We monitor and analyze internal network traffic, device usage, and service activity across our systems.

Logs collected include:
Event logs
Audit logs
Fault logs
Administrator and Operator logs

All logs are stored securely on isolated servers, ensuring centralized access control and data integrity. We continuously monitor these logs to identify:
Unusual employee activity
Unauthorized access attempts to customer data

We use file integrity monitoring to track changes to sensitive files.

Vulnerability Management

All user files are scanned by Workway’s automated anti-malware system to detect and prevent malware threats. Our custom-built anti-malware engine receives continuous updates from external threat intelligence sources. We use machine learning algorithms to detect new malicious patterns and protect customer data.

Malware and Spam Protection

All user files are scanned by Workway’s automated anti-malware system to detect and prevent malware threats. Our custom-built anti-malware engine receives continuous updates from external threat intelligence sources. We use machine learning algorithms to detect new malicious patterns and protect customer data.

Workway supports Domain-based Message Authentication, Reporting, and Conformance (DMARC) to prevent email spoofing and phishing. We combine SPF, DKIM, and proprietary detection engines to detect abuse, phishing, and spam across our ecosystem. A dedicated anti-spam team monitors signals from our systems and handles abuse complaints proactively.

Backup and Data Recovery

We perform incremental database backups daily and full backups weekly.

All backups are:
Encrypted using AES-256 encryption
Stored in tar.gz format in secure locations

Backup data is retained for three months. In case of data loss, customers can request data recovery within the retention period. Recovery time depends on data size and complexity.

Backup integrity is ensured using:
Redundant Array of Independent Disks (RAID)
Automated integrity and validation checks

Backup processes are scheduled, tracked, and immediately re-run in case of any failure.

Disaster Recovery and Business Continuity

Application data is stored on resilient storage that replicates across primary and secondary data centers. Real-time replication ensures that, in case of failure at the primary DC, the secondary DC takes over with minimal downtime. Both primary and secondary data centers are equipped with: Multiple Internet Service Providers (ISPs), Power backup systems, Temperature control, Fire prevention systems

Workway conducts regular Disaster Recovery (DR) drills to ensure rapid failover readiness. Business continuity planning covers critical operations like support services and infrastructure management to ensure resilience even in the face of unexpected events.

Incident Management

Reporting

Workway maintains a dedicated Incident Management Team to handle security, privacy, and operational incidents.

If an incident occurs that affects you, we will:
Notify you promptly along with recommended actions you may need to take.
Track and close the incident with appropriate corrective actions.
Provide evidence related to the incident (such as application and audit logs) whenever applicable.

Transparency and corrective action are key parts of our response strategy.

How We Communicate About Incidents

Security or privacy incidents reported by customers are prioritized and responded to urgently via our official communication channels.

For general incidents: Notifications are posted via our official blogs, forums, and social media channels.
For incidents specific to an individual user or organization: We send direct notifications via email to the primary registered email address of the organization’s administrator.

Customers are kept fully informed, based on the nature and scope of the incident.

Breach Notification

If Workway acts as a data controller, we promptly notify the relevant Data Protection Authority in accordance with the timeline specified by applicable regional laws. We adhere to all global compliance obligations and prioritize swift communication in case of a breach.

Responsible Disclosures

Vulnerability Reporting Program

Workway runs a Vulnerability Reporting Program that encourages security researchers to report potential vulnerabilities responsibly.

We are committed to:
Verifying and reproducing reported issues
Responding promptly to researchers
Implementing appropriate fixes based on severity

Contributions that help improve our platform’s security are recognized and rewarded where applicable.

Vendor Evaluation and Management

Workway evaluates and qualifies vendors through a defined Vendor Management Policy. Before onboarding any new vendor, we:
Understand their service delivery processes
Perform detailed risk assessments
Verify their operational security practices

We establish binding agreements requiring vendors to uphold the same confidentiality, availability, and integrity commitments we provide to our customers.

Periodic reviews and audits of vendor controls are conducted to ensure ongoing compliance with our security standards.

Customer Controls for Security

What Customers Can Do:

Awareness, vigilance, and good security hygiene are critical parts of maintaining a secure Workway experience.

Shared Responsibility

Security in the cloud is a shared responsibility between Workway and our customers:

Workway provides the secure infrastructure, application security, and operational protections.

Customers protect their individual accounts, access, and data management practices.

Together, we create a secure, trusted, and resilient environment.

Conclusion

The security of your data is your fundamental right — and a never-ending mission for Workway. We are committed to working tirelessly to protect your information, today and every day, as we continue to evolve and strengthen our defenses.

For any further questions or concerns about our security practices, please refer to our FAQs or reach out to us at:

[email protected]