Compliance and Certifications
Wokflow is PCI-DSS compliant. We are held to the same rigorous security standards as your bank.
Data At Rest / Infrastructure
Passwords are hashed using PBKDF2 and salted to make rainbow table attacks more difficult. Customer data is stored in Google Cloud Platform (GCP), which is ISO 27001, SOC2 and CSA STAR compliant. Google Cloud encrypts all data at rest by default. See a full list of certifications here.
Data is never sent in plaintext. All web traffic is sent over Transport Layer Security (TLS) with HSTS for privacy and security. Inter-data center communication is automatically encrypted in Google Cloud, and encrypted inter-service communication can remain secure even if the network is tapped or a network device is compromised.
Servers are firewalled and regularly updated with the latest security patches. All code is peer-reviewed before deployment. For access controls, we follow principles of least privilege.
Infrastructure is kept as code using Terraform and other infrastructure-as-code tools, with changes going through a process very similar to the application-level software development process. We make use of separate infrastructure for development, staging and live environments, with no sharing of data between environments.
All of our production infrastructure is built with redundancies in place, in highly-available configurations spread over multiple availability zones in Google Cloud.
We do extensive monitoring of infrastructure and application performance, which usually allows us to detect issues before many customers experience them. Automated alerts are set up with an on-call schedule with escalations. In case an issue isn't acknowledged within 10 minutes, it's escalated to all other members of the devops team.
Security questions or issues?