Data protection. Ensure sensitive information is only accessible to authorized individuals, with encryption, access controls, and regular audits to prevent unauthorized access.
Need-to-know basis. Limit access to sensitive information to those who require it to perform their job functions.
Data accuracy. Ensure information remains accurate, complete, and consistent over its lifecycle, with checks and validation mechanisms to prevent unauthorized alterations.
Non-repudiation. Establish mechanisms that prevent entities from denying actions they have performed.
Data accessibility. Ensure information and systems are available to authorized users when needed, with minimal disruption.
Disaster recovery. Develop and maintain disaster recovery plans to quickly restore operations in the event of an outage or data loss.
Responsibility. Clearly define roles and responsibilities for security and privacy within the organization, so that employees understand their obligations and the consequences of non-compliance.
Auditability. Implement logging and monitoring to ensure system actions are traceable, allowing for auditing and investigation if needed.
Open communication. Communicate clearly with customers, employees, and stakeholders about how data is collected, stored, used, and protected.
Policy disclosure. Provide access to privacy and security policies outlining practices, rights, and any third-party data sharing.
Limited data collection. Collect only the data necessary to fulfill specific purposes and avoid over-collection of data that could increase security and privacy risks.
Retention policies. Implement policies to securely dispose of data that is no longer needed.
Specific use cases. Use collected data only for specified purposes, with any deviation requiring explicit consent from the data subjects.
Consistent application. Ensure data is not repurposed or shared beyond the original intent without proper authorization.
Consent and choice. Empower users with control over their data, including the ability to provide or withdraw consent for specific uses of their data.
Data access and correction. Allow users to access, correct, and delete their personal data as required by regulations such as GDPR or CCPA.
Proactive security. Integrate security considerations into the design and development of systems and processes rather than treating security as an afterthought.
Continuous improvement. Regularly update and improve security measures in response to emerging threats and vulnerabilities.
Regulatory adherence. Ensure all security and privacy practices comply with relevant laws, regulations, and industry standards, such as GDPR or PCI-DSS.
Regular audits and assessments. Conduct regular compliance audits and risk assessments to identify and address potential gaps.
Preparedness. Develop and maintain an incident response plan to quickly detect, respond to, and recover from security breaches.
Timely notification. Establish protocols for notifying affected individuals and regulatory bodies in the event of a data breach, in accordance with legal requirements.
Fairness and respect. Use data in ways that are fair, ethical, and respectful of individual rights, and avoid practices that could harm individuals or groups.
Non-discrimination. Ensure data use doesn’t cause discrimination and bias, especially in areas like AI and machine learning.
Our multi-tenant storage strategy isolates tenants at the database level: one customer per database, with no customer data sharing a database with another customer's. In addition, every customer's database is encrypted at rest:
On the server, using Transparent Data Encryption (TDE).
On devices, using an encryption certificate that is unique to each device.
To protect data in transit, WorkEasy Software uses TLS 1.2 or higher wherever data is transmitted over potentially insecure networks. Server TLS private keys and certificates are deployed on the Application Load Balancers that terminate client connections.
WorkEasy Software performs penetration testing at least annually. All areas of our software and infrastructure are in scope for these assessments.
WorkEasy Software requires vulnerability scanning at critical stages of our Secure Development Lifecycle (SDLC). Here are the checks we run and what each one protects against.
Dependency scanning. We scan project dependencies for known vulnerabilities listed in public databases such as the National Vulnerability Database (NVD), checking whether any library or package we use, directly or transitively, has a published security issue.
Advisories and patches. We track security advisories for the components we use and, where a fix exists, upgrade to the patched version or switch to a more secure alternative.
Security issues in code. We analyze source code to detect common security issues like SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities.
Security hotspots. We identify sections of code that may require extra security review but aren't necessarily vulnerabilities. These could be areas where sensitive operations occur.
License compliance. We check for open-source licenses to ensure we comply with legal and organizational requirements.
Code smells. We detect patterns in the code that indicate deeper issues (e.g., overly complex methods, duplicated code, or poor naming conventions), which may not be immediately problematic but could lead to bugs or maintenance challenges.
Bugs. We identify potential code bugs that could cause unintended behavior, such as null pointer dereferences, logic errors, or incorrect API usage.
Technical debt. We quantify technical debt by evaluating how much effort would be required to fix problems with code quality. This helps teams prioritize refactoring efforts.
Code coverage. We integrate this with testing tools to measure how much of the code is covered by automated tests, helping ensure that critical parts of the code are tested.
Coding standards. We enforce quality coding standards by checking against predefined rulesets or custom rules defined by the organization, ensuring consistent and maintainable code.
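The dependency-scanning and advisory-matching steps above reduce to one decision: for each exactly pinned package, is the installed version inside any advisory's affected range, and if so, what is the nearest fixed release? The following is an added example of that logic, not WorkEasy Software's own tooling. The lockfile and the advisory records (ids of the form EXAMPLE-2024-000n) are constructed for illustration; real feeds such as OSV or the NVD carry more complex version grammars than the plain dotted releases handled here.

```python
"""Minimal dependency scanner: pinned packages matched against an advisory feed.

Added example, not WorkEasy Software's code. Advisory records and the lockfile
below are constructed; they are not real advisories or real projects' pins.
"""
import re


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.'
    to a single dash, so 'Flask_Login' and 'flask-login' are the same package."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> tuple:
    """Turn '2.19.0' into (2, 19). Only plain dotted numeric releases are accepted;
    pre-releases or local versions raise so the scan fails loudly instead of
    silently skipping a package. Trailing zeros are dropped so 5.4 == 5.4.0."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version syntax: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def parse_lockfile(text: str) -> dict:
    """Parse 'name==version' lines from a pip-style lock file.
    Comments and blank lines are ignored; anything that is not an exact pin is
    rejected, because a scanner can only make claims about exact versions."""
    pinned = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][0-9.]*)", line)
        if not m:
            raise ValueError(f"not an exact pin: {line!r}")
        pinned[normalize_name(m.group(1))] = m.group(2)
    return pinned


def affected_range(version: str, ranges: list):
    """Return the first advisory range containing `version`, else None.
    A range is the half-open interval [introduced, fixed); a missing 'fixed'
    means no patched release exists yet."""
    v = parse_version(version)
    for r in ranges:
        lo = parse_version(r.get("introduced", "0"))
        hi = r.get("fixed")
        if v >= lo and (hi is None or v < parse_version(hi)):
            return r
    return None


def scan(lockfile_text: str, advisories: list) -> list:
    """One finding per (package, advisory) hit, carrying the fixed version of the
    matching range so the remediation step knows what to upgrade to."""
    pinned = parse_lockfile(lockfile_text)
    findings = []
    for adv in advisories:
        name = normalize_name(adv["package"])
        if name not in pinned:
            continue
        hit = affected_range(pinned[name], adv["ranges"])
        if hit is not None:
            findings.append({"package": name, "installed": pinned[name],
                             "advisory": adv["id"], "fix": hit.get("fixed")})
    return findings


# Constructed sample input (not a real lock file, not real advisories).
SAMPLE_LOCK = """\
Requests==2.19.0
Flask_Login==0.6.2   # name spelling differs from the advisory; must still match
pyyaml==5.4
"""

SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "requests",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.20.0"}]},
    {"id": "EXAMPLE-2024-0002", "package": "flask-login",
     "ranges": [{"introduced": "0.5.0", "fixed": "0.6.2"}]},  # pinned at the fix
    {"id": "EXAMPLE-2024-0003", "package": "pyyaml",
     "ranges": [{"introduced": "5.0"}]},                      # no fix published
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        fix = f["fix"] or "no fixed release yet"
        print(f'{f["package"]}=={f["installed"]}: {f["advisory"]} (fix: {fix})')
```

Two details matter in practice and are easy to get wrong: the fixed version is itself not affected (the interval is half-open), and the package name must be normalised on both sides before comparison or an advisory for flask-login will never match a pin spelled Flask_Login.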
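The source-code analysis item above names SQL injection as a target. What such a scanner looks for, and why, is clearest with the vulnerable query next to its parameterised form and a small detection rule run over both. The block below is an added example, not WorkEasy Software's scanner; the in-memory SQLite table, the attacker payload and the SAMPLE_SOURCE snippet are all constructed for illustration.

```python
"""SQL injection: vulnerable query, parameterised fix, and a toy SAST rule.

Added example, not WorkEasy Software's code. The user table, payload and the
source snippet scanned by the rule are constructed so the file runs offline.
"""
import ast
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed tenant/user table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, tenant TEXT)")
    conn.executemany("INSERT INTO users (email, tenant) VALUES (?, ?)", [
        ("alice@example.com", "acme"),
        ("bob@example.com", "acme"),
        ("carol@example.com", "globex"),
    ])
    return conn


def find_users_vulnerable(conn: sqlite3.Connection, tenant: str) -> list:
    # Deliberately vulnerable: the tenant name is spliced into the SQL text, so
    # a value such as "acme' OR '1'='1" changes the structure of the query and
    # returns every tenant's users instead of one tenant's.
    rows = conn.execute(f"SELECT email FROM users WHERE tenant = '{tenant}' ORDER BY email")
    return [r[0] for r in rows]


def find_users_safe(conn: sqlite3.Connection, tenant: str) -> list:
    # Parameterised: the driver binds the value separately from the statement,
    # so the same payload is just a tenant name that matches no row.
    rows = conn.execute("SELECT email FROM users WHERE tenant = ? ORDER BY email", (tenant,))
    return [r[0] for r in rows]


PAYLOAD = "acme' OR '1'='1"  # constructed attacker input


def _is_dynamic_sql(expr: ast.expr) -> bool:
    """True when a query expression is assembled at runtime: f-string,
    concatenation / % formatting (both BinOp), or str.format()."""
    if isinstance(expr, (ast.JoinedStr, ast.BinOp)):
        return True
    return (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
            and expr.func.attr == "format")


def flag_string_built_sql(source: str) -> list:
    """Toy SAST rule: line numbers of execute()/executemany() calls whose first
    argument is built dynamically rather than being a string literal. A real
    scanner would also follow variables assigned from such expressions."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args
                and _is_dynamic_sql(node.args[0])):
            hits.append(node.lineno)
    return sorted(hits)


# Constructed code under review: lines 2 and 5 should be flagged, line 8 not.
SAMPLE_SOURCE = '''\
def by_email(conn, email):
    return conn.execute(f"SELECT id FROM users WHERE email = '{email}'")

def by_id(conn, uid):
    return conn.execute("SELECT id FROM users WHERE id = " + str(uid))

def by_tenant(conn, tenant):
    return conn.execute("SELECT id FROM users WHERE tenant = ?", (tenant,))
'''

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_users_vulnerable(db, PAYLOAD))
    print("safe:      ", find_users_safe(db, PAYLOAD))
    print("flagged lines:", flag_string_built_sql(SAMPLE_SOURCE))
```

The rule only inspects the literal argument of the call, which is exactly the limitation a production scanner closes with data-flow tracking; the point here is that the decisive signal is how the query text is constructed, not what it contains.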
All corporate devices are centrally managed and equipped with mobile device management software and anti-malware protection. Endpoint security alerts are monitored with 24/7/365 coverage.
In addition, we use MDM software to enforce secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates.
WorkEasy Software secures remote access to internal resources with a VPN built into our firewall platform. We also route employee DNS queries through malware-blocking DNS servers to protect employees and their endpoints while browsing the internet.
WorkEasy Software ensures that all of our team members receive security training during onboarding and annually. Additionally, every new employee participates in a mandatory live onboarding session emphasizing essential security principles.
New engineers on our teams must also attend a specialized live onboarding session dedicated to secure coding principles and practices.
WorkEasy Software uses the OAuth 2.0 protocol for our identity and access management. We enforce phishing-resistant authentication factors and use two-factor authentication (2FA) wherever possible.
WorkEasy Software employees are granted access to applications based only on their role and are automatically de-provisioned upon termination of their employment.