Maximize security and privacy.
Workiva utilizes numerous measures to ensure the utmost in data security and privacy.
Committed to Compliance.
Compliance Certifications and Memberships
|SOC 1 Type II||
SOC Reports demonstrate and verify that Workiva implements consistent and dependable security measures and controls as a host and processor of our customers' data.
To meet specific customer year end requirements Workiva provides SOC 1 reports with varying control periods.
|SOC 2 Type II||Workiva SOC 2 Type II also covers HIPAA controls; is unqualified with a reporting period from November through October.|
Workiva is ISO/IEC 27001:2013 certified.
Under the Federal Risk and Authorization Management Program, Workiva has achieved FedRAMP Moderate.
|HIPAA||Workiva enables covered companies subject to the Health Insurance Portability and Accountability Act of 1996 in the United States (HIPAA) to use Workiva's cloud productivity platform to mitigate risk, improve productivity, and give users confidence in data-driven decisions.|
|Cloud Security Alliance||
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.
Customer data is stored in secure facilities, on secure servers, and within secure applications. Workiva office locations have no data centers or access to data centers. Workiva maintains appropriate security personnel for the facilities. Workiva office locations are restricted access facilities with appropriate door access. Badge access is required to enter and exit the building, with additional access required to secure areas. Visitors are required to sign in, sign a confidentiality agreement, and be escorted in secure access areas. Cameras monitor the office locations. Restricted areas have additional controls including secure document handling, screen protection to mitigate shoulder surfing, and additional badge access. Rooms that store telecommunication and network equipment are kept locked, and alarmed.
Workiva has partnered with Google and Amazon for infrastructure and cloud services. Workiva runs on Google App Engine (GAE) commonly referred to as PaaS (Platform as a Service). Workiva utilizes Amazons Web Services (AWS) for IaaS (Infrastructure as a Service).
|Data Hosting Location||To ensure compliance for our customers' data; Workiva Platform offers three different data physical storage locations. Data center locations in Asia Pacific, North America and Europe.|
|Dedicated Security Team||Workiva has a security program and dedicated team with a CISO.|
|Network Vulnerability Scanning||Workiva utilizes various internal security tools to perform weekly internal network vulnerability scans against all production environments. Additionally, external networks scans are performed using open source tooling as a routine part of our third-party penetration tests.|
|Third-Party Penetration Tests||In addition to our internal testing, Workiva engages a third-party security firm to perform vulnerability and penetration testing twice a year.|
|Security Incident Event Management||Workiva utilizes security information and event management (SIEM tool). Workiva’s Information Security Team reviews logs and alerts for performance and security considerations including logs relating to authentication, endpoint, web application, and more.|
|Intrusion Detection and Prevention||Workiva deploys Next Generation AV to all user endpoints and Windows infrastructure to provide active threat protection against known and emerging threats. Additionally, Cloud Security Posture Management and Cloud Workload Protection tools are deployed across the application infrastructure to provide host based intrusion detection. The Workiva Platform leverages logging capabilities and supporting systems to monitor for potential threats. Within the application, customers can review the logs and set up alerts to be emailed if certain activities occur, such as a failed login attempt or if a document has been downloaded or exported.|
|DDoS Mitigation||Workiva leverages a Web Application Firewall (WAF) to perform ingress filtering at the network boundary and prevents direct access to internal resources through the use of private, Virtual Private Clouds (VPCs). Additionally, solutions are used to provide Distributed Denial of Service (DDoS) protection for all applications running in the cloud environment.|
|Security Incident Response||Workiva has an established Incident Response Policy, standard and procedures which outlines actions, notification, and steps for remediation in the event of any type of incident beyond normal business operations. This plan is tested annually for security events.|
|Encryption in Transit||Workiva uses TLS versions 1.2 and 1.3 with digital certificate identification. In addition Workiva platform utilizes HTTP Strict Transport Security (HSTS) for further protection.|
|Encryption at Rest||All Workiva Platform data is stored encrypted with Advanced Encryption Standard (AES) 256-bit algorithm.|
|Uptime||Workiva provides status through our website https://status.workiva.com/. Through our SLA within contracts Workiva commits to a 99.5% uptime.|
|Redundancy||Workiva relies on multiple data centers and office locations to provide operational redundancy. We ensure reliability by distributing and replicating data across our multiple systems in case of failure at any single point.|
|Disaster Recovery||The Workiva Platform includes high availability through our redundant infrastructure.|
|Secure Code Training||Workiva has mandatory security education training for anyone with access to Workiva systems. Training is required at the initial time of access and on an annual basis thereafter. Training includes policies, standards, confidentiality and privacy, physical security, system security, acceptable use, social engineering and other items.|
|Framework Security Controls||Workiva leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.|
Workiva's detailed change control process dictated by the Information Security Policy applies to all changes to the environment, including configuration, operating system, and application updates. New versions of Wdesk, or updates designated for release, are moved from the development environment and staged within a mirrored production environment where our Quality Assurance Team performs rigorous system, integration, regression, and acceptance testing. This environment is also where ongoing penetration testing and vulnerability scanning is performed.
Security is part of all phases of product development. Code pertaining to session management, access control, APIs that perform cross-platform calls, authentication, input validation, output encoding, secure transmission, audit logging, file uploads, XSS/CSRF protection, or encryption/hashing has security review either by the InfoSec team or developers trained and authorized in security review. Code changes and additions are tracked, reviewed, and approved by security production release. The Information Security Team utilizes OWASP Top 10 among other industry standards for secure coding.
Great care is taken during the design and prototyping phases of any feature set to identify architecture and implementation that may require security consideration. New feature sets requiring security consideration are subject to code review and approval prior to production release.
|Separate Environments||Development and Testing environments are separated from the Production environment. Additionally, segregation of duties principles are implemented throughout Workiva to enforce checks and balances and minimize risk.|
|Dynamic Vulnerability Scanning||Workiva has configured a Dynamic Application Security Testing (DAST) tool to perform regularly scheduled dynamic vulnerability scanning. In addition to automated scanning, Workiva performs security testing as a part of the SDLC release process.|
|Static Code Analysis||Workiva has configured a Static Application Security Testing (SAST) tool to perform regularly scheduled scans to identify potential weaknesses in application code. In addition to automated scanning, Workiva performs secure code reviews as a part of the SDLC release process.|
|Third-Party Penetration Testing||In addition to our internal security testing, Workiva engages a third-party security firm to perform vulnerability and penetration testing twice a year.|
|Responsible Disclosure / Bug Bounty Program||
Workiva leverages a bug bounty platform, which maintains a curated set of active professional security researchers who provide continuous security coverage of the Workiva Platform. Workiva also maintains a security.txt page to direct interested external parties on responsible disclosure.
User access is governed by a membership into an Organization, and then memberships into Workspaces, where content is stored and managed. Additionally, content can be permissioned to both an individual, or to a workspace group. Through our administration application, customers can self-administer usernames, passwords, and password policies.
Authentication features within the platform also include:
|Configurable Password Policy||
The Workiva platform has a minimum standard of sixteen characters with no restrictions on special numbers or special characters. We added a new password meter to show strength of user password. This meter is not enforced on our side. We also now check passwords against publicly known breached passwords. These changes were made to align more closely with OWASP Application Security Verification Standard 4.0.
|Multifactor Authentication (MFA)||The Workiva platform multi-factor authentication will take place via email. After setting new password, users will receive an email with a 6-digit code. Users will be required to supply the 6-digit code back to Workiva to complete the login flow. We have plans to re-introduce time-based one-time passwords (TOTP) through apps such as Google Authenticator, Microsoft Authenticator, Duo Authenticator, or Okta Verify.|
|Role-Based Access Controls||
Within the Workiva platform, role assignments can be utilized to gatekeep access to features and functionality. Every member of a workspace has a role, each with its own level of access to features. Based on the solution set for a workspace, you’ll have access to different roles.
Feature Specific Roles:
The Workiva platform administrative application contains logic that allows customers to manager users through security settings for authentication and a granular permission system for access to data.
Workiva recommends customers use Single Sign On and can integrate with a SCIM through the SAML 2.0 protocol.
Workiva also offers customers
|Email Signing (DKIM/DMARC)||The Workiva Platform signs outbound messages with DKIM, adheres to a hardfail SPF policy, and runs DMARC in reject mode. Data and attachments are never directly sent within Workiva Platform notifications. Workiva sends all notifications from a fixed set of dedicated IP addresses, and we strongly encourage customers to disable any types of message checking or filtering against messages originating from our platform.|
Human Resources Security
|Policies||Workiva has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to Workiva information assets.|
|Training||Workiva has mandatory security education training for anyone with access to Workiva systems. Training is required at the initial time of access and on an annual basis thereafter. Training includes policies, standards, confidentiality and privacy, physical security, system security, acceptable use, social engineering and other items.|
|Background Checks||Workiva conducts background checks to the extent allowed by law for all employees in accordance with local laws and regulations. The background check includes a federal criminal record check, employment, education, and references verification.|
|Confidentiality Agreements||Workiva has a non-disclosure agreement with employees and third-parties with logical access to systems and/or information with the classification of Public, Private, Sensitive, and or Restricted, as outlined in the Information Classification Standard.|