WorkMax Security


Data Center and Physical Facilities

Server Infrastructure - WorkMax servers are hosted at facilities compliant with ISO 27002, NIST SP 800-53, COBIT (Control Objectives for Information and related Technology), and CSA-CCM (Cloud Security Alliance Cloud Controls Matrix). Our facilities feature 24-hour manned security, video surveillance, and physical locks. The co-location facilities are powered by redundant power feeds, each with UPS and backup generators. All systems and networked devices are constantly monitored by both WorkMax and the co-location providers. Access is strictly limited to key personnel on a need-to-know basis.

Content Delivery Network (CDN) - WorkMax provides the most advanced CDN technology available. Intelligent routing directs you to our closest data center worldwide, and content optimization and smart caching ensure that your content loads blazing fast.

Network

Security Team - Our Security Team is on call 24x7x365 to respond to security alerts and events.

Protection - Our network is protected by multiple layers of firewalls, best-in-class router technology, secure HTTPS transport over public networks, regular audits, and network intrusion detection/prevention technologies (IDS/IPS) that monitor and block malicious traffic and network attacks.

Architecture - Our network security architecture consists of multiple security zones of trust. More sensitive systems, like our database servers, are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls apply. DMZs are used between the Internet and the internal network, and internally between the different zones of trust.

Network Vulnerability Scanning - Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.

Incident Management System - An incident management system gathers extensive logs from important network devices and host systems. The Security team is immediately notified with the event details and responds to these events.

Intrusion Detection and Prevention - Major application data flow ingress and egress points are monitored with Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS). The systems are configured to generate alerts when event counts or values exceed predetermined thresholds, and they use regularly updated signatures based on new threats. This includes 24x7x365 system monitoring.

Risk Management Assessment and Procedures - WorkMax participates in frequent risk management assessments. As a team, we determine any potential risks and take the appropriate action to mitigate them.

DDoS Mitigation - WorkMax understands the importance of being protected from Distributed Denial of Service (DDoS) attacks. We have multiple systems in place to mitigate DDoS attacks.

Logical Access - Access to the WorkMax Production Network is restricted on an explicit need-to-know basis, follows least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the WorkMax Production Network are required to use multiple factors of authentication.

Security Incident Response - In case of a system alert, events are escalated to the appropriate team, 24x7x365. Our employees are trained on security incident procedures, including the correct communication avenue to resolve all issues most efficiently.

Encryption and Availability

Encryption in Transit - Communications between you and WorkMax servers are encrypted via industry best practices.

Secure Sockets Layer (SSL) and Transport Layer Security (TLS):

- Issued by DigiCert SHA2 RSA Secure Server CA

- 2048-bit signatures, providing up to a 256-bit encryption key for data transfer

- 99.9% Browser Recognition

Uptime - WorkMax maintains a publicly available system-status webpage that includes system availability details, scheduled maintenance, service incident history, and relevant security events.

Disaster Recovery - Our disaster recovery program ensures that our services remain available or are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating disaster recovery plans, and testing.

Advanced Disaster Recovery - With advanced disaster recovery, the entire system is replicated in a secondary site to support taking over the service if the primary site becomes fully unavailable.

Application

Security Training - At least annually, engineers participate in secure code training. This training covers OWASP Top 10 security flaws, common attack vectors, and WorkMax security controls.

Quality Assurance - Our QA department reviews and tests our code base. Several dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.

Separate Environments - Testing and staging environments are separated physically and logically from the production environment. No actual customer data is used in the development or test environments.

Dynamic Vulnerability Scanning - We employ a number of third-party, qualified security tools to continuously scan our application. WorkMax is scanned frequently against the OWASP Top 10 security flaws. Our in-house product security team tests and works with the engineers to remediate any discovered issues.

Static Code Analysis - Our source code repositories, for both our platform and mobile applications, are continuously scanned for security issues.

Security Penetration Testing - WorkMax employs in-house and third-party security experts to perform granular penetration tests.

Product

Authentication Options for admins/users:

- Password Secured

- Role-based Access

Configurable Access Policies - WorkMax allows you to set granular user and group access policies. Only approved users can modify these policies.

Secure Credential Storage - WorkMax follows secure credential storage best practices by never storing passwords in human readable format, and only as the result of a secure.....

API Security & Authentication - The WorkMax API is SSL-only, and you must be a verified user to make API requests. You can authorize against the API using either basic authentication with your username and password, or a username and API token. OAuth authentication is also supported.

Transmission Security - All communications with WorkMax servers are encrypted using industry standard HTTPS. This ensures that all traffic between you and WorkMax is secure during transit.

Device Approval and Tracking - WorkMax tracks the devices used to sign in to each user account. When someone signs in to an account from a new device, it is added to the device list in that user's profile. That user can get an email notification when a new device is added, and should follow up if the activity seems suspicious.

Additional

Policies - WorkMax has developed a comprehensive set of security policies covering a range of topics. These policies are shared with, and made available to, all employees and contractors with access to WorkMax information assets.

Training - All new employees attend Security Awareness Training, and the Security Team provides security awareness updates via email, blog posts, and presentations during internal events.

Proactive Versus Reactive - WorkMax is dedicated to providing the best experience to our customers in all areas. Our approach of strongly investing in being proactive allows us to achieve this goal.

Confidentiality Agreements - All new hires are screened through the hiring process and required to sign Non-Disclosure and Confidentiality agreements.