Security

WorkflowMAX is committed to security and focused on keeping your data and your credentials safe. We use industry-leading security practices to secure your data.

Hosting and Physical Security

WorkflowMAX is hosted in a secure Amazon Web Services (AWS) cloud environment, in an Australian data centre. AWS works hard to provide customers the best security and protection for their data, and security is built right into their platform.

AWS servers are housed in secure data centres, with access strictly controlled and limited to authorised personnel. AWS is committed to best security practices and compliance with a broad range of standards to meet national, regional, and industry-specific requirements. AWS complies with various security standards, including but not limited to:

Compliance and Privacy

To keep your data secure and private, WorkflowMAX stores users' private data encrypted using AES 256-bit encryption. Encryption keys are unique for every user; our employees do not have access to them and cannot decrypt users' most sensitive data. Only the lead system administrators have administrative access to WorkflowMAX virtual machines and database servers.

WorkflowMAX complies with the European Union's General Data Protection Regulation (GDPR). AWS has in place a comprehensive Data Processing Addendum that adheres to the GDPR requirements, including the Standard Contractual Clauses (2010/87/EU, also known as Model Clauses). These clauses provide a solid framework for transferring personal data outside the European Economic Area in a manner that is compliant with the GDPR.

When our customers' personal data is transferred from the EU to Australia while using our services, the AWS Data Processing Addendum applies. This means that WorkflowMAX, alongside its customers, operates on AWS infrastructure in full compliance with GDPR. The AWS Data Processing Addendum is integrated within the AWS Service Terms and takes effect automatically to the extent that the GDPR is applicable to the processing of personal data.

Billing & Payment Data

WorkflowMAX is committed to maintaining the highest standards of payment security. We have partnered with Stripe, a leading online payment processing platform known for its advanced security measures and compliance with the most stringent industry standards – including:

Retention and Deletion of User Data

WorkflowMAX maintains a definitive policy for the retention and deletion of user data, ensuring alignment with industry standards and regulatory requirements. Our commitment extends to safeguarding personal information and upholding our users' rights to data privacy.

In adherence to our principle of data minimisation, user data is only retained as long as an account is in good financial standing. Data deletion is an integral aspect of our data management process. Upon a user's request, or 12 months after an account becomes financially inactive, all personal data associated with that account undergoes a secure deletion process.

Backups

WorkflowMAX employs a thorough backup strategy to prevent data loss and ensure business continuity. Our backups are performed regularly and are encrypted using AES 256-bit encryption to secure data at rest. Backup data is stored in multiple geographically dispersed data centres provided by AWS to ensure redundancy and availability.

Network Security

WorkflowMAX is securely hosted within an AWS Virtual Private Cloud (VPC). The VPC provides a logically isolated section of the AWS Cloud where all the virtual machines running the WorkflowMAX service are safeguarded by robust firewall and routing rules. We ensure that only the ports essential for the operation of WorkflowMAX are open, providing a secure environment for our application.

Access to WorkflowMAX is exclusively available through HTTPS, employing Transport Layer Security (TLS) 1.3 to encrypt all traffic between your browser and our servers. TLS 1.3 restricts connections to modern cryptographic techniques: the X25519 key exchange algorithm, which offers improved security and performance, and AES-128-GCM for symmetric encryption, which provides a high level of security and efficiency.

Vulnerability Scans

To maintain a strong security posture, WorkflowMAX conducts vulnerability scans of our infrastructure and application. We use industry-leading tools to proactively identify and remediate potential security weaknesses. The results of these scans inform our ongoing security strategy and are part of our commitment to continuous improvement in protecting our clients' data.

Integration Authentication

WorkflowMAX securely integrates with data sources using OAuth 2.0, avoiding the need to store your credentials on our servers. OAuth access can be revoked at your discretion. All corresponding tokens are encrypted with AES-256, ensuring the security of your data across all integrations.

Authentication

WorkflowMAX can be accessed securely using a username and password. Passwords must meet complexity criteria, including a minimum length and the use of upper- and lower-case letters, numbers, and special characters. We utilise a robust hashing mechanism to secure passwords: instead of storing actual passwords, we store only secure hashes on our servers, ensuring the safety of your credentials. For enhanced security, multi-factor authentication (MFA) is mandatory when an account is integrated with an accounting platform and can be optionally enabled for users whose account is not integrated with one.
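As an added illustration of the two controls described above (a password complexity check and storing only a salted, slow hash rather than the password itself), the following Python example is not WorkflowMAX's own code: the page does not name the hash algorithm or the exact policy numbers, so PBKDF2-HMAC-SHA256, the 600,000-iteration count, the 16-byte salt and the 12-character minimum are assumptions chosen to match common guidance, and the storage format is a constructed one.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional

# Assumed policy and hashing parameters (the page states the criteria, not the numbers).
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000   # slow on purpose: raises the cost of offline guessing
SALT_BYTES = 16               # per-password random salt defeats precomputed tables
ALGORITHM = "pbkdf2_sha256"


def check_password_policy(password: str) -> List[str]:
    """Return the list of unmet complexity requirements; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 digest and return a self-describing record.

    Constructed record layout: algorithm$iterations$salt_hex$digest_hex. Only this record is
    stored; the password itself never is. Storing the parameters alongside the digest lets the
    iteration count be raised later without invalidating existing records.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{ALGORITHM}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: treat as a failed login rather than crashing
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def register(password: str) -> str:
    """Enforce the policy at sign-up, then return the record to persist for this user."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    # Constructed sample credential, used only to show the flow end to end.
    record = register("Correct-Horse-9-Staple")
    print("stored record:", record)
    print("login with correct password:", verify_password("Correct-Horse-9-Staple", record))
    print("login with wrong password:  ", verify_password("Correct-Horse-9-Stable", record))
```

Because each record carries its own random salt, hashing the same password twice yields two different records, so a database leak cannot reveal which users share a password, and the verify step reads the salt and iteration count back from the record rather than from global constants.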

Development Process

Our commitment to security and privacy starts from the inception of the application development lifecycle. In the initial phase of gathering requirements, security and privacy considerations are ingrained. By doing so, we establish a robust foundation for the application's security posture from day one.

Our dedicated Quality Assurance (QA) team is pivotal in safeguarding the integrity of our releases. They conduct comprehensive functional testing within isolated test environments, ensuring that each iteration of our product meets our high standards for quality and security. Following deployment, we carry out smoke testing in the production environment to verify the successful integration of new releases.

The architecture of our development pipeline features a strict separation between testing, staging, and production environments, both physically and logically. This segregation ensures that the live service data remains uncompromised and secure. The development and test environments operate exclusively on sanitised datasets that simulate real-world scenarios without exposing actual user data, thus preserving the confidentiality and integrity of our service data.

Company Policies

WorkflowMAX developers are experienced and trained in secure coding, and WorkflowMAX's code includes measures for minimising and mitigating security risks and breaches. The WorkflowMAX team regularly conducts automated security tests and checks for vulnerabilities.

Additional Resources

Terms of Use

Privacy Policy

Data Processing Addendum

Questions?

Contact support@workflowmax.com