Security
Worksavi places the security and confidentiality of our customer’s data in the highest regard and employ the following measures of protection.
Securing your Data
All our customer data is hosted on Amazon AWS infrastructure. With AWS, our customers will gain the control and confidence needed to securely run their businesses with the most flexible and secure cloud computing environment available today.
Our customers will benefit from AWS data centres and a network architected to protect their information, identities, applications, and devices. That infrastructure will improve their ability to meet core security and compliance requirements, such as data locality, protection, and confidentiality with our comprehensive services and features.
WorkSavi have full control of your data stored with us and who can access it.
Data Centre Security
AWS employ a robust physical security program with multiple certifications, including an SSAE 16 certification. For more information on Amazon’s physical security processes, please visit aws.amazon.com/security.
Application Level Security
- Robust Authentication system
WorkSavi use a robust user authentication process by using “providers” and “guards” to facilitate the authentication process. The purpose of “guards” is to authenticate users for each request they make, while “providers” facilitates to retrieve back the users from the database.
- Reduce Vulnerabilities From CSRF (Cross Site Request Forgery)
WorkSavi application typically uses CSRF tokens to make sure that external third parties couldn’t generate fake requests and should not breach the Application security vulnerabilities.
- SQL Injection
WorkSavi Application Eloquent ORM uses PDO binding that protects from SQL injections. This feature ensures that no client could modify the intent of the SQL queries.
Security in the Software Development Lifecycle
WorkSavi uses the git revision control system. Changes to code base go through a suite of automated tests and are reviewed and go through a round of manual review. When code changes pass the automated testing system, the changes are first pushed to a staging server wherein WorkSavi employees are able to test changes before an eventual push to production servers and our customer base. We also add a specific security review for particularly sensitive changes and features. Our engineers also have the ability to “cherry pick” critical updates and push them immediately to production servers.
Monitor and Backup
Every time you update anything in WorkSavi, your input is encrypted and backed up to multiple data centre availability zones. This means that all data is written to multiple disks instantly, backed up daily, and stored in multiple locations. Files that our customers upload are stored on servers that use modern techniques to remove bottlenecks and points of failure. Redundant hosting means you get instant access, no matter where you are. Our systems are engineered to stay up even if multiple servers fail.
WorkSavi have access to data and actionable insights to monitor our Infrastructures.
- Respond to system wide performance changes
- Optimise resource utilisation
- Get a unified view of operational health
WorkSavi fully managed backup service that makes it easy to centralise and automate the backup of data across all Platforms and infrastructure.
- Daily backup and retained for 30 days
- Configure backup policies
- monitory backup activity
- Encrypt backup
Monitor | Modify | Restore
Every interaction you have with WorkSavi is encrypted via HTTPS. This means that whenever your data is in transit between you and us, everything is encrypted, and sent securely. Any files which you upload to us are stored and are encrypted at rest. Any project data (i.e., comments, tasks, and allocations) are encrypted at the database level using AES 256 encryption. Our backups of your data are also encrypted using AES 256.
WorkSavi cyber security best practices and security policies
Worksavi employees are aligned with the security practices and follow inhouse rules as below;
- Firewall
- Physical Security Precautions
- Email Threats
- 2FA – Two-Factor authentication system
- SSH Access only to Servers
- Enforce safe password practices
- Install anti-malware software
- Unsecured Devices
In June WorkSavi had a Well-Architected Framework Review (WAFR) by an external AWS Approved Consultancy. Findings were highlighted and recommendations were implemented. We hold regular reviews of our Architecture and infrastructure covering;
- Operational Excellence
- Security
- Reliability and back-up
- Performance Efficiency
- Cost Optimisation
Stripe Payment
WorkSavi uses Stripe’s products to power payments for all online transactions.
Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry. To accomplish this, we make use of best-in-class security tools and practices to maintain a high level of security at Stripe.
Stripe forces HTTPS for all services using TLS (SSL), including our public website and the Dashboard.
- Stripe.js is served only over TLS
- Stripe’s official libraries connect to Stripe’s servers over TLS and verify TLS certificates on each connection
Stripe regularly audit the details of our implementation: the certificates they serve, the certificate authorities used, and the ciphers they support. Stripe use HSTS to ensure browsers interact with Stripe only over HTTPS.
Encryption of sensitive data and communication
All card numbers are encrypted at rest with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons are able to obtain plaintext card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure, and doesn’t share any credentials with Stripe’s primary services (API, website, etc.).
GDPR – General Data Protection Regulation
Compliance with and to international law and regulations are very important to us. The GDPR (General Data Protection Regulation) is an essential piece of legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union. We fully support the GDPR and you can read more in our Privacy Policy.