Security at WorkPerfect
Last Reviewed: May 21, 2026
WorkPerfect is a vendor management system used to coordinate contingent workforce programs, vendor relationships, candidate submissions, timecards, and invoicing. The data our customers entrust to us is sensitive by definition — workforce records, billing information, and the operational decisions made on top of them. Security is therefore a property of the product itself, not a layer added on top, and this page describes how we approach it.
Authoritative compliance status, audit reports, security questionnaires, and policy evidence are published in our Trust Center. The summary below describes the controls and practices that underpin those reports.
Trust Center
WorkPerfect Trust Center — trust.work-perfect.com
The Trust Center hosts current certifications and attestations, the sub-processor list, security questionnaires, and reports available under NDA.
Contact security@work-perfect.com for specific documents that require an NDA or for procurement questionnaires.
Compliance and attestations
Current certifications, attestations, and reports are published in the Trust Center and reflected in our Privacy Policy and Data Processing Addendum. Our practices are designed and operated with broader frameworks in mind, including SOC 2 (Security, Availability, Confidentiality), ISO 27001, GDPR, and US state privacy laws.
WorkPerfect is not designed for, and may not be used to process, data subject to industry-specific regulations such as HIPAA, GLBA, or PCI DSS unless we have separately agreed in writing. See the Terms of Service for the complete acceptable-use position.
Organizational security
Program ownership
Security is owned at the executive level and operated as a continuous program, not a project. Designated personnel are responsible for the information security program, its periodic review, and its alignment with our compliance objectives.
Personnel
- Background checks are completed for personnel with access to production systems, where permitted by law.
- All personnel are bound by written confidentiality obligations covering customer data and Confidential Information.
- Security and privacy training is delivered at hire and refreshed periodically. Role-specific training is provided to personnel handling sensitive responsibilities (engineering, support, infrastructure).
- Acceptable-use, password, and incident-reporting policies are documented and enforced.
Endpoints
- Company-managed endpoints are enrolled in mobile device management (MDM), with security configuration enforced centrally.
- Full-disk encryption and automatic screen lock are required on managed endpoints.
- Access to production systems is performed only from approved, managed endpoints.
Product and application security
Secure development lifecycle
- All production code changes go through pull-request review by a second engineer before merge.
- Branch protection rules prevent direct pushes to protected branches and require status checks to pass.
- Development, staging, and production environments are separated; engineers do not deploy code without going through the documented change-management pipeline.
Automated security checks
- Dependency scanning — Dependabot alerts and security updates are enabled on the application repository, with vulnerable dependencies flagged automatically and remediated through pull requests.
- Static application security testing — GitHub CodeQL analysis runs on the application codebase to surface code-level security issues.
- Secret scanning — GitHub secret scanning with push protection is enabled to prevent committed secrets from reaching the repository, with alerting on any historical findings.
Authentication
- Multi-factor authentication is supported for all Authorized Users, including authenticator apps and WebAuthn / passkey factors.
- Strong password requirements and protection against credential-stuffing are applied to password-based logins.
- Session lifetimes, idle timeout, and trusted-device handling are managed centrally; sessions can be revoked individually or in bulk.
- Administrative access to production systems requires multi-factor authentication.
Authorization and tenant isolation
- Role-based access control governs every action in the application; the principle of least privilege applies to provisioning.
- Tenant data is isolated at the database layer using PostgreSQL row-level security, with application-layer enforcement of tenant scope on every query.
- Audit logs capture privileged and security-sensitive actions and are retained centrally.
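The row-level-security pattern described above, shown as an added example that is not WorkPerfect's own schema or code: the table, column, role and setting names are assumptions. It also shows the failure mode the application-layer tenant scoping guards against: a request that never sets the tenant sees no rows at all rather than every tenant's rows.

```sql
-- Added example: per-tenant isolation with PostgreSQL row-level security.
-- Assumed names: table "timecards", column "tenant_id", role "app_user",
-- session setting "app.tenant_id". Run as the table owner, who must also be
-- a member of app_user (or a superuser) for SET LOCAL ROLE below.
CREATE TABLE timecards (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    worker     text NOT NULL,
    hours      numeric(5,2) NOT NULL
);

-- Enable RLS and FORCE it so that even the table owner is subject to the policy.
ALTER TABLE timecards ENABLE ROW LEVEL SECURITY;
ALTER TABLE timecards FORCE ROW LEVEL SECURITY;

-- The policy reads the tenant from a session setting. The 'true' argument makes
-- current_setting() return NULL (instead of raising) when the setting is unset,
-- so a code path that forgot to scope the request matches zero rows and can
-- insert none, rather than silently seeing every tenant's data.
CREATE POLICY tenant_isolation ON timecards
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Application role: cannot bypass RLS and does not own the table.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON timecards TO app_user;
GRANT USAGE, SELECT ON SEQUENCE timecards_id_seq TO app_user;

-- Per-request pattern: scope inside a transaction with SET LOCAL so the tenant
-- cannot leak to the next request served by a pooled connection.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed id
INSERT INTO timecards (tenant_id, worker, hours)
    VALUES ('11111111-1111-1111-1111-111111111111', 'worker-a', 8.00);
-- Returns only this tenant's rows, whatever the query's WHERE clause says.
SELECT id, worker, hours FROM timecards;
COMMIT;

-- Cross-tenant write attempt: rejected by WITH CHECK with a policy violation error.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO timecards (tenant_id, worker, hours)
    VALUES ('22222222-2222-2222-2222-222222222222', 'worker-b', 8.00);
ROLLBACK;

-- Unscoped session (setting never set): the policy evaluates to NULL, so this
-- returns no rows. Treat an empty result here as a bug to alert on, not success.
SET ROLE app_user;
SELECT count(*) FROM timecards;
RESET ROLE;
```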
Penetration testing
- OWASP ZAP scans are run by our security team against authenticated and unauthenticated surfaces of the production application.
- An independent third-party penetration test has been completed against the production application; findings are tracked through to remediation. Summaries and letters of attestation are available under NDA — contact security@work-perfect.com or request from the Trust Center.
Infrastructure and network security
Hosting
- WorkPerfect runs entirely on Amazon Web Services. The primary region is us-east-1; additional regions are listed in our sub-processor list.
- We rely on AWS for the physical, environmental, and underlying infrastructure security of the data centers we operate within. AWS’s certifications and audit reports are publicly available.
- The application runs on Amazon ECS / AWS Fargate with hardened container images and read-only root filesystems.
Network
- The application, database, and management layers are segregated in private subnets; the database is not directly reachable from the internet.
- Public endpoints sit behind AWS WAF and AWS Shield with bot-control protection.
- All inbound traffic is terminated at TLS 1.2 or higher, with HTTP Strict Transport Security and modern cipher suites enforced.
- Configuration changes to the network and platform are made through Terraform with peer review; nothing is changed by hand in the AWS console as a routine practice.
Data security
Encryption
- In transit: TLS 1.2+ on every external interface; HSTS preload on the marketing site and application.
- At rest: All customer data is encrypted at rest using AWS Key Management Service (KMS). Database snapshots and backups are encrypted using KMS.
- Secrets: Application secrets are stored in AWS Secrets Manager, with access controlled by IAM and audited.
Segregation, retention, and deletion
- Customer data is segregated per tenant by row-level security and never co-mingled across customers.
- Application and security event logs are retained for up to 13 months; database backups for up to 35 days. Full retention details are in the Privacy Policy §6.
- On termination, customer data is deleted or anonymized from the production environment within 90 days, subject to backup rotation and any retention required by law. See DPA §12.
AI and customer data
WorkPerfect uses Amazon Bedrock for limited features such as translation and notification drafting. Customer data and personal information are not used to train foundation models. Per AWS’s Bedrock service terms, AWS does not use customer inputs or outputs to train its underlying models. See the sub-processor list for the complete AWS service inventory.
Vulnerability management
- Dependabot, CodeQL, and secret scanning surface vulnerabilities continuously across application dependencies, code, and committed secrets.
- Security advisories for the runtimes, libraries, and providers we depend on are monitored and acted on by the engineering on-call.
- Findings are triaged and remediated on severity-based timelines; critical issues are addressed on an emergency-patch path.
- Operating system and runtime patches are applied on a recurring cadence and out-of-cycle when material vulnerabilities are disclosed.
Logging, monitoring, and detection
- Amazon CloudWatch is the centralized backbone for application logs, infrastructure metrics, and security event collection.
- Authentication events, administrative actions, and infrastructure changes are logged with retention sufficient for forensic analysis (see Privacy Policy §6).
- Alerting is configured for authentication anomalies, error-rate spikes, infrastructure drift, and WAF events.
- An on-call rotation responds to security and availability alerts around the clock.
Incident response
- WorkPerfect maintains a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review.
- For confirmed personal data breaches affecting customer data, we notify the affected customer without undue delay and within 72 hours, in accordance with DPA §6 and Privacy Policy §8.
- Notifications include the nature of the breach, categories and approximate volume affected, likely consequences, and the measures taken or proposed to address it.
- Every significant incident is followed by a post-incident review, with action items tracked through to completion.
Business continuity and disaster recovery
- The production database is deployed across multiple AWS Availability Zones for high availability.
- Encrypted database backups are stored with off-region replication. Point-in-time recovery is available within the backup retention window.
- Restoration procedures are documented and exercised.
- Specific recovery time and recovery point objectives are made available to customers under their subscription agreements.
Vendor and sub-processor management
- Every sub-processor is reviewed for security and privacy posture before engagement.
- Each sub-processor is bound by a written agreement that imposes data protection obligations no less protective than our own commitments to customers.
- Our current sub-processor list is published at work-perfect.com/sub-processors, and customers can subscribe to change notifications.
- We provide at least 30 days’ prior notice of any material sub-processor change. Customer objection rights are described in the DPA §7.
Privacy
Security and privacy are inseparable. Our handling of personal data is described in the Privacy Policy and, for processing on behalf of customers, in the Data Processing Addendum. Sub-processors that may process personal data on our behalf are listed at work-perfect.com/sub-processors.
Vulnerability disclosure policy
We welcome security research conducted in good faith. If you believe you have found a vulnerability in WorkPerfect, please report it to security@work-perfect.com.
In scope
- Production WorkPerfect application and APIs at app.work-perfect.com and related production subdomains.
- The marketing site at work-perfect.com.
Out of scope
- Denial-of-service or load-generating tests.
- Social engineering of WorkPerfect personnel, customers, or sub-processors.
- Physical attacks against WorkPerfect or its providers.
- Vulnerabilities in third-party services, libraries, or dependencies, except where they materially affect the production application.
- Automated scanning that generates significant traffic without prior coordination.
- Reports based solely on missing best-practice headers or banner-grabbing without a demonstrable security impact.
Safe harbor
We will not pursue legal action against, or request law-enforcement investigation of, researchers who:
- Make a good-faith effort to comply with this policy;
- Avoid accessing, modifying, exfiltrating, or destroying customer data beyond the minimum necessary to demonstrate the vulnerability;
- Do not publicly disclose findings before we have had a reasonable opportunity to remediate; and
- Do not violate other applicable laws.
What to include
- A clear description of the vulnerability and its impact.
- The steps required to reproduce it, including any required preconditions.
- Any proof-of-concept material, with sensitive details redacted.
- The disclosure timeline you are operating to, if any.
Our commitment
- We acknowledge receipt of reports promptly.
- We provide a triage response and severity assessment as quickly as practical, prioritized by severity and exploitability.
- We keep researchers informed of remediation progress.
- We are happy to credit reporters who wish to be named, on request.
WorkPerfect does not currently operate a paid bug bounty program.
Contact
WorkPerfect Co
Security and vulnerability disclosures: security@work-perfect.com
Privacy, data subject rights, and DPA questions: privacy@work-perfect.com
Trust Center: trust.work-perfect.com