Security

Your security is our greatest priority. This page outlines the procedures and precautions we take when handling your data.

Workbasehr.com Overview

Workbasehr.com is a cloud-based human resource management application built from the ground up to meet the specific needs of small and growing support teams. Workbasehr.com is available through any web browser, whether on your desktop or mobile device, so support teams around the world can engage with their customers anytime, anywhere. Since Workbasehr.com is a cloud application, we handle the infrastructure to ensure that your data is safe and secure. With no headaches around installing hardware or software, companies using Workbasehr.com can focus on supporting their customers.

Workbasehr.com's Commitment to Trust

Trust is a core principle of Workbasehr.com. We're committed to building reliable and secure systems that you can depend on for your business. And we're committed to transparency around our operations at our Trust Site so you can provide the highest level of support.

Security Framework Compliance and Auditing

Workbasehr.com leverages DigitalOcean (DO) and Amazon Web Services (AWS) for our computing and storage infrastructure. AWS has achieved ISO 27001 certification and has successfully completed multiple SSAE 16 audits. For more details on DO security, please refer to https://www.digitalocean.com/security/. For more details on AWS security, please refer to http://aws.amazon.com/security/.

Physical Security of Facilities

Workbasehr.com employees do not have physical access of any kind to our production facilities, as all of our infrastructure is in the cloud at DO and AWS.

DO and AWS data centers are housed in nondescript facilities, and critical locations have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access Amazon Web Services data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Environmental Safeguards

Fire Detection and Suppression

Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.

Power

The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide backup power for the entire facility.

Climate and Temperature Control

Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Monitoring systems and data center personnel ensure temperature and humidity are at the appropriate levels.

Management

Data center staff monitor electrical, mechanical and life support systems and equipment so issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.

Network Security

We have a single production network that is used to service our customers.

The inbound firewall is configured in a default deny mode and Workbasehr.com explicitly opens ports to allow inbound traffic. The traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or CIDR block).

The firewall is configured to permit only the absolute minimum connectivity required to provide the Workbasehr.com services. Changes to firewall access rules require Workbasehr.com’s X.509 certificate and key for authorization.

The Operations Team has the ability to change firewall rules.

Host Security

DO and AWS own the physical hardware. DO and AWS provide security groups to limit access to devices. We fully utilize security groups to limit access to our computing resources.

Our production environment is completely separate from the other environments, including development and QA.

AWS provides Identity and Access Management (IAM) to control access to AWS resources. We use AWS IAM to manage separate, restrictive AWS credentials for each of our environments. This limits the AWS services available to each environment and compartmentalizes them.

We also use AWS IAM to delegate monitoring and management capabilities to operations staff and prevent destructive actions.

SSH keys are required to gain console access to our servers, in any of the environments.

Individually identifiable RSA key pairs are used for SSH access, and root login is disabled. This ensures that there is a complete audit trail via sudo from a specific action back to the specific individual who triggered that action.

We adhere to strong password policies and require that all RSA private keys be encrypted with a compliant password.

Automated processes are in place on each host that monitor for unauthorized login attempts, with the offending IP address being automatically blacklisted and an alert being generated.

The servers are built using repeatable build processes powered by Docker, which in turn keeps its configuration within a private Bitbucket repository. All changes to the production environment pass through a peer-review change management process, with all changes logged to a central ticket system.

Application Security

Encryption

We have implemented strong encryption via SSL in our application. By using encryption, we minimize the chances of someone possibly intercepting username/password combinations and/or other sensitive information.

Areas where we utilize SSL include:

  • All application logins require SSL. Any area which requires a user to log into our system also requires that SSL is used.
  • The administrative, agent, analytics and API interfaces all leverage and require SSL throughout.
  • Our customers’ sites have optional SSL access to the FAQ & Q&A Portal. This is possible for sites that use a Workbasehr.com configured subdomain or a CNAME with a hosted SSL certificate.

Brute Force Attack Prevention

In order to minimize brute force login attacks, we automatically disable accounts for a five-minute period after five consecutive failed attempts have been registered. If we ever determine that this is a possible area of concern, we can easily increase the lockout period or decrease the number of consecutive failures via configuration.
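
The lockout policy described above, as an added Ruby example that is not Workbasehr.com's own code. `LoginThrottle`, its method names and the in-memory store are assumptions; the 5-attempt and 5-minute values from the page are the configurable defaults.

```ruby
# Added example: temporary account lockout after consecutive failed logins.
# LoginThrottle is a hypothetical name; state is held in memory for brevity.
class LoginThrottle
  def initialize(max_failures: 5, lockout_seconds: 300, clock: -> { Time.now })
    @max_failures = max_failures
    @lockout_seconds = lockout_seconds
    @clock = clock # injectable so the policy can be tested without sleeping
    @state = Hash.new { |h, k| h[k] = { failures: 0, locked_until: nil } }
  end

  def locked?(account)
    locked_until = @state[account][:locked_until]
    !locked_until.nil? && @clock.call < locked_until
  end

  # The block performs the real credential check and returns true/false.
  # It is not called while the account is locked, so guesses submitted
  # during the lockout window are never evaluated.
  def attempt(account)
    return :locked if locked?(account)

    entry = @state[account]
    if yield
      # A success resets the counter: only consecutive failures count.
      entry[:failures] = 0
      entry[:locked_until] = nil
      return :ok
    end

    entry[:failures] += 1
    if entry[:failures] >= @max_failures
      entry[:locked_until] = @clock.call + @lockout_seconds
      entry[:failures] = 0
    end
    :failed
  end
end
```
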

Expected Points of Entry:

  • Agent Desktop (+ Admin/Analytics) Site Login
      • SSL encryption is required
      • Brute force lockout (5 attempts with 5 minute backoff)
  • XSS
      • All public Q&A forms are sanitized to prevent XSS
      • Agent email HTML view is sanitized to prevent malicious email attacks
  • CSRF
      • GET JSON Requests - Rails does not protect against forgery for GET requests out of the box. As a result, we have added authenticity tokens to all sensitive Agent and Admin GET JSON requests with corresponding verification on inbound requests.
      • POST/PUT/DELETE Requests - Rails' built-in CSRF token checks are used for all POST/PUT/DELETE verbs
  • SQL Injection
      • We use prepared statements within Rails to avoid SQL injection issues
  • Attachment filenames
      • Attachments are saved to a generated GUID temp file before uploading to S3. This avoids issues associated with saving/overwriting files with relative file paths.
  • CIDR based IP Restriction
      • For customers on the Plus plan, it is possible to lock various parts of the application to specific IP addresses and/or ranges.
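
The attachment-filename item above, as an added Ruby example that is not Workbasehr.com's own code. The function names and the returned hash layout are assumptions; `naive_path` shows the pattern that GUID naming avoids.

```ruby
require "securerandom"
require "tmpdir"

# Added example: the on-disk name is a generated GUID only. The filename
# supplied by the client is kept as display metadata and never reaches a
# filesystem call.
def stage_attachment(tmp_root, client_filename, bytes)
  guid = SecureRandom.uuid
  path = File.join(tmp_root, guid)
  # EXCL makes the write fail rather than overwrite an existing file.
  flags = File::WRONLY | File::CREAT | File::EXCL | File::BINARY
  File.open(path, flags, 0o600) { |f| f.write(bytes) }
  { guid: guid, path: path, display_name: File.basename(client_filename.to_s) }
end

# The pattern being avoided: joining the client's filename into a path.
# Relative components such as "../" are resolved against tmp_root.
def naive_path(tmp_root, client_filename)
  File.expand_path(File.join(tmp_root, client_filename))
end

# True when path resolves to a location under root.
def inside?(root, path)
  File.expand_path(path).start_with?(File.expand_path(root) + File::SEPARATOR)
end
```

Two uploads with the same client filename get different GUID paths, so neither can overwrite the other or land outside the staging directory.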

Passwords

Passwords & OAuth tokens for external services are encrypted in the database. The encryption keys are stored outside of the codebase and are inaccessible to anyone without production access. Each is encrypted with a site encryption key, which is itself encrypted with a master key that we will rotate periodically.
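
The two-level key hierarchy described above, as an added Ruby example that is not Workbasehr.com's own code. The page does not name a cipher; AES-256-GCM, the blob layout and all function names here are assumptions. It shows why rotating the master key only requires re-wrapping each site key, not re-encrypting stored secrets.

```ruby
require "openssl"
require "securerandom"

# AES-256-GCM; output layout is iv (12 bytes) || tag (16 bytes) || ciphertext.
def seal(key, plaintext, aad)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  iv + cipher.auth_tag + ciphertext
end

def unseal(key, blob, aad)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = blob.byteslice(0, 12)
  cipher.auth_tag = blob.byteslice(12, 16)
  cipher.auth_data = aad
  cipher.update(blob.byteslice(28..)) + cipher.final
end

# The site id is bound as associated data, so a wrapped key or ciphertext
# copied onto another site's row fails authentication.
def new_site_key(master_key, site_id)
  seal(master_key, SecureRandom.random_bytes(32), "site-key:#{site_id}")
end

def encrypt_secret(master_key, wrapped_site_key, site_id, secret)
  site_key = unseal(master_key, wrapped_site_key, "site-key:#{site_id}")
  seal(site_key, secret, "secret:#{site_id}")
end

def decrypt_secret(master_key, wrapped_site_key, site_id, blob)
  site_key = unseal(master_key, wrapped_site_key, "site-key:#{site_id}")
  unseal(site_key, blob, "secret:#{site_id}")
end

# Rotation re-wraps only the site key; stored secrets are left untouched.
def rotate_master(old_master, new_master, wrapped_site_key, site_id)
  site_key = unseal(old_master, wrapped_site_key, "site-key:#{site_id}")
  seal(new_master, site_key, "site-key:#{site_id}")
end
```
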

Complex passwords with a minimum password length of 8 characters are required for all users by default.

Data Storage & Retention Policies

Data is generally stored in a MySQL Database. File attachments are stored within AWS S3. All data (other than passwords and authentication strings) is stored in clear text.

We ship specific server and application logs to a central logging server that provides both hardened log retention and a powerful search interface.

The production MySQL database is configured with high availability with data replicated to multiple, redundant instances. The database is backed up on a nightly basis with encrypted backup copies being shipped to secure off-site storage.

In addition to our usage of this data in production we also occasionally take a copy of the data and load it in our testing environments. These copies are scrubbed of any sensitive or personally-identifiable information before being used for testing or development purposes.

Incident Management Policies

All system events are logged to a central logging service, and any unusual events are flagged for review by a member of the operations team.

All user actions are logged to a secure access log which records the user information, timestamp, IP address, browser, and resource accessed. This information can later be quickly retrieved in the event that a forensic investigation is required.

We plan on always notifying our customers of security incidents as soon as it is safe and prudent to do so, and will share any relevant information to allow our customers to take the necessary actions on their side.

Access to Customer Data

Workbasehr.com staff does not access or interact with customer data or applications as part of normal operations. There may be cases where Workbasehr.com is requested to interact with customer data or applications at the request of the customer for support purposes or where required by law. Customer data is access controlled and all access by Workbasehr.com staff is accompanied by customer approval or government mandate, reason for access, actions taken by staff, and support start and end time.

Employee Screening & Policies

As a condition of employment, all Workbasehr.com employees undergo pre-employment background checks and agree to company policies including security and acceptable use policies.

Did you find a security issue? Please let us know!

Trust is a core principle of Workbasehr.com, so your security is of utmost importance to us. We're constantly working to make sure our system is as secure as possible. If we missed something that you uncover, we are committed to verifying and fixing the issue as soon as possible. Please submit the issue to security@workbasehr.com and once we verify the issue, we'll send you a reward as a sign of our appreciation!