Worklio Security Exceeds Industry Standards

Security

Security is an essential part of doing business in the online world and it is the foundation for the Worklio platform and day-to-day operations.

Worklio is a Software as a Service (SaaS) that was built on the latest Microsoft framework for web applications. It is designed specifically for the Microsoft Azure cloud — not an on-premises system that was installed in a virtual machine and called a “cloud”. Each instance is separated to protect each PEO company and its clients.

Worklio uses Microsoft Azure DevOps for code management and task management. It is the same system that Microsoft uses to protect Windows, Office and related software. The platform was designed from scratch to use all of the advantages of the Microsoft Azure Cloud, including the built-in security features. It is the latest technology to protect you and your data. In the worst case scenario, there are several options for a fast recovery because source codes and data are stored separately.

The Worklio team is highly skilled with years of experience in different areas of contemporary technology, including an email portal that has had millions of users and the antispyware app Spyware terminator that has been downloaded 400 million times.

Worklio maintains a system of continuous monitoring that exceeds the industry standard for security: 24x7, both in-house and from multiple independent locations.

Annually, Worklio renews its ISO 27001 certification for information security management and ISO 9001 certification for quality management. A comprehensive supervisory audit verified compliance in January 2021.

Source-code-level Security

All builds and releases are run on dedicated computers with full automation. All source-code changes are logged and can be traced from/to build and released versions, and to each developer. Source code flows through three phases: Test > Staging > Production. All hotfixes are reviewed by senior developers through pull requests. Everything is covered with the same security that Microsoft uses to protect its own source code for Windows and Office.

Encryption

Worklio uses PCI-grade TLS-transfer encryption (HTTPS); the server is connected to customers with TLS 1.2 communication encryption. Azure SQL Transparent Data Encryption and Column Level Encryption are used for sensitive information (e.g., SSN, account numbers). Data is secured with multi-layered encryption with AES-256 and RSA 2048 bit keys, the highest standard available. Encryption keys are stored in an Azure Key Vault secure location and separate from connected data.

The Worklio platform is hosted in a cloud infrastructure that is secured at an off-site location.

All PEO environments are isolated so a problem in one does not affect others.

Firewall — Worklio uses a web application firewall that supports IPS and DDoS protection. IP restrictions and firewall controls are at all database endpoints.

Ongoing Monitoring

Worklio maintains a system of continuous monitoring that exceeds the industry standard for security: 24x7, both in-house and from multiple independent locations. Third-party cybersecurity firms are used for security testing, scans and threat detection. There are regular reviews of the platform and the server environment, focusing on all levels of operation.

Open Web Application Security Project (OWASP) practices are followed for secure development procedures and to prevent most known attacks, including XSS, SQL injection and other types.

Worklio plans to hire an outside firm to do penetration testing in 2021 Q2.

There are regular reviews of the platform and the server environment, focusing on all levels of operation.

Access

Worklio has a layered system of access rights built into the platform to restrict the number of people who have access to client and employee information. All changes made by anyone on the platform – by administrators, employees and clients – are logged in an audit system so that all access and data alterations are available.

IP restrictions, two-factor authentication and a strong password policy are built into the Worklio platform and all are highly recommended to be activated by clients.

Access Restrictions for Worklio Personnel

Worklio personnel – programmers, developers and support – have limited and controlled access. The build environment and the deployment of releases is handled only by Azure DevOps so no attacker can modify or inject malicious code into production binaries. Azure PaaS is used as the production environment to guarantee the latest server patches and the latest version for runtime frameworks. Development uses only the most recent supported version of .NET Core, and no obsolete environments.

All employees are subject to significant background checks and vetting to maintain a high level of integrity.

Data

Worklio handles all data with care to maintain high standards and best practices, including certification attested to by HIPPA, PCI DSS and ISO 27001. Data is backed up regularly and stored in multiple secure locations throughout the United States. Night backups are retained for seven days. Point-in-time restore allows for the re-establishment of the database state to any minute in the preceding 35 days. The Worklio system and data span numerous physical locations, with N+1 or greater redundancy to establish resilience for all components.

Quality Management

ISO 27001 and ISO 9001 audits verify Worklio security and quality management every year. The most recent comprehensive supervisory audit was completed in January 2021.

Worklio is also in the process of obtaining SOC 2 certification to further ensure the secure management and protection of data.

Azure Uptime Guarantee

Worklio servers are hosted in the cloud by Microsoft Azure. The Azure Cloud has an uptime guarantee of 99.95%. The long-time average based on our Service Level Agreement conditions, which excludes non-office hours when releases are made, is 99.99%.