Enterprise security you can actually verify
Worksome is built for procurement teams that care about data.
We meet the standards your legal, IT, and security teams require — and we can prove it.
Security built into every layer
From infrastructure to access controls, Worksome is designed so that enterprises can deploy confidently without making exceptions to their security policy.
Hosted on AWS with an edge security layer provided by Cloudflare (DNS, WAF, and DDoS protection)
Role-based access control (RBAC), SSO/SAML 2.0 support, and mandatory MFA for all internal staff. Principle of least privilege applied across all systems.
All data encrypted at rest (AES-256) and in transit (TLS 1.2+). Encryption keys managed via AWS KMS with annual rotation. No plaintext data leaves our boundary.
24/7 automated anomaly detection, centralised audit logging retained for 12 months, and a Security Information and Event Management (SIEM) system in place.
All sub-processors reviewed against our security standards before onboarding. Full sub-processor list available on request. Annual reassessment mandatory.
Automated daily backups with cross-availability-zone replication (Multi-AZ). DR tested annually with documented runbooks.
Worksome Intelligence
All AI-generated outputs are presented to a qualified Worksome staff member for manual validation before any action is finalized.
In accordance with Article 50 of the EU AI Act, users are explicitly notified when interacting with an AI system.
Worksome Intelligence focuses strictly on administrative efficiency and document retrieval.
Independent verification, not just our word
Third-party audits and internationally recognised frameworks are how we prove our security posture — not how we describe it.
SOC 2 Type II
Annual audit by: Audit Peak
Observation period: 1 January – 31 March 2026
Covers three Trust Services Categories: Security, Availability, and Confidentiality
Full report available to enterprise customers and prospects under NDA
Continuous control monitoring between audits via automated tooling
GDPR & Data Protection
EU data residency · Standard Contractual Clauses · DPA available
Data Processing Agreement (DPA) available for all customers
Data Protection Officer appointed; contact: dpo@worksome.com
Privacy by design embedded in product development lifecycle
Standard Contractual Clauses (SCCs) used for all international transfers
Retention schedules documented and enforced via automated deletion
Subject access request (SAR) process documented and tested
European Union
Primary region · AWS eu-west-1 (Ireland) & eu-central-1 (Frankfurt)
United Kingdom
Available post-Brexit · data remains within UK jurisdiction
United States
Available for US-based enterprise clients · AWS us-east-1
Clarity on who owns what
Enterprise procurement teams often ask how responsibilities are split.
Here's exactly how it works between Worksome and your organisation.
Fast, transparent response, every time
Enterprise procurement teams need to know exactly what happens during a security event.
Here is our committed response timeline.
Triage
Containment
Notification
Regulatory
See how Worksome secures your global workforce
Join a 1:1 walkthrough of our platform and security architecture. We’ll show you our AI guardrails, data residency controls, and how we’ve cleared reviews for the world's largest enterprises in under two weeks.
Frequently Asked Questions about Security
Worksome undergoes independent audits to maintain SOC 2 Type II compliance across the Security, Availability, and Confidentiality Trust Services Categories for our Information Security Management System (ISMS). These reports verify that our controls in those three categories operate effectively over the observation period.
Worksome is hosted on Amazon Web Services (AWS) using a multi-Availability Zone architecture. Enterprise customers can choose their preferred data residency region, including the European Union (Ireland/Frankfurt), the United Kingdom, or the United States (Northern Virginia).
All data is encrypted at rest using AES-256 encryption with keys managed via AWS KMS. Data in transit is protected using TLS 1.2 or higher. We enforce encryption across all production environments to ensure no plaintext data leaves our secure boundary.
We maintain a documented Incident Response Plan. In the event of a confirmed personal data breach, Worksome notifies affected customers without undue delay and complies with the 72-hour regulatory notification window required by GDPR Article 33.
Yes. Worksome supports SAML 2.0 and OpenID Connect (OIDC) for enterprise-grade identity management. This allows your organization to enforce your own Multi-Factor Authentication (MFA) and password policies through providers like Okta, Azure AD, or Google Workspace.
All third-party sub-processors undergo a rigorous security and privacy impact assessment before onboarding. We maintain a transparent Sub-processor List and enter into Data Processing Agreements (DPAs) with all vendors to ensure they meet our strict security standards.
We perform continuous automated vulnerability scanning and conduct penetration testing at least annually, performed by an independent third-party security firm. Any identified vulnerabilities are triaged and remediated according to our internal security patching policy.
We employ a "Human-in-the-Loop" workflow where all AI-generated outputs are manually reviewed by qualified staff before finalization to prevent autonomous decision-making errors.
Yes. We adhere to Article 50 of the EU AI Act by providing explicit user notifications and requiring acknowledgment before users interact with our AI systems.
