Security & Trust

Enterprise security you can actually verify

Worksome is built for procurement teams that care about data.

We meet the standards your legal, IT, and security teams require — and we can prove it.

SOC 2 Type II
Certified [mm/yyyy]
GDPR Compliant
EU data residency available

How we protect your data

Security built into every layer

From infrastructure to access controls, Worksome is designed so that enterprises can deploy confidently without making exceptions to their security policy.

Infrastructure Security

Hosted on AWS with an edge security layer provided by Cloudflare (DNS, WAF, and DDoS protection).

Access Controls

Role-based access control (RBAC), SSO/SAML 2.0 support, and mandatory MFA for all internal staff. Principle of least privilege applied across all systems.

Data Encryption

All data encrypted at rest (AES-256) and in transit (TLS 1.2+). Encryption keys managed via AWS KMS with annual rotation. No plaintext data leaves our boundary.

Monitoring & Logging

24/7 automated anomaly detection, centralised audit logging retained for 12 months, and a Security Information and Event Management (SIEM) system in place.

Vendor Management

All sub-processors reviewed against our security standards before onboarding. Full sub-processor list available on request. Annual reassessment mandatory.

Business Continuity

RTO of 4 hours, RPO of 1 hour. Automated daily backups with cross-region replication. DR tested twice per year with documented runbooks.

Worksome Intelligence

Human-in-the-Loop Verification:

All AI-generated outputs are presented to a qualified Worksome staff member for manual validation before any action is finalized.

User Transparency & Consent:

In accordance with Article 50 of the EU AI Act, users are explicitly notified when interacting with an AI system.

Ethical Scope & Safety:

Worksome Intelligence focuses strictly on administrative efficiency and document retrieval.

Certifications & Audits

Independent verification, not just our word

Third-party audits and internationally recognised frameworks are how we prove our security posture — not how we describe it.

SOC 2 Type II

Annual audit by [Auditor Name]

Valid through [Month Year]

Covers all five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy

Type II report covers a rolling 12-month observation period

Full report available to enterprise customers and prospects under NDA

Continuous control monitoring between audits via automated tooling

GDPR & Data Protection

EU data residency · Standard Contractual Clauses · DPA available

Data Processing Agreement (DPA) available for all customers

Data Protection Officer appointed; contact: dpo@worksome.com

Privacy by design embedded in product development lifecycle

Standard Contractual Clauses (SCCs) used for all international transfers

Retention schedules documented and enforced via automated deletion

Subject access request (SAR) process documented and tested


European Union

Primary region · AWS eu-west-1 (Ireland) & eu-central-1 (Frankfurt)

United Kingdom

Available post-Brexit · data remains within UK jurisdiction

United States

Available for US-based enterprise clients · AWS us-east-1

Shared Responsibility

Clarity on who owns what

Enterprise procurement teams often ask how responsibilities are split.

Here's exactly how it works between Worksome and your organisation.

Responsibility area | Owner | Detail
Infrastructure & cloud security | SHARED | Physical security managed by AWS; security configuration, edge security (Cloudflare WAF/DDoS), and application layer managed by Worksome.
Application security & patching | WORKSOME | SDLC policy, code review, dependency scanning, quarterly pen tests.
Encryption at rest and in transit | WORKSOME | AES-256 at rest; TLS 1.2+ in transit; no customer action required.
User access to your Worksome account | YOUR ORGANISATION | Your admin team controls who gets access and at what role level.
SSO / identity provider integration | SHARED | Worksome supports SAML 2.0; your team configures the IdP connection.
Freelancer data quality & accuracy | YOUR ORGANISATION | Data entered by your team or freelancers remains your responsibility under GDPR.
Incident notification | WORKSOME | We notify affected customers within 24 hours of a confirmed incident, per GDPR.
DPIA / internal privacy reviews | YOUR ORGANISATION | We provide supporting documentation; your DPO conducts the DPIA.
AI decision validation | SHARED | Worksome staff manually validate AI outputs in the backoffice, while your users provide final judgment on results for business decisions.

Security contact: security@worksome.com
Responsible disclosure: security@worksome.com

Incident Response

Fast, transparent response, every time

Enterprise procurement teams need to know exactly what happens during a security event.

Here is our committed response timeline.

< 35 Minutes

Triage

Automated alerts trigger immediate triage by our on-call security team. We maintain a 35-minute average response time for all critical system alerts, 24/7/365.

≤ 4 Hours

Containment

Affected systems are isolated and initial containment measures are applied within four hours of a confirmed incident to prevent further impact.

< 24 Hours

Notification

We provide direct email notification to affected customers within 24 hours of incident confirmation, including all available facts and recommended next steps.

72 Hours

Regulatory

We meet the strict 72-hour window for notifying relevant supervisory authorities (such as the ICO) where required under GDPR Article 33.

See how Worksome secures your global workforce

Join a 1:1 walkthrough of our platform and security architecture. We’ll show you our AI guardrails, data residency controls, and how we’ve cleared reviews for the world's largest enterprises in under two weeks.

Book a demo

Frequently Asked Questions about Security

What certifications and audits does Worksome maintain?
Where is customer data stored and hosted?
How does Worksome protect data in transit and at rest?
How does Worksome handle security incidents and notifications?
Does Worksome support Single Sign-On (SSO)?
How are sub-processors vetted and managed?
How is the platform tested for vulnerabilities?
How does Worksome ensure AI outputs are accurate?
Is Worksome Intelligence compliant with the EU AI Act?