Security at Workload

At Workload, security isn’t a checkbox—it’s a product requirement. Teams trust us to connect their systems and move sensitive data, so we design, build, and operate Workload with defense-in-depth controls at every layer.

Last updated: 2025-09-04


Quick facts

  • Hosting: Workload is hosted on secure cloud infrastructure (AWS).
  • Regions: Choose United States or European Union data hosting.
  • Encryption: TLS 1.2+ in transit; AES-256 at rest.
  • Access: Least-privilege, MFA-protected internal access; role-based permissions in product.
  • Privacy: GDPR/CCPA support; Data Processing Addendum (DPA) available.
  • Availability: Redundant architecture with automated failover and continuous monitoring.
  • Contact: security@workload.co

Data encryption

In transit

  • All traffic to and from Workload is encrypted with TLS 1.2+.
  • HSTS is enabled to enforce HTTPS and reduce downgrade risks.

At rest

  • Customer data, workflow metadata, logs, and file artifacts are encrypted at rest using AES-256.
  • Encryption keys are managed by the cloud provider’s hardened key management service (KMS).

Secrets & credentials

  • OAuth tokens and API keys you connect to Workload are stored encrypted at rest and scoped to the minimum permissions required by the integration.
  • We never share your credentials across workspaces, and you can revoke access at any time.

Data residency: US & EU

Workload offers hosting in both the United States and the European Union.

  • New customers can request a preferred region during onboarding.
  • Data processing and backups stay in-region where technically feasible.
  • Cross-region transfers occur only when required for support or as explicitly configured by you.

If you have regulatory or contractual residency needs, reach out to security@workload.co.


Application & product security

  • Authentication & sessions
    • Strong session management with short-lived tokens and secure cookies.
    • Optional workspace-level controls (e.g., member roles and least-privilege access).
  • Input validation & isolation
    • Strict input validation and sanitization across connectors and webhooks.
    • Workflows execute in isolated, ephemeral environments.
  • Package & dependency hygiene
    • Continuous dependency scanning and patching for known vulnerabilities (CVEs).

Infrastructure & network security

  • Cloud provider hardening
    • Workload runs on AWS with multi-AZ redundancy, private networks, and security groups.
  • Edge protection
    • Managed WAF, DDoS protections, and rate limiting at the edge where appropriate.
  • Backups & recovery
    • Encrypted, automated backups with routine recovery drills.

Monitoring, logging & alerting

  • Centralized logging of application, API, and system events.
  • 24×7 health monitoring with automated alerting on availability, latency, and error budgets.
  • Security alerts feed into on-call rotations for rapid triage.

Privacy & compliance

  • GDPR & CCPA
    • We support subject rights (access, deletion, export) and data minimization.
    • DPA and Standard Contractual Clauses (SCCs) available upon request.
  • Sub-processors
    • We use a small number of vetted infrastructure providers. A current list is available on request.

Need a signed DPA or security questionnaire? Email security@workload.co.


Employee & operational security

  • Least-privilege access: Employee access to systems is role-based and time-bound.
  • MFA required: Administrative access requires multi-factor authentication.
  • Security training: All staff complete recurring security and privacy training.
  • Change management: Code changes are peer-reviewed and pass automated tests before deploy.

Responsible disclosure

We welcome reports from the security community. If you believe you’ve found a vulnerability:

  1. Email security@workload.co with details and steps to reproduce.
  2. Do not publicly disclose the issue until we’ve confirmed and remediated.
  3. We’ll acknowledge receipt within a reasonable timeframe and keep you updated.

Business continuity

  • High availability architecture with regional redundancy.
  • Disaster recovery procedures tested on a regular cadence.
  • Status communications for major incidents affecting availability.

Frequently asked questions

Do you ever store my customers’ passwords?
No. Workload uses OAuth or token-based authentication whenever possible. Secrets are encrypted at rest.

Can you sign our DPA and BAAs?
We provide a standard Data Processing Addendum and can review additional requirements for enterprise plans.

Where is my data stored?
In the US or EU, depending on your selection. Backups are also kept in-region where feasible.

How do I delete my data?
You can remove connected accounts and workflow data from inside the product, or request deletion via security@workload.co.


Talk to our security team

Questions or questionnaires? We’re happy to help.
security@workload.co
