The Workable security and performance promise ensures that you have stable access to the tools you need and stay data compliant.
Workable takes information security seriously. We do this to protect your organization and the information of every candidate applying to work with you.
Our platform is robust and secure. We protect your data through industry standards and our own best practices. And we aim to be as clear and open as we can about the security measures we take.
Workable is a partner. Companies collecting and processing EU data can manage and maintain GDPR compliance with our tools and features.
Workable is ISO 27001:2013 certified. This means our recruiting software and operating environment meet worldwide security and data protection standards.
The environment that hosts Workable services maintains multiple certifications for its data centers, including ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402, PCI Level 1, FISMA Moderate and Sarbanes-Oxley (SOX). More information can be found on our hosting provider’s security and compliance websites.
Workable data is encrypted in transit. This is achieved through security best practices (e.g. HSTS) and the latest recommended secure cipher suites and protocols.
Certain types of customer data are also encrypted at rest. Passwords are stored in hashed form to ensure their confidentiality; we use hashing algorithms with salt.
Having established a high benchmark for security, we’re committed to maintaining it. Workable implements best practices as they evolve and responds promptly to new cryptographic weaknesses as they’re discovered.
Resilience and availability
Hiring isn’t a 9-5 job. Recruiting software should be available whenever and wherever you need it. Our uptime guarantee excludes scheduled maintenance.
Our operations team tests disaster-recovery measures regularly and staffs an around-the-clock, on-call team to resolve unexpected incidents quickly.
Workable’s infrastructure runs on fault-tolerant systems. Whether there’s an issue with an individual server or an entire data center, we will continue to be operational and available.
Maintenance operations requiring a short downtime are scheduled during off-peak hours and announced at least one business day in advance. Incidents and scheduled downtime are recorded on our status page.
Disaster recovery, incident management and response
To ensure continued availability, Workable application data is stored redundantly in multiple locations in our hosting provider’s data centers. Our main databases are backed up weekly to a different hosting provider, each with different login credentials.
We have a defined Business Continuity Plan (BCP) and have implemented backup and restoration procedures that enable recovery from a major disaster.
Workable has effective incident management policies and procedures in place to handle any interruption of service. Should a situation arise, we will notify you and any applicable regulator of a suspected data security breach according to our incident management policies.
Application and network security
In addition to the security components provided by our top level cloud providers, Workable has its own dedicated controls through key industry security vendors.
These controls cover every aspect of security from the bottom to the top of the TCP/IP stack. They include a dedicated Web Application Firewall (WAF), as well as network firewalls configured according to the highest industry standards.
The fine-grained configuration of our web application firewall acts as a strong barrier protecting the Workable application and microservices. It enforces security controls such as a hardened TLS configuration (strong encryption and hashing algorithms), strong authentication mechanisms (preventing password-guessing attacks), broad protection against malicious activity (IP reputation, browser integrity checks, WAF rules, etc.) and specific rate-limiting rules.
For users on Pro accounts and above, Workable provides the option of single sign-on (SSO) for an additional level of security. This integrates with SSO services that support Security Assertion Markup Language (SAML), such as OneLogin, Okta, Microsoft Azure Active Directory, Google Apps, Centrify, Auth0 and PingFederate.
Logging and monitoring
Workable maintains an extensive, centralized logging system in its production environment. It contains information pertaining to security, monitoring, availability, access, and other metrics about the Workable application and its microservices.
These logs are analyzed for security events via dedicated automated alerts and monitors that are overseen by our security team. Particular emphasis is placed on logins to sensitive accounts and services.
Workable employees receive privacy and security training as part of their onboarding. They are required to read and sign our comprehensive ‘Acceptable Use’ policy, covering our Information Security Management System.
Workable also runs regular internal Information Security Awareness training campaigns for all employees. These include gamified training modules, questionnaires and targeted phishing campaigns.
Security assessments & 3rd party audits
Workable believes in security audits. An external audit is performed yearly by a qualified third-party assessor. It covers organizational compliance and information security risk.
We also work with Bugcrowd and HackerOne, through private bug bounty programs, to ensure continuous independent penetration testing of our application and microservices.
Additional automated security assessments, such as web application scans, system/network vulnerability assessments and static code reviews, are performed on a regular basis. The outcomes are evaluated and an action plan is dispatched across all affected teams to mitigate potential vulnerabilities.