Secure and scalable

The Workable security and performance promise ensures that you have stable access to the tools you need and stay data compliant.

Data protection


Workable takes information security seriously. We do this to protect your organization and the information of every candidate applying to work with you.

Our platform is robust and secure. We protect your data through industry standards and our own best practices. And we aim to be as clear and open as we can about the security measures we take.

Workable is a GDPR-compliant partner. Companies collecting and processing EU data can manage and maintain GDPR compliance using our tools and features.



Workable is ISO 27001:2013 certified. This means our recruiting software and operating environment meet with worldwide security and data protection standards.

The environment that hosts Workable services maintains multiple certifications for its data centers, including: ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402, PCI Level 1, FISMA Moderate, Sarbanes-Oxley (SOX). More information can be found on Heroku, AWS and Google security and compliance websites.


Data encryption

Workable data is encrypted in transit. This is achieved through security best practices (i.e.  HSTS) and the latest recommended secure cipher suites and protocols.

Certain types of customer data are also encrypted at rest. Passwords are stored using irreversible encryption to ensure their confidentiality. We use hashing algorithms with salt.

Having established a high benchmark for security, we’re committed to maintaining it. Workable implements best practices as they evolve and responds promptly to new cryptographic weaknesses as they’re discovered.


Resilience and availability

Hiring isn’t a 9-5 job. Recruiting software should be available whenever and wherever you need it. We guarantee 99.8% uptime, excluding scheduled maintenance.

Our operations team tests disaster-recovery measures regularly and staffs an around-the-clock, on-call team to resolve unexpected incidents quickly.

Workable’s infrastructure runs on fault tolerant systems. Whether there’s an issue with an individual server or an entire data center we will continue to be operational and available.

Maintenance operations requiring a short downtime are scheduled during off-peak hours and announced at least one business day in advance. Incidents and scheduled downtime are recorded on our status page.


Disaster recovery, incident management and response

To ensure continued availability, Workable application data is stored redundantly in multiple locations in our hosting provider’s data centers. Our main databases are backed up weekly to a different hosting provider, each with different login credentials.

We have a defined Business Continuity Plan (BCP) and implemented backup and restoration procedures which enable recovery from a major disaster.

Workable has effective incident management policies and procedures in place to handle any interruption of service. Should a situation arise, we will notify you and any applicable regulator of a suspected data security breach according to our privacy policy.


Application and network security

In addition to the security components provided by our top level cloud providers, Workable has its own dedicated controls through key industry security vendors.

These controls cover every aspect of security from the bottom to the top of the TCP/IP stack. They include DDoS protection and a dedicated Web Application Firewall, as well as network firewalls configured according to the highest industry standards.

Our web application firewall fine-grained configuration acts as a strong barrier to protect the Workable application and microservices. It enforces security controls such as hardened TLS configuration (strong encryption and hashing algorithms), strong authentication mechanism (preventing password guessing attacks), overall protection against malicious activity (IP reputation, browser integrity checks, WAF rules, etc.) and specific rate limiting rules.

For users on Pro accounts and above, Workable provides the option of single sign-on (SSO) for an additional level of security. This integrates with SSO services that support Security Assertion Markup Language (SAML) such as OneLogin, Okta, Microsoft Azure Active Directory, Google Apps, Centrify, Auth0 and PingFederate.


Logging and monitoring

Workable maintains an extensive, centralized logging environment in its production environment. This contains information pertaining to security, monitoring, availability, access, and other metrics about the Workable application and its microservices.

These logs are analyzed for security events via automated dedicated alerts and monitors that are overseen by our security team. Particular emphasis is put on logins to sensitive accounts and services.



Workable employees receive privacy and security training as part of their onboarding. They are required to read and sign our comprehensive ‘Acceptable Use’ policy, covering our Information Security Management System.

Workable also performs regular internal Information Security Awareness training campaigns for all employees. This includes gamified training modules, questionnaires and targeted phishing campaigns.


Security assessments & 3rd party audits

Workable believes in security audits. An external audit is performed on a yearly basis by a qualified 3rd party assessor. This covers organizational compliance and information security risk.

We also work with Bugcrowd and HackerOne, through private bug bounty programs, to ensure continuous independent penetration testing activities towards our application and microservices.

Additional automated security assessments such as web application scans, system/network vulnerability assessments and static code reviews are performed on a regular basis. The outcomes are evaluated and an action plan dispatched across all affected teams to mitigate potential vulnerabilities.

Get a demo

See how Workable streamlines
the hiring process.

Get a demo

Start a free trial now

Try Workable free for 15 days,
no credit card required.

Free trial