Workiva Security

Maximize security and privacy.

Workiva utilizes numerous measures to ensure the utmost in data security and privacy.

Committed to Compliance.

Compliance Certifications and Memberships

SOC 1 Type II	SOC Reports demonstrate and verify that Workiva implements consistent and dependable security measures and controls as a host and processor of our customers' data. To meet specific customer year end requirements Workiva provides SOC 1 reports with varying control periods.
SOC 2 Type II	Workiva SOC 2 Type II also covers HIPAA controls; is unqualified with a reporting period from November through October.
ISO/IEC 27001:2013	Workiva is ISO/IEC 27001:2013 certified. Download Certificate
FedRAMP Moderate	Under the Federal Risk and Authorization Management Program, Workiva has achieved FedRAMP Moderate. Authorization Details

HIPAA	Workiva enables covered companies subject to the Health Insurance Portability and Accountability Act of 1996 in the United States (HIPAA) to use Workiva's cloud productivity platform to mitigate risk, improve productivity, and give users confidence in data-driven decisions.

Cloud Security Alliance	The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. Please see our CAIQ

Privacy Policy	Workiva has a published privacy policy with a Truste Certification and Privacy Shield. Learn more about privacy at Workiva. For additional information on Workiva’s privacy policy, please visit: Privacy Policy Truste Privacy Shield GDPR Compliance

Workiva has a published privacy policy with a Truste Certification and Privacy Shield. Learn more about privacy at Workiva.

For additional information on Workiva’s privacy policy, please visit:

Truste

Privacy Shield

GDPR Compliance

Cloud Security

Facilities	Customer data is stored in secure facilities, on secure servers, and within secure applications. Workiva office locations have no data centers or access to data centers. Workiva maintains appropriate security personnel for the facilities. Workiva office locations are restricted access facilities with appropriate door access. Badge access is required to enter and exit the building, with additional access required to secure areas. Visitors are required to sign in, sign a confidentiality agreement, and be escorted in secure access areas. Cameras monitor the office locations. Restricted areas have additional controls including secure document handling, screen protection to mitigate shoulder surfing, and additional badge access. Rooms that store telecommunication and network equipment are kept locked, and alarmed. Workiva has partnered with Google and Amazon for infrastructure and cloud services. Workiva runs on Google App Engine (GAE) commonly referred to as PaaS (Platform as a Service). Workiva utilizes Amazons Web Services (AWS) for IaaS (Infrastructure as a Service).
Data Hosting Location	To ensure compliance for our customers' data; Workiva Platform offers three different data physical storage locations. Data center locations in Asia Pacific, North America and Europe.

Facilities

Customer data is stored in secure facilities, on secure servers, and within secure applications. Workiva office locations have no data centers or access to data centers. Workiva maintains appropriate security personnel for the facilities. Workiva office locations are restricted access facilities with appropriate door access. Badge access is required to enter and exit the building, with additional access required to secure areas. Visitors are required to sign in, sign a confidentiality agreement, and be escorted in secure access areas. Cameras monitor the office locations. Restricted areas have additional controls including secure document handling, screen protection to mitigate shoulder surfing, and additional badge access. Rooms that store telecommunication and network equipment are kept locked, and alarmed.

Workiva has partnered with Google and Amazon for infrastructure and cloud services. Workiva runs on Google App Engine (GAE) commonly referred to as PaaS (Platform as a Service). Workiva utilizes Amazons Web Services (AWS) for IaaS (Infrastructure as a Service).

Data Hosting Location

To ensure compliance for our customers' data; Workiva Platform offers three different data physical storage locations. Data center locations in Asia Pacific, North America and Europe.

Dedicated Security Team	Workiva has a security program and dedicated team with a CISO.
Network Vulnerability Scanning	Workiva utilizes various internal security tools to perform weekly internal network vulnerability scans against all production environments. Additionally, external networks scans are performed using open source tooling as a routine part of our third-party penetration tests.
Third-Party Penetration Tests	In addition to our internal testing, Workiva engages a third-party security firm to perform vulnerability and penetration testing twice a year.
Security Incident Event Management	Workiva utilizes security information and event management (SIEM tool). Workiva’s Information Security Team reviews logs and alerts for performance and security considerations including logs relating to authentication, endpoint, web application, and more.
Intrusion Detection and Prevention	Workiva deploys Next Generation AV to all user endpoints and Windows infrastructure to provide active threat protection against known and emerging threats. Additionally, Cloud Security Posture Management and Cloud Workload Protection tools are deployed across the application infrastructure to provide host based intrusion detection. The Workiva Platform leverages logging capabilities and supporting systems to monitor for potential threats. Within the application, customers can review the logs and set up alerts to be emailed if certain activities occur, such as a failed login attempt or if a document has been downloaded or exported.
DDoS Mitigation	Workiva leverages a Web Application Firewall (WAF) to perform ingress filtering at the network boundary and prevents direct access to internal resources through the use of private, Virtual Private Clouds (VPCs). Additionally, solutions are used to provide Distributed Denial of Service (DDoS) protection for all applications running in the cloud environment.
Security Incident Response	Workiva has an established Incident Response Policy, standard and procedures which outlines actions, notification, and steps for remediation in the event of any type of incident beyond normal business operations. This plan is tested annually for security events.

Encryption in Transit	Workiva uses TLS versions 1.2 and 1.3 with digital certificate identification. In addition Workiva platform utilizes HTTP Strict Transport Security (HSTS) for further protection.
Encryption at Rest	All Workiva Platform data is stored encrypted with Advanced Encryption Standard (AES) 256-bit algorithm.

Uptime	Workiva provides status through our website https://status.workiva.com/. Through our SLA within contracts Workiva commits to a 99.5% uptime.
Redundancy	Workiva relies on multiple data centers and office locations to provide operational redundancy. We ensure reliability by distributing and replicating data across our multiple systems in case of failure at any single point.
Disaster Recovery	The Workiva Platform includes high availability through our redundant infrastructure.

Application Security

Secure Code Training	Workiva has mandatory security education training for anyone with access to Workiva systems. Training is required at the initial time of access and on an annual basis thereafter. Training includes policies, standards, confidentiality and privacy, physical security, system security, acceptable use, social engineering and other items.
Framework Security Controls	Workiva leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.
Quality Assurance	Workiva's detailed change control process dictated by the Information Security Policy applies to all changes to the environment, including configuration, operating system, and application updates. New versions of Wdesk, or updates designated for release, are moved from the development environment and staged within a mirrored production environment where our Quality Assurance Team performs rigorous system, integration, regression, and acceptance testing. This environment is also where ongoing penetration testing and vulnerability scanning is performed. Security is part of all phases of product development. Code pertaining to session management, access control, APIs that perform cross-platform calls, authentication, input validation, output encoding, secure transmission, audit logging, file uploads, XSS/CSRF protection, or encryption/hashing has security review either by the InfoSec team or developers trained and authorized in security review. Code changes and additions are tracked, reviewed, and approved by security production release. The Information Security Team utilizes OWASP Top 10 among other industry standards for secure coding. Great care is taken during the design and prototyping phases of any feature set to identify architecture and implementation that may require security consideration. New feature sets requiring security consideration are subject to code review and approval prior to production release.
Separate Environments	Development and Testing environments are separated from the Production environment. Additionally, segregation of duties principles are implemented throughout Workiva to enforce checks and balances and minimize risk.

Dynamic Vulnerability Scanning	Workiva has configured a Dynamic Application Security Testing (DAST) tool to perform regularly scheduled dynamic vulnerability scanning. In addition to automated scanning, Workiva performs security testing as a part of the SDLC release process.
Static Code Analysis	Workiva has configured a Static Application Security Testing (SAST) tool to perform regularly scheduled scans to identify potential weaknesses in application code. In addition to automated scanning, Workiva performs secure code reviews as a part of the SDLC release process.
Third-Party Penetration Testing	In addition to our internal security testing, Workiva engages a third-party security firm to perform vulnerability and penetration testing twice a year.
Responsible Disclosure / Bug Bounty Program	Workiva leverages a bug bounty platform, which maintains a curated set of active professional security researchers who provide continuous security coverage of the Workiva Platform. Workiva also maintains a security.txt page to direct interested external parties on responsible disclosure. Report a Vulnerability

Product Security

Authentication Options	User access is governed by a membership into an Organization, and then memberships into Workspaces, where content is stored and managed. Additionally, content can be permissioned to both an individual, or to a workspace group. Through our administration application, customers can self-administer usernames, passwords, and password policies. Authentication features within the platform also include: Single Sign-On through SAML 2.0 User Provisioning via SCIM 2.0 Browser Validation Multifactor Authentication IP Address Restrictions
Configurable Password Policy	The Workiva platform has a minimum standard of sixteen characters with no restrictions on special numbers or special characters. We added a new password meter to show strength of user password. This meter is not enforced on our side. We also now check passwords against publicly known breached passwords. These changes were made to align more closely with OWASP Application Security Verification Standard 4.0.
Multifactor Authentication (MFA)	The Workiva platform multi-factor authentication will take place via email. After setting new password, users will receive an email with a 6-digit code. Users will be required to supply the 6-digit code back to Workiva to complete the login flow. We have plans to re-introduce time-based one-time passwords (TOTP) through apps such as Google Authenticator, Microsoft Authenticator, Duo Authenticator, or Okta Verify.

Authentication Options

User access is governed by a membership into an Organization, and then memberships into Workspaces, where content is stored and managed. Additionally, content can be permissioned to both an individual, or to a workspace group. Through our administration application, customers can self-administer usernames, passwords, and password policies.

Authentication features within the platform also include:

Single Sign-On through SAML 2.0
User Provisioning via SCIM 2.0
Browser Validation
Multifactor Authentication
IP Address Restrictions

Configurable Password Policy

The Workiva platform has a minimum standard of sixteen characters with no restrictions on special numbers or special characters. We added a new password meter to show strength of user password. This meter is not enforced on our side. We also now check passwords against publicly known breached passwords. These changes were made to align more closely with OWASP Application Security Verification Standard 4.0.

Multifactor Authentication (MFA)

The Workiva platform multi-factor authentication will take place via email. After setting new password, users will receive an email with a 6-digit code. Users will be required to supply the 6-digit code back to Workiva to complete the login flow. We have plans to re-introduce time-based one-time passwords (TOTP) through apps such as Google Authenticator, Microsoft Authenticator, Duo Authenticator, or Okta Verify.

Role-Based Access Controls	Within the Workiva platform, role assignments can be utilized to gatekeep access to features and functionality. Every member of a workspace has a role, each with its own level of access to features. Based on the solution set for a workspace, you’ll have access to different roles. Administrative Roles: The Workspace Owner role is only available at the workspace-level. Org Admin roles are available at the organization-level but can perform some functions at the workspace-level. Non-administrative Roles: If your organization is not on the current solution-based licensing model, there are different non-administrative roles such as Editor, Viewer, etc. Feature Specific Roles: In addition to the roles above, there are roles to provide access to specific features in a workspace. These roles would include Content managers, copy managers, task admins, and filing roles.
IP Restrictions	The Workiva platform administrative application contains logic that allows customers to manager users through security settings for authentication and a granular permission system for access to data. Workiva recommends customers use Single Sign On and can integrate with a SCIM through the SAML 2.0 protocol. Workiva also offers customers Configurable Password Settings IP Restrictions Browser Validation Multi Factor Authentication
Email Signing (DKIM/DMARC)	The Workiva Platform signs outbound messages with DKIM, adheres to a hardfail SPF policy, and runs DMARC in reject mode. Data and attachments are never directly sent within Workiva Platform notifications. Workiva sends all notifications from a fixed set of dedicated IP addresses, and we strongly encourage customers to disable any types of message checking or filtering against messages originating from our platform.

Role-Based Access Controls

Within the Workiva platform, role assignments can be utilized to gatekeep access to features and functionality. Every member of a workspace has a role, each with its own level of access to features. Based on the solution set for a workspace, you’ll have access to different roles.

Administrative Roles:

The Workspace Owner role is only available at the workspace-level.
Org Admin roles are available at the organization-level but can perform some functions at the workspace-level.

Non-administrative Roles:

If your organization is not on the current solution-based licensing model, there are different non-administrative roles such as Editor, Viewer, etc.

Feature Specific Roles:

In addition to the roles above, there are roles to provide access to specific features in a workspace. These roles would include Content managers, copy managers, task admins, and filing roles.

IP Restrictions

The Workiva platform administrative application contains logic that allows customers to manager users through security settings for authentication and a granular permission system for access to data.

Workiva recommends customers use Single Sign On and can integrate with a SCIM through the SAML 2.0 protocol.

Workiva also offers customers

Configurable Password Settings
IP Restrictions
Browser Validation
Multi Factor Authentication

Email Signing (DKIM/DMARC)

The Workiva Platform signs outbound messages with DKIM, adheres to a hardfail SPF policy, and runs DMARC in reject mode. Data and attachments are never directly sent within Workiva Platform notifications. Workiva sends all notifications from a fixed set of dedicated IP addresses, and we strongly encourage customers to disable any types of message checking or filtering against messages originating from our platform.

Human Resources Security

Policies	Workiva has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to Workiva information assets.
Training	Workiva has mandatory security education training for anyone with access to Workiva systems. Training is required at the initial time of access and on an annual basis thereafter. Training includes policies, standards, confidentiality and privacy, physical security, system security, acceptable use, social engineering and other items.

Background Checks	Workiva conducts background checks to the extent allowed by law for all employees in accordance with local laws and regulations. The background check includes a federal criminal record check, employment, education, and references verification.
Confidentiality Agreements	Workiva has a non-disclosure agreement with employees and third-parties with logical access to systems and/or information with the classification of Public, Private, Sensitive, and or Restricted, as outlined in the Information Classification Standard.

Additional security resources.

Security and Compliance Portal

Learn More

Security Bulletin

Learn more

Status Page

Learn More

Workiva Security

Maximize security and privacy.

Committed to Compliance.

Compliance Certifications and Memberships

Cloud Security

Application Security

Product Security

Human Resources Security

Additional security resources.

Security and Compliance Portal

Security Bulletin

Status Page

Online registration is currently unavailable.

Our forms are currently down.

Our forms are currently down.

Workiva Security

Maximize security and privacy.

Committed to Compliance.

Compliance Certifications and Memberships

Security Compliance

Industry-Based Compliance

Memberships

Privacy Certifications and Data Protections

Cloud Security

Data Center and Physical Security

Network Security

Encryption

Availability and Continuity

Application Security

Secure Development (SDLC)

Vulnerability Management

Product Security

Secure Authentication

Additional Product Security Features

Human Resources Security

Security Awareness

Employee Vetting

Additional security resources.

Security and Compliance Portal

Security Bulletin

Status Page

Online registration is currently unavailable.

Our forms are currently down.

Our forms are currently down.