Security at Optimal Workshop

Learn more about our security policies and procedures including how to lodge a security issue.

Written by Optimal Workshop

At Optimal Workshop, we take the security of our products seriously. You can read our Terms of Service and Cookie Policy on our website.

Compliance

SOC 2 Type II

Optimal Workshop is SOC 2 Type II compliant.

GDPR

Optimal Workshop has aligned its processes and service to be compliant with privacy regulations within New Zealand and internationally (e.g. GDPR, CCPA, LGPD). Please see our Data Privacy practices from the following link: https://support.optimalworkshop.com/en/articles/2626921-data-privacy-at-optimal-workshop

PCI-DSS

Optimal Workshop does not directly collect, process, or store cardholder data. Payment processing is handled by a PCI-DSS compliant service provided by our third-party provider, Windcave.

Data Encryption

Encryption at Rest

All customer data, including customer uploads and backups, is encrypted at rest using AES-256.

Encryption in Transit

All data in transit is served exclusively over HTTPS and protected with TLS 1.2.

Data Management

Location of Data

Our database is encrypted at rest and hosted in AWS datacentres located in the USA, so physical and environmental security of the datacentre is provided by AWS. For details of the AWS datacentre controls see: https://aws.amazon.com/compliance/data-center/controls/

Logical segregation

Our product is multi-tenanted, with logical segregation enforced in software. Access checks are designed to prevent one account from reading data that belongs to another, so data is available only to authorised users of the account that owns it.

Data Collection

As a SaaS company supplying services on a subscription basis, we do not know or control what data you will collect from your research for processing. Basic personal information (business contact information) is collected for account management and billing purposes. See our privacy notice for more information: https://www.optimalworkshop.com/privacy

Access Controls

Authentication

Access to Optimal Workshop services is provided only to those with approved user credentials, and minimum password requirements are enforced. Users can also authenticate through Google OAuth2 or SAML.

Assurance and Vulnerability Management

Assurance

We conduct periodic audits of security configurations. Independent security auditors run annual penetration tests against our service, and we conduct periodic vulnerability scans of our systems to look for security weaknesses.

Vulnerability Management

As governed and managed by our Operations Security Policy, vulnerabilities discovered during application assessments must be mitigated according to their identified risk level, which is assigned using the Open Web Application Security Project (OWASP) Risk Rating Methodology. We run automated static code vulnerability scans to detect newly introduced vulnerabilities in our code before it is merged, and again as part of the deployment pipeline. Full vulnerability scans of externally exposed applications are run quarterly, and findings are remediated according to what is practical and achievable.

Governance

Dedicated Security Staff

Optimal Workshop has an in-house Security & Privacy Officer who oversees and manages security and privacy governance within OW, including leading the IT security and data privacy strategy, ensuring it is implemented across the business, and managing security and privacy risk within OW. Security and privacy are engaged early in the design and implementation of tools and features within the organisation. We perform ongoing security reviews through quarterly vulnerability assessments and annual penetration testing. These are conducted to ensure alignment with security standards and industry baselines such as OWASP.

Best Practices

We apply security by design during the development of our services, and application security practices are applied throughout the development lifecycle. Our application is reviewed and tested at every stage of the development process by experienced developers so that technical vulnerabilities are identified and resolved as early as possible.

Change Management

Optimal Workshop's change control process is managed and governed by its Operations Security Policy and is well understood and practised. No changes are released into production without appropriate peer review and automated testing of the code changes.

Reporting a security issue

If you discover a security issue, we ask that you report it to our security team using the email support@optimalworkshop.com.

The team will be in contact to confirm receipt of your report and discuss the next steps towards addressing the issue.

When you get in touch with our security team, please provide as much information as you can to help us investigate and replicate the issue:

  • Any steps we can follow to reproduce the issue

  • Target URLs, request/response pairs, screenshots

  • Any suggestions to help us address the problem

  • The device and browser version you were using when you identified the issue

Are you a Security Researcher?

Whilst we offer our thanks to those working to improve the security of our service, we ask that you please respect the following:

  • Don't use automated tools in your research, as they can affect the performance of the service for our customers. We conduct periodic testing of this nature ourselves in a controlled fashion to avoid service disruption.

  • Don’t knowingly compromise any user’s privacy, attempt to alter data or in any other way impact the performance or integrity of our service

  • Give us reasonable time to respond to your report

  • Note that we do not have a "bug bounty programme".

For more information, please email security@optimalworkshop.com
