SOC 2 Type II
Optimal Workshop is SOC 2 Type II compliant.
Optimal Workshop has aligned its processes and service to be compliant with privacy regulations within New Zealand and internationally (e.g. GDPR, CCPA, LGPD). Please see our Data Privacy practices at the following link: https://support.optimalworkshop.com/en/articles/2626921-data-privacy-at-optimal-workshop
Optimal Workshop does not directly collect, process, or store cardholder data. Payment processing is handled by a PCI-DSS compliant service provided by our third-party provider, Windcave.
Encryption at Rest
All customer data, including customer uploads and backups, is encrypted at rest using AES-256.
Encryption in Transit
All data in transit uses HTTPS exclusively and is protected using TLS 1.2.
Location of Data
Our database is encrypted at rest. For datacentre security we use the AWS datacentre located in the USA. For more information on the physical and environmental controls in AWS datacentres, see: https://aws.amazon.com/compliance/data-center/controls/
Our product is multi-tenanted with logical segregation enforced: our software is designed so that users can access only the data associated with their own account and cannot reach data belonging to other accounts.
As a SaaS company supplying services on a subscription basis, we do not know or control what data you will collect from your research for processing. Basic personal information (business contact information) is collected for account management and billing purposes. See our privacy notice for more information: https://www.optimalworkshop.com/privacy
Access to Optimal services is provided only to those with approved user credentials. Minimum password requirements are enforced. We also allow users to authenticate through Google OAuth2 and SAML.
Assurance and Vulnerability Management
We conduct periodic audits of security configurations to make sure information is secure. We use independent security auditors to run annual penetration tests against our service. We also conduct periodic vulnerability scans of our systems looking for security weaknesses.
As governed and managed by our Operations Security Policy, vulnerabilities discovered during application assessments must be mitigated based upon the identified risk levels, which are assigned using the Open Web Application Security Project (OWASP) Risk Rating Methodology. We run automated static code vulnerability scans to detect newly introduced vulnerabilities in our code before it is merged, and again as part of the deployment pipeline. Full vulnerability scans of externally exposed applications are done quarterly, and findings are then remediated according to what is practical and achievable.
Dedicated Security Staff
Optimal Workshop has an in-house Security & Privacy Officer who oversees and manages security and privacy governance within OW, including leading the IT security and data privacy strategy, ensuring it is implemented across the business and managing security and privacy risk within OW. Security and privacy are engaged early in the design and implementation of tools and features within the organisation. We perform ongoing security reviews through quarterly vulnerability assessments and annual penetration testing. These are conducted to ensure that alignment with security standards and industry baselines, such as OWASP, is maintained.
We deploy security by design during the development of our services. Application Security practices are deployed throughout the development lifecycle. Our application is reviewed and tested at every stage of the development process by experienced developers to ensure technical vulnerabilities are identified and resolved as early as possible.
Change control is managed and governed by Optimal Workshop's Operations Security Policy, and Optimal has a well-understood and practised process in place. No changes are released into production without an appropriate peer review and automated testing conducted against the changes to code.
Reporting a security issue
If you discover a security issue, we ask that you report it to our security team using the email firstname.lastname@example.org.
The team will be in contact to confirm receipt of your report and discuss the next steps towards addressing the issue.
When you get in touch with our security team, please provide as much information as you can to help us investigate and replicate the issue:
Any steps we can follow to reproduce the issue
Target URLs, request/response pairs, screenshots
Any suggestions to help us address the problem
The device and browser version you were using when you identified the issue
Are you a Security Researcher?
Whilst we offer our thanks to those working to improve the security of our service, we ask that you please respect the following:
Don't use automated tools in your research, as they can affect the performance of the service for our customers. We conduct periodic testing of this nature ourselves in a controlled fashion to avoid service disruption.
Don't knowingly compromise any user's privacy, attempt to alter data, or in any other way impact the performance or integrity of our service.
Give us reasonable time to respond to your report.
Note that we do not have a "bug bounty programme".
For more information, please email email@example.com