Workfront Security

Workfront will use commercially reasonable efforts consistent with, and no less rigorous than, best industry practices to ensure that appropriate facility and data security procedures and processes are in place to protect against destruction, corruption, loss or alteration of, unauthorized access to, or interference with, any of the customer’s production and other data, accounts, systems, confidential information or customer data created and generated through the use of the Workfront software.

Data Storage and Isolation. Workfront will not store the customer’s data on unencrypted portable media such as laptop computers, external hard drives, USB drives, or other portable devices. The customer’s data will be properly segregated from all third party data.

Data Access. Access to customer data is restricted to appropriate personnel. The appropriateness is established based on role and the principle of least privilege. Only DBAs, System Engineers and System Administrators may access production application environments containing customer data. Developers, Support personnel and Quality Assurance may require access to non-production environments containing customer data in order to ensure application performance or to troubleshoot a reported customer issue. Support access to troubleshoot data-specific issues is granted explicitly by the customer and provisioned temporarily using automated tools and mechanisms.

In order to provide greater quality service and performance, Development, QA and Support teams that may have access to customer data in a non-production environment reside both inside and outside the US.

Data Transmission. Workfront warrants that all transmissions of the customer’s data in the Workfront software will be properly encrypted in accordance with industry standards.

Vulnerability Scans and Testing. Workfront will perform regularly scheduled vulnerability assessments on the hosted Workfront software and mobile app. Results from these assessments are internally escalated, planned, prioritized and remediated. Workfront will use application and system logging processes, and these logs will be stored, protected and reviewed on a regular basis. Systems will be scanned regularly for vulnerabilities, which will be prioritized and patched according to corporate policy.

Disclosure Requests. If a third party should request that Workfront disclose a customer’s data pursuant to a subpoena, summons, search warrant, court or governmental order, Workfront will provide the customer with immediate notice and, to the extent permissible by law, a reasonable opportunity to oppose release of the data prior to releasing any such data. If any disclosure is finally directed by a lawful order, Workfront will disclose only so much of the data as is necessary to meet the requirements thereof.

Data Location and Redundancy. Customer application data resides in Workfront’s colocated data center facilities. Colocation facilities are located in the US, are replicated in real time and act as the primary data site with a warm failover. At the request of the customer, certain support activities will be carried out by appropriate personnel outside the US (see Data Access). This ability to deliver support services globally provides our customers with around-the-clock availability and performance.

By default, Workfront document storage is provided on Amazon’s Simple Storage Service (S3) platform in US regions. Commitments to encryption, data security, confidentiality and availability are maintained at standards that meet or exceed those established with Workfront.

AWS environments are configured with multiple Availability Zones (AZs) within each given region. These AZs distribute documents between various physical locations within an AWS region. AZs are designated by environmental tolerance. While they exist in the same AWS region, they do not share power grids, flood plains, fault lines, etc. with the other physical locations within the same region. Each Workfront instance is also replicated to a separate region in order to provide additional failover and redundancy. For additional information on AWS regions and AZs, please visit http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html.

Data Categories. Through the use of the Workfront application, data may be transferred and stored in order to provide the intended service. The following data categories apply to the types of information transferred and stored by the Workfront platform.

  • Account Data – Workfront requires the collection and use of account information in order to provide authentication and role-based application security for the data subject. For the purposes of the application, this includes the username and a hash of the user’s password.
  • Application/Service Data – The subject’s inputs (documents, presentations, images, text, etc.) are stored throughout the course of Workfront use. This data may be transferred and stored out of country (as determined by the environment on which the customer is provisioned).
  • Usage Data – Workfront will collect logs related to the activities performed by the subject within the application.
  • Cookies – Workfront cookies contain relevant data to support the function of the application. While sensitive/personal data is not included in the cookie, it will contain information regarding the environment and session.

EMEA Data Centers and AWS. Customers residing on our EMEA data centers receive equivalent data protections through a controlled environment established using the AWS (Amazon Web Services) platform. Amazon offers world-class data protection, performance and availability. For additional information please refer to https://aws.amazon.com/compliance.

Workfront performs regular reviews of the security in the Amazon platform. Workfront understands the ‘Shared Responsibility Model’ and designs its security controls with these requirements in mind. Customers are encouraged to contact their sales representatives for details related to the security of this platform.

For additional details, please refer to our EU Data Protection page.

Other Services

Document Storage. Workfront document storage leverages Amazon’s S3 by default. Providing this functionality on S3 allows customers significant storage scalability. No customer registration is required. Documents are stored in Workfront application buckets within Amazon’s S3 platform. Access safeguards are applied to these buckets just as they are for any and all application environments.

Customers remain responsible for the security of the data uploaded to Workfront. The data protection is facilitated in a shared responsibility approach between Workfront and Amazon. Additional details can be found here: https://aws.amazon.com/compliance/shared-responsibility-model. Annually, Workfront obtains control requirements for meeting Amazon’s designed control objectives (User Control Considerations) and ensures that appropriate compensating controls are operating effectively in the environment.

ProofHQ. Additional functionality is available to users of the Workfront platform that leverage systems and services provided by ProofHQ. Security safeguards and standards supporting the ProofHQ platform are sufficient to meet the commitments in place on the Workfront platform. Workfront performs annual reviews to ensure that appropriate data protection measures are in place with all peripheral application providers (including ProofHQ). Details regarding ProofHQ security may be obtained at http://www.proofhq.com/html/information-security-policy.html.

Workfront DAM. Workfront offers the Workfront DAM software through a partner agreement with WebDAM. While Workfront owns all commitments established through Workfront DAM SLAs, it is WebDAM that provides the systems and infrastructure that make up the Workfront DAM platform. WebDAM has taken measures to secure user data as well as maintain the availability, confidentiality, and integrity of the Workfront DAM service. Contact your sales representative for additional details on the safeguards established by WebDAM.

Partner Plug-ins and Connectors. Workfront may recommend various partner solutions for delivering strategic integrations with independent vendor applications. Safeguards for the tools built and implemented by Workfront partner solutions are established and maintained by the partner. Workfront does not include these plug-ins and connectors during control performance or application penetration testing. Any additional information related to the security of these partner plug-ins and connectors should be addressed to the partner.

The above stated security policy is now in effect for all new Workfront customers and will be effective for all existing Workfront customers 30 days after publication.

Last Updated March 31, 2016

Terms of Service

By using Workfront software you acknowledge your acceptance of these terms of use. Users are not permitted to misuse Workfront software. This includes attempting to access the software or its features outside of the intended methods. Users are to use Workfront software for purposes directly related to their business processes. If it is discovered that Workfront software has been used in violation of the standards in its use agreements, Workfront may suspend your right to use the software.

The user is the owner of and responsible for data input into the Workfront application. These terms do not give a user ownership of all elements of the application. Users must not manipulate, remove, alter or in any way obscure elements of the service(s) provided by Workfront. This includes pages, branding, application features/functions, etc.

Administrators are responsible for setting and maintaining password policies and access controls in a customer’s environment. If a user is concerned with password security requirements or access rights, the user is to contact their Workfront administrator.

If a user becomes aware of a security issue during use of or interaction with the software, the user should submit a ticket using our Community page.

Last Updated March 31, 2016

Website

Workfront is committed to protecting your privacy and ensuring the security of your information. To prevent unauthorized access or disclosure, to maintain the accuracy of all data and to ensure the appropriate restrictions on use of information, we have put in place appropriate physical, electronic and managerial procedures to safeguard and secure the information we collect online.

This site contains information about our company, products and services. It will also feature success stories about partners and customers, the latest Workfront news, schedules for upcoming events, and possible employment opportunities. We’ve structured the Workfront Web site so that, in general, you can visit most pages without identifying yourself or revealing personal information. Registration is required for submitting information to and participating in Workfront’s knowledge base, forum, and blog.

In some circumstances, Workfront may request personal information from you, such as your name, e-mail address and company name or telephone number. Examples include access to product demos and featured documents, registration for select services and training courses, participating in a beta program or joining a user group. Your response to these inquiries is strictly voluntary, although it may be necessary to complete the activity with which the information is associated. Workfront may use this information to customize your experience on our Web site. In addition, Workfront may use this information for other business purposes, such as alerting you to products and services that can assist you in your business or assisting in order processing. Once you choose to provide us personally identifiable information (any information by which you can be identified), you can be assured that it will only be used to support your relationship with Workfront.

If you do provide personal information, we will not disclose (share, sell or divulge) it to external organizations unless we have informed you or are required to do so by law. We will maintain this information, as well as your business activities and transactions, according to Workfront’s normal confidentiality standards.

Workfront also collects domain information as part of its analysis of the use of this site. This data enables us to become more familiar with customer usage of our site. Workfront uses this information to improve its web-based offerings. This information is collected automatically, frequently from third-party providers such as LeadLander, and requires no action on your part.

Workfront’s Web site may contain links to Web pages not created and/or owned by Workfront. We make no guarantees or promises about the information on those web sites and cannot accept responsibility for the actions or inaction of their operators.

Last Updated March 31, 2016

Compliance

Workfront works to provide any and all appropriate validation of security, availability, confidentiality and data integrity safeguards. A mixed approach of internal testing and third-party independent attestation reports is used to provide this assurance. Customers are encouraged to review our compliance offerings and the safeguards to which they attest.

SOC 1

Workfront publishes a Service Organization Controls 1 (SOC 1), Type II report. The audit for this report is conducted in accordance with AICPA: AT 801 (formerly SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402).

This audit is the replacement of the Statement on Auditing Standards No. 70 (SAS 70) Type II report. This dual-standard report can meet a broad range of auditing requirements for U.S. and international auditing bodies.

The SOC 1 report audit attests that Workfront control objectives are appropriately designed and that the controls safeguarding customer data are operating effectively.

To request a copy of Workfront’s SOC 1, please contact your sales representative.

SOC 2

Workfront publishes a Service Organization Controls 2 (SOC 2), Type II report. As with other reports (SOC 1), the SOC 2 consists of an evaluation of controls, but the SOC 2 results in an attestation report that expands the evaluation of controls to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles propose definitions for control criteria both general and specific to security, availability, processing integrity, confidentiality and privacy.

The Workfront SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security, availability, processing integrity and confidentiality principles set forth in the AICPA’s Trust Services Principles criteria. This report provides additional transparency into Workfront’s safeguards based on a defined industry standard and further demonstrates Workfront’s ability to protect customer data.

Web Application Penetration Test and Vulnerability Assessment

Third-party providers are selected biannually to perform independent penetration tests and vulnerability assessments of the Workfront application. These tests are performed on an environment that is built to mirror production (without customer data). The scope of this test focuses on external penetration as well as vulnerabilities within the application exploitable by an authenticated user. At a minimum, these engagements will include testing against industry-standard vulnerability categories, including the OWASP Top 10.

Last Updated March 31, 2016

EU Data Protection

EU Data Protection Directive (95/46/EC)

The EU Data Protection Directive refers to a European Union directive adopted in 1995 for the protection of individuals related to processing personal data and the free movement of such data. Directive 95/46/EC establishes a number of data protection requirements that apply when personal data is being processed or transferred.

Article 29 Working Party

The Article 29 Working Party, referred to as the “Working Party”, is an advisory group established under Directive 95/46/EC of the European Parliament. This party acts independently of Parliament and advises on the protection of individuals regarding the processing and free movement of their data. The Working Party has responsibility to evaluate, advise and provide opinions on the agreements and directives established for the protection of personal data.

“Model Clauses”

The Model Contract Clauses are a set of provisions established by Workfront to enable personal data to be transferred by a data controller to a data processor outside the European Economic Area in a way that complies with relevant directives (such as Directive 95/46/EC).

Where is your data?

Workfront customers may be running on either our US or EMEA instance.

EMEA customers are run on Amazon Elastic Compute Cloud (EC2) environments with data stored in Amazon Simple Storage Service (S3) in EU regions. Workfront understands the requirements that Amazon establishes for their customers in order to ensure a secure environment. These requirements are known as User Control Considerations (UCCs). Workfront performs an annual review of the UCCs to ensure compensating controls are in place and operating effectively.

US customers are run on Workfront-owned systems that reside in dedicated colocation facilities in the US. Those customers’ documents are stored in the physical colocation facilities mentioned or in Amazon S3, based on customer preference.

Safe Harbor

Workfront continues to adhere to Safe Harbor Principles. Despite its status with EU governing bodies, the safeguards established that represented Workfront’s fulfillment of the agreement are designed and operating effectively. Controls reflecting these safeguards are documented, described and tested in our security reports and test results.