Modern Work Management Security

Your high security standards are non-negotiable. That’s why our security infrastructure and protocols are built to keep your information secure and private.


Enterprise-grade security

 

We’ve built a cloud-based solution that you can trust with your critical workflows and data.

Encryption

Workfront uses industry best practices to ensure that the right security procedures and processes are in place to protect your data. At a minimum, Workfront offers AES 256-bit encryption at rest and in transit, protecting your data whether it's being stored or utilized.

Service level agreements

Our Enterprise-grade service level agreement ensures you’ll get the assistance you need when you need it the most. Our SLA guarantees 99.9% uptime with exceptionally fast response times as well as around-the-clock help desk availability.

Testing

No matter the environment, you can test your way. You'll also be able to preview and test our latest code while configuring the refresh rate that works best for you.

Data Storage and Isolation

Workfront doesn’t store your data on unencrypted portable media like laptop computers, external hard drives, USB drives, or other portable devices. Your data will always be properly segregated from all third-party data.

Access Management

Access to production systems and data is restricted to appropriate personnel. Personnel access is established based on roles, the principle of least privilege, and multifactor authentication. All access is monitored and logged.

Application Penetration Testing

Third-party providers are selected bi-annually to perform independent penetration tests and vulnerability assessments of Workfront. These tests are performed on an environment that mirrors production (without your data). The scope of this test focuses on external penetration as well as vulnerabilities within the application exploited by an authenticated user. At a minimum, these engagements will include testing for industry standard vulnerability safeguards including OWASP Top 10.

Data Location and Redundancy

Your application data is stored on Amazon Web Services (AWS). Commitments to encryption, data security, confidentiality and availability are maintained at standards that meet or exceed those established with Workfront.

AWS environments are configured with multiple Availability Zones (AZs) within each given region. These AZs distribute documents between various physical locations within an AWS region. AZs are designated by environmental tolerance. While they exist in the same AWS region, they do not share power grids, flood plains, fault lines, etc. with the other physical locations within the same region.

Partner Plug-ins and Connectors

The Workfront partner network offers various solutions for delivering strategic integrations with independent vendor applications. Safeguards for the tools built and implemented by Workfront partners are established and maintained by the partner. Workfront does not include these plug-ins and connectors during control performance or application penetration testing. Any additional information related to the security of these partner plug-ins and connectors should be addressed to the partner.

SSO (SAML)

We encourage you to use your current technology. Workfront provides a centrally managed Single Sign-On (SSO) configuration that integrates Workfront with your existing SSO solution. Using this functionality, Workfront easily plugs into the most popular SSO solutions, including LDAP, Active Directory, and other Federated solutions that support SAML 1.1/2.0.

 

Last Updated April 16, 2018

Compliance

 

Workfront works to provide any and all appropriate validation of security, availability, confidentiality and data integrity safeguards. A mixed approach of internal testing and third-party independent attestation reports is used to provide this assurance. Customers are encouraged to review our compliance offerings and the safeguards to which they attest.

SOC 1

Workfront publishes a Service Organization Controls 1 (SOC 1), Type II report. The audit for this report is conducted in accordance with AICPA: AT 801 (formerly SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402).

This audit replaces the Statement on Auditing Standards No. 70 (SAS 70) Type II report. This dual-standard report can meet a broad range of auditing requirements for U.S. and international auditing bodies.

The SOC 1 report audit attests that Workfront control objectives are appropriately designed and that the controls safeguarding customer data are operating effectively.

To request a copy of Workfront’s SOC 1, please contact your sales representative.

SOC 2

Workfront publishes a Service Organization Controls 2 (SOC 2), Type II report. As with other reports (SOC 1), the SOC 2 consists of an evaluation of controls, but the SOC 2 results in an attestation report that expands the evaluation of controls to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles propose definitions for control criteria both general and specific to security, availability, processing integrity, confidentiality and privacy.

The Workfront SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security, availability, processing integrity and confidentiality principles set forth in the AICPA’s Trust Services Principles criteria. This report provides additional transparency into Workfront’s safeguards based on a defined industry standard and further demonstrates Workfront’s ability to protect customer data.

Web Application Penetration Test and Vulnerability Assessment

Third-Party providers are selected biannually to perform independent penetration tests and vulnerability assessments of the Workfront application. These tests are performed on an environment that is built to mirror production (without customer data). The scope of this test focuses on external penetration as well as vulnerabilities within the application exploited by an authenticated user. At a minimum, these engagements will include testing for industry standard vulnerability safeguards including OWASP Top 10.

 

Last Updated March 31, 2016

Our Plans


Team

Basic project and work management to get your team started.


Pro

Complete work management for your entire department. Includes premium digital content review and approval.


Business

Work management for multiple departments. Includes premium digital content review and approval.


Enterprise

Unlimited enterprise solution with advanced security. Includes premium digital content review and approval.