Hosting and Location of Data
‍Our service and data is hosted by Amazon Web Services (AWS) in the USA.

AWS is compliant against the following certifications ISO27001, ISO27017, ISO27018 and SOC 1, 2 and 3. These certifications are performed by independent third-party auditors and can be viewed here: https://aws.amazon.com/compliance/programs/‍

‍Logical and Environment Segregation
‍Our product is a multi-tenanted architecture with logical segregation enforced. Our service is designed to prevent access to client data associated with other accounts which means that access to data is provided only to authorised clients associated with the consumer's account. Our production and non-production environments are segregated and no customer data is used in non-production or local development environments.

‍Encryption in Transit
‍All data-in-transit uses HTTPS exclusively and is encrypted using TLSv1.2.

‍Encryption at Rest
‍All data including customer uploads and backups, is encrypted at rest using AES-256. All encryption keys are managed by AWS Key Management Service.

‍Authentication
‍Access to Optimal Workshop is provided only to those with approved user credentials with password complexity requirements enforced. We also allow customers  to authenticate using Google OAuth2 or SAML 2.0.

‍Software Development Life Cycle (SDLC)
‍We deploy security by design during the development of our service. Application Security practices are deployed throughout the development lifecycle. Our application is reviewed and tested at every stage of the development process by experienced developers to ensure vulnerabilities are identified and resolved as early as possible. All developers must complete ongoing training in best practice secure coding standards that address the OWASP Top 10.

‍Security Awareness Training
‍Optimal Workshop has processes in place to ensure that all staff complete security and privacy awareness training as part of onboarding as well as on an annual basis thereafter. Practical social engineering experiments are also conducted throughout the year to test awareness and vigilance.

‍Assurance and Testing
‍We conduct periodic audits of security configurations to make sure information is secure. We use independent security auditors to run annual penetration tests against our service based on the Open Web Application Security Project (OWASP) methodology.

‍Vulnerability Management
‍Vulnerabilities that are discovered during application assessments must be mitigated based upon the identified risk levels, OWASP Risk Rating Methodology. We run automated static code vulnerability scans to detect newly introduced vulnerabilities in our code before it is merged, as well as part of the deployment pipeline. Full vulnerability scanning of externally exposed applications are done quarterly and then remediate according to what is practical and achievable.

‍Disaster Recovery and Business Continuity
‍As our IaaS provider, AWS has designed its systems to tolerate system or hardware failures with minimal customer impact. AWS provides high availability between their data centres and we have deployed critical components of our service across multiple availability zones and replicate data between zones. In the event of failure, we have automated processes to move customer data and traffic away from the affected area to ensure minimal disruption.

‍Logging and Monitoring
‍We use AWS CloudTrail to log all events within our hosting systems, including access to data and information security events. User activities, exceptions and faults are logged and managed via CloudWatch. We use AWS GuardDuty for threat detection and AWS CloudWatch for alerting. 

‍Data Collection
‍As a SaaS company supplying services on a subscription basis, we do not know or control what data you will collect from your research for processing. You are required to provide basic personal information (including business contact information) for account management and billing purposes. The service also automatically collects IP address information, which is required for functional purposes, and is deleted within 24 hours. See our privacy notice for more information: www.optimalworkshop.com/legal-information-center/#privacy-notice‍

‍Data Deletion Request
‍You can request your individual account be deleted at any time. If you would like to delete your account, complete the following form: https://privacyportal-apac.onetrust.com/webform/384b3150-f5d1-471c-9de5-a9c33914420b/018b8a6d-0210-4c45-81bb-345069fa88c5I

If you would like to request a deletion of on behalf of your organisation, please complete the following form: https://privacyportal-apac.onetrust.com/webform/384b3150-f5d1-471c-9de5-a9c33914420b/aaef91e7-eda9-4527-a656-84b6b2c937b2‍

‍Sub-Processor Updates
‍You can subscribe to our sub-processor updates. If you would like to receive updates,  please email our security team using the email privacy@optimalworkshop.com

‍Reporting a security issue
‍If you discover a security issue, we ask that you report it to our security team using the email security@optimalworkshop.com. The team will be in contact to confirm receipt of your report and discuss the next steps towards addressing the issue. When you get in touch with our security team, please provide as much information as you can to help us investigate and replicate the issue: 

• Any steps we can follow to reproduce the issue Target URLs, request/response pairs, screenshots.
• Any suggestions to help us address the problem.
• The device and browser version you were using when you identified the issue.

‍Are you a Security Researcher?
‍We do not have a "bug bounty programme". Whilst we offer our thanks to those working to improve the security of our service, we ask security researchers to refrain from testing or running automated tools against our service.