Security Center

Compliance

SOC 2 Type II Compliant

Optimal Workshop is SOC 2 Type II compliant. We have implemented technical controls, policies and procedures aligned with the AICPA’s Trust Services Criteria. These have been audited and verified by an independent third-party auditor.


Controls

Hosting and Location of Data
Our service and data are hosted by Amazon Web Services (AWS) in the USA.

AWS holds the following certifications and attestations: ISO 27001, ISO 27017, ISO 27018 and SOC 1, 2 and 3. These audits are performed by independent third-party auditors and can be viewed here: https://aws.amazon.com/compliance/programs/

Logical and Environment Segregation
Our product is a multi-tenanted architecture with logical segregation enforced. Our service is designed to prevent access to client data associated with other accounts, so data is made available only to authorised users of the account that owns it. Our production and non-production environments are segregated, and no customer data is used in non-production or local development environments.

Encryption in Transit
All data in transit uses HTTPS exclusively and is encrypted using TLS 1.2.

Encryption at Rest
All data, including customer uploads and backups, is encrypted at rest using AES-256. All encryption keys are managed by AWS Key Management Service.

Authentication
Access to Optimal Workshop is provided only to those with approved user credentials, with password complexity requirements enforced. We also allow customers to authenticate using Google OAuth2 or SAML 2.0.

Software Development Life Cycle (SDLC)
We apply security by design during the development of our service, and application security practices are used throughout the development lifecycle. Our application is reviewed and tested at every stage of the development process by experienced developers to ensure vulnerabilities are identified and resolved as early as possible. All developers must complete ongoing training in best-practice secure coding standards that address the OWASP Top 10.

Security Awareness Training
Optimal Workshop has processes in place to ensure that all staff complete security and privacy awareness training as part of onboarding as well as on an annual basis thereafter. Practical social engineering experiments are also conducted throughout the year to test awareness and vigilance.

Assurance and Testing
We conduct periodic audits of security configurations to make sure information is secure. We use independent security auditors to run annual penetration tests against our service based on the Open Web Application Security Project (OWASP) methodology.

Vulnerability Management
Vulnerabilities discovered during application assessments must be mitigated according to the risk levels identified using the OWASP Risk Rating Methodology. We run automated static code vulnerability scans to detect newly introduced vulnerabilities in our code before it is merged, as well as in the deployment pipeline. Full vulnerability scanning of externally exposed applications is done quarterly, with findings remediated according to what is practical and achievable.

Disaster Recovery and Business Continuity
As our IaaS provider, AWS has designed its systems to tolerate system or hardware failures with minimal customer impact. AWS provides high availability between its data centres, and we have deployed critical components of our service across multiple availability zones and replicate data between zones. In the event of a failure, automated processes move customer data and traffic away from the affected area to ensure minimal disruption.

Logging and Monitoring
We use AWS CloudTrail to log all events within our hosting systems, including access to data and information security events. User activities, exceptions and faults are logged and managed via CloudWatch. We use AWS GuardDuty for threat detection and AWS CloudWatch for alerting. 

Data Collection
As a SaaS company supplying services on a subscription basis, we do not know or control what data you will collect from your research for processing. You are required to provide basic personal information (including business contact information) for account management and billing purposes. The service also automatically collects IP address information, which is required for functional purposes, and is deleted within 24 hours. See our privacy notice for more information: www.optimalworkshop.com/legal-information-center/#privacy-notice

Data Deletion Request
You can request that your individual account be deleted at any time. If you would like to delete your account, complete the following form: https://privacyportal-apac.onetrust.com/webform/384b3150-f5d1-471c-9de5-a9c33914420b/018b8a6d-0210-4c45-81bb-345069fa88c5

If you would like to request deletion on behalf of your organisation, please complete the following form: https://privacyportal-apac.onetrust.com/webform/384b3150-f5d1-471c-9de5-a9c33914420b/aaef91e7-eda9-4527-a656-84b6b2c937b2

Sub-Processor Updates
You can subscribe to our sub-processor updates. If you would like to receive updates, please email our security team at privacy@optimalworkshop.com.

Reporting a security issue
If you discover a security issue, we ask that you report it to our security team using the email security@optimalworkshop.com. The team will be in contact to confirm receipt of your report and discuss the next steps towards addressing the issue. When you get in touch with our security team, please provide as much information as you can to help us investigate and replicate the issue: 

  • Any steps we can follow to reproduce the issue: target URLs, request/response pairs, screenshots.
  • Any suggestions to help us address the problem.
  • The device and browser version you were using when you identified the issue.


Are you a Security Researcher?
We do not have a "bug bounty programme". Whilst we offer our thanks to those working to improve the security of our service, we ask security researchers to refrain from testing or running automated tools against our service.

Security Documentation

The following documents are available on request:

Compliance
  • SOC 2 Type II Report (request access)

Penetration Tests
  • Annual Penetration Remediation Summary (request access)

Miscellaneous
  • Information Security Policies (request access)
  • Data Flow Diagram (request access)

Sub-processors

Similar to how researchers use the Optimal Workshop platform to improve how they deliver services, Optimal Workshop also makes use of other companies’ products and services to deliver the awesome experience you know and love. This page provides important information about the identity, location and role of each sub-processor we use.

In the course of our service delivery, Optimal Workshop may store some of your data with one of these sub-processors. For example, when you sign up for a webinar, you may enter your email address into our video conferencing software, Zoom.

Optimal Workshop has an established vendor management program in place. Before engaging with these vendors, due diligence is performed to analyse their privacy, security and compliance practices and to ensure they are in line with Optimal Workshop and industry best-practice standards, as well as with data protection regulations such as the General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act ("CCPA")/California Privacy Rights Act ("CPRA").

Subscribe to get our sub-processor updates.


Below is the list of the third-party sub-processors that Optimal Workshop uses:

Core Sub-processors

Sub-processor              | Sub-processor activity        | Data Location
Amazon Web Services (AWS)  | Infrastructure hosting        | United States
Bugsnag                    | Product defect management     | United States
Datadog                    | Performance monitoring        | United States
Intercom                   | Customer support ticketing    | United States
Skilljar                   | Learning Management System    | United States
Userpilot                  | Product Analytics             | United States
Windcave                   | Payment processing            | New Zealand

Internal tools

Sub-processor      | Sub-processor activity                        | Data Location
Atlassian          | Software development and collaboration tools  | Australia
DocuSign           | Customer and contract management              | United States
Gearset            | Backups                                       | United States
Gong               | Sales Enablement                              | United States
Google Analytics   | Web analytics                                 | United States
Google Workspace   | Productivity & collaboration tools            | United States
Hevo               | Extract, transform and load                   | United States
Holistics          | Business Intelligence                         | Germany
HubSpot            | Customer management and product analytics     | United States
LinkedIn           | Customer lifecycle management and marketing   | United States
Mailchimp          | Marketing automation                          | United States
OneTrust           | Data subject requests management              | United States & United Kingdom
Salesforce         | Customer relationship management              | Japan
Slack              | Internal collaboration tool                   | United States
Snowflake          | Data warehouse                                | United States
Xero               | Finance management                            | United States
Zapier             | Workflow management                           | United States
Zoom               | Video conferencing                            | United States

Research Tools

Sub-processor      | Sub-processor activity   | Data Location
Dovetail           | Customer research        | Australia

For additional information, please see our Privacy Notice, or email our Data Protection Officer at privacy@optimalworkshop.com.

Updates

Miscellaneous
Security Update: Log4j

Updated: 9 December 2021

On 9 December 2021 a vulnerability was identified in Log4j, a Java library for logging error messages in applications. Log4j is used by many servers, and the vulnerability could allow a malicious person to take full control of an affected server or mount a denial-of-service attack that takes the server down.

You can learn more about Log4j and the impacts of the identified vulnerability in this article.

Does Optimal Workshop use Log4j?
No, we can confirm that the Optimal Workshop platform does not use Log4j and therefore we are not affected by the identified issue.

Have any of your sub-processors been impacted by this issue?
No. We are able to confirm that our sub-processors have either already patched their services to protect themselves or have not been affected by the Log4j vulnerability.