Security & Disclosure Policy
Security Policy
Keeping our customers' data safe is our #1 priority. We take vulnerability disclosure seriously and work hard to protect our customers and their data.
SoWork believes that no technology is perfect and that working with skilled security researchers across the globe is crucial to identifying weaknesses in any technology.
If you would like to report a vulnerability or have any security concerns, please contact security@sowork.com.
Disclosure Policy
If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at security@sowork.com. We will acknowledge your email within one week.
Include a proof of concept, a list of the tools used (including versions), and the output of those tools. We take all disclosures very seriously. Once a disclosure is received, we rapidly verify the vulnerability before taking the necessary steps to fix it.
Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
Thank you for helping keep SoWork and our users safe!
Exclusions
While researching, we'd like to ask you to refrain from:
Denial of service
Spamming
Social engineering (including phishing) of SoWork staff or contractors
Any physical attempts against SoWork property or staff
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Security Commitments
We have an Information Security Program in place that is communicated throughout the organization and follows industry best practices. Our organization undergoes independent third-party assessments to test our security and compliance controls, including annual third-party penetration testing to ensure that the security posture of our services remains uncompromised.
Roles and responsibilities related to our Information Security Program and the protection of our customers' data are well-defined and documented. Our team members are required to review and accept all security policies and to undergo security awareness training that covers industry-standard practices and information security topics such as phishing and password management. Additionally, all team members sign and adhere to a confidentiality agreement prior to their first day of work, and we perform background checks on all new team members in accordance with local laws.
All of our services are hosted with Amazon Web Services (AWS) and Google Cloud Platform (GCP), which employ robust security programs with multiple certifications. All of our customer data is located in the United States and encrypted at rest. Our applications use TLS/SSL encryption in transit, and we perform regular vulnerability scanning and active monitoring for threats. To ensure business continuity and disaster recovery, we use our data hosting providers' backup services and monitoring systems to alert the team to any failures affecting users. Access to cloud infrastructure and sensitive tools is limited to authorized employees and protected with Single Sign-On (SSO), 2-factor authentication (2FA), and strong password policies where available. We follow the principle of least privilege for identity and access management, perform quarterly access reviews, and enforce stringent password requirements.
We conduct annual risk assessments to identify potential threats, including fraud, and perform vendor risk management reviews before authorizing new vendors. If you have any questions, comments, or concerns, or if you wish to report a potential security issue, please contact security@sowork.com.