Security Overview

Introduction

Work for Impact’s users trust us with many projects and ideas every month. As a company, we are committed to meeting their data protection and data security needs. This page presents an overview of our practices and policies, which help us keep your personal information safe and secure. We will expand and update this information as we make new security improvements to our platform.

Security Program

We employ a dedicated security specialist to oversee and upgrade our technical, operational, and organizational measures to protect users, assets, and employees against unauthorized or accidental data access, loss, alteration, disclosure, or destruction. Our security specialist also ensures that we comply with industry-standard privacy and security practices and with all applicable data privacy and security laws and regulations.

Access Control

Authentication

We maintain a strict password policy across the organization. Every employee uses a password manager, and we regularly audit passwords for strength and reuse. We also use multi-factor authentication and single sign-on services wherever possible.

Authorization

We store customer data in multi-tenant storage systems. Users cannot directly access the underlying application infrastructure. Access to sensitive data is role-based, granted on a need-to-know basis and only for specific purposes.

Employee access

A limited number of trained employees have access to the products and to customer data via controlled interfaces. Employees are granted access by role, and we log all such access requests.

Environment security

We separate the development, testing, and production environments. For our cloud services, we use Google Cloud. You can read more about Google Cloud Platform security in Google's own documentation.

Employee Training

All our team members and contractors undergo privacy and security training during onboarding and sign confidentiality or non-disclosure agreements. Access rights are reviewed periodically and are revoked when an employee's engagement is terminated.

Preventing Unauthorized Infrastructure Access

Physical and environmental security

Our platform is hosted by Heroku, a multi-tenant, outsourced infrastructure provider. Heroku has been audited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate

Third-party processing

Our vendors are rigorously vetted for privacy and security compliance during and after their engagement with us. Each of our service providers has signed a Data Processing Agreement ('DPA'). This ensures that their service is provided in accordance with all applicable privacy laws and the WFI Privacy Policy.

Network security

We use the following network security controls:

  • Virtual Private Cloud (VPC)
  • VPN
  • Security group assignment
  • Firewall rules
  • Web Application Firewall (WAF)

Testing and bug hunting

We regularly undertake penetration testing, and penetration test reports are available to users on request. We also run a bug bounty program and actively encourage all users to report issues with the platform.

Transmission Control

All data is encrypted in transit and at rest. We use standard encryption protocols (e.g., TLS 1.2 or later for data in transit), and our UI is available only over a secure HTTPS connection.

Input Control

Detection

We maintain logs of system behaviour and network traffic. Our team treats privacy as its top priority and responds swiftly to incident reports.

Tracking and response

We maintain a record of known security incidents and take appropriate steps to minimize damage to the product and to customers and to prevent unauthorized disclosure. In the case of an incident, we will notify our users in accordance with the Terms of Service.

Availability Control

Work for Impact aims for 99.9% uptime of the infrastructure. In addition, we maintain policies and procedures to ensure that we continue to provide business-critical functions in the face of an extraordinary event. These policies include:

  • data center resiliency and disaster recovery procedures for business-critical data and processing functions,
  • backup and replication strategies,
  • regularly tested rollbacks,
  • redundancy and seamless fail-over.

Compliance & Certification

GDPR

We use Cookie Control from Civic to comply with obligations under the GDPR and ePrivacy Directive.

Tracking and response

We use KnowBe4 for phishing tests and employee security education.