WorkflowHero

Compliance

Built with security and compliance standards in mind from day one.

Compliance Standards

WorkflowHero is built on AWS infrastructure that meets rigorous compliance standards. While we don't claim specific certifications, our platform is designed to support your compliance requirements.

AWS Compliance Foundation

By leveraging AWS services, WorkflowHero benefits from industry-leading compliance programs:

  • SOC 2 Type II: AWS data centers are SOC 2 Type II certified for security, availability, and confidentiality
  • ISO 27001: Information security management system standards
  • PCI DSS: Payment processing through Stripe (PCI DSS Level 1 certified)

GDPR Readiness

WorkflowHero implements features to support GDPR compliance:

  • Right to Access: Users can export their data at any time
  • Right to Deletion: Complete data removal upon request
  • Data Minimization: We only collect necessary information
  • Consent Management: Clear terms of service and privacy policy
  • Data Portability: Export data in standard formats
  • Breach Notification: Procedures for timely notification of data breaches

HIPAA Considerations

Important

While WorkflowHero is built with security best practices and runs on HIPAA-eligible AWS infrastructure, we have not completed HIPAA certification. If you handle Protected Health Information (PHI), please contact us to discuss your specific requirements.

Security Features for Compliance

WorkflowHero includes features to help you meet your compliance obligations:

  • Audit Trails: Complete logging of all workflow actions, approvals, and data changes
  • Access Controls: Role-based permissions and organization isolation
  • Encryption: TLS 1.3 in transit and AES-256 at rest
  • Document Classification: Confidentiality levels (Public, Internal, Confidential, Restricted)
  • Digital Signatures: Timestamped approval signatures with IP tracking

Data Residency

Your data is stored in AWS data centers:

  • Primary region: US East (N. Virginia)
  • Backup and disaster recovery in multiple AWS regions
  • Data does not leave AWS infrastructure
  • Enterprise customers can request specific region preferences

Vendor Security

We carefully vet all third-party services:

  • AWS: SOC 2, ISO 27001, and numerous other certifications
  • Stripe: PCI DSS Level 1 certified for payment processing
  • MongoDB: Industry-standard security practices
  • All vendors undergo security assessments before integration

Your Responsibilities

Compliance follows a shared responsibility model: WorkflowHero secures the platform, and your organization is responsible for how it is configured and used.

Your Organization's Responsibilities:

  • Properly classify sensitive data using confidentiality levels
  • Assign appropriate roles and permissions to team members
  • Train users on security best practices
  • Maintain strong passwords and enable MFA when available
  • Review audit logs regularly
  • Report security concerns promptly

Continuous Improvement

We continuously improve our security and compliance posture:

  • Regular security assessments and penetration testing
  • Monitoring of security advisories and patches
  • Employee security training programs
  • Incident response procedures and drills
  • Continuous monitoring and alerting

Need Compliance Documentation?

Contact us at craftycrackle@craftycrackle.onmicrosoft.com for compliance documentation, security questionnaires, or to discuss your specific regulatory requirements.