01 Workzoom technology platform

Architecture and security, by the receipt.

Workzoom is a cloud-based platform built on a proprietary multi-tier Java architecture, hosted on Amazon Web Services data centers in Canada and the United States. Every client has an isolated database schema and document repository. Data at rest is encrypted with AES-256. Data in transit is encrypted with TLS 1.2 over 2048-bit certificates. The hosting facilities carry SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, ISO 9001, PCI DSS Level 1, FedRAMP, HITRUST CSF, NIST, FIPS, PIPEDA, and CSA certifications. Below: every signal, with the SLA, the incident-response procedure, and a downloadable whitepaper.

Why teams trust Workzoom

  • Since 2000. Workzoom has run Canadian payroll for 25+ years.
  • Canadian data residency, AWS Canada (ca-central-1). Canadian customer data stays in Canada.
  • SOC 2-aligned controls. Encrypted at rest, role-based access, immutable audit logs.
  • County of Renfrew, Silvera for Seniors, Cable Bahamas. 50 to 5,000 employee organizations.
  • 14: data-center certifications inherited from AWS Tier IV facilities
  • AES-256: encryption at rest. TLS 1.2 over 2048-bit certificates in transit.
  • 100 km: minimum distance between primary servers and off-site replicated backups
  • 4 hr: response SLA for Critical (CVSS 9.0+) vulnerabilities

02 Hosting and certifications

AWS Tier IV data centers. Canadian or US residency.

Workzoom is hosted on Amazon Web Services data centers in Canada and the United States. All facilities are Tier IV. Clients choose data residency at onboarding. Workzoom uses AWS Global Accelerators and Edge Computing to route traffic to endpoints nearest each client.

SOC
  • SOC 1: Financial reporting controls
  • SOC 2: Trust services criteria
  • SOC 3: Public attestation

ISO
  • ISO 27001: Information security management
  • ISO 27017: Cloud-specific security
  • ISO 27018: Cloud personal-data protection
  • ISO 9001: Quality management

Government and frameworks
  • PCI DSS Level 1: Payment card data security
  • FedRAMP: US federal cloud authorization
  • HITRUST CSF: Healthcare information security
  • NIST: US cybersecurity framework
  • FIPS: US federal cryptographic standards

Privacy and cloud
  • PIPEDA: Canadian personal-information protection
  • CSA: Cloud Security Alliance

All certifications above are held at the data-center level by Amazon Web Services and apply to the infrastructure Workzoom runs on. Workzoom's own application layer is built and operated against these standards. AWS publishes the underlying audit reports under their Customer Compliance Program; Workzoom can share AWS SOC 1, SOC 2, SOC 3, and ISO 27701 reports under NDA on request via security@workzoom.com.

03 System architecture

Multi-tier Java, multi-threaded, isolated per client.

Workzoom is a proprietary platform written in Java on Tomcat web servers running on hardened Linux. Persistent data lives in MySQL. Documents and media live in MongoDB. Every client has their own database schema and their own document repository instance, isolated from every other client.

Per-client isolation

One schema per client. One document repository per client.

Application software, web resources, meta-data, and common content are held outside the per-client databases and shared across the platform. Every byte of client-specific data sits inside an isolated instance. Backup, recovery, and access policies all attach at the per-client level.

Self-healing cluster

Auto-scaling, multi-AZ, intelligent clustering.

Workzoom is powered by an intelligent clustering infrastructure that uses auto-scaling and self-healing across multiple AWS Availability Zones. No single data-center incident takes the application down. Refreshable memory and file caches are used to maintain top performance under load.

Private Data Cloud (optional)

Physical data isolation on a dedicated database instance.

Clients that require physical isolation can subscribe to the Workzoom Private Data Cloud. Data at rest is encrypted with separate keys stored in a key management server. No other client data resides on the server. The private network is closed to all outside connections except through an authorized Workzoom VPN, and a VPC Peering Connection secures communication between the private cloud and the Workzoom application servers.

Network edge

AWS Global Accelerator + Edge Computing.

Traffic is routed to the AWS endpoint nearest the client via AWS Global Accelerator and Edge Computing. Result: minimal latency for clients in Canada, the United States, the Caribbean, and the United Kingdom, without compromising the underlying data-residency choice.

04 Replication, backup, recovery

100 km minimum distance. 24-hour maximum data exposure.

  • 100 km: Minimum distance between primary, replica, and off-site backup
  • 24 hrs: Maximum data exposure, worst case
  • 5 min: Fastest recovery; up to 8 hours in a major incident
  • Daily: Encrypted off-site backups; last 5 retained on-site

Real-time replication. Workzoom uses real-time replication for client data across different AWS Availability Zones with a minimum distance of 100 km between the primary and replica, to mitigate environmental and infrastructure-related failures.

Daily encrypted backups, off-site. Encrypted backups are taken daily and stored securely off-site at a minimum distance of 100 km from the primary server locations. More frequent backup options are available based on client requirements. The last 5 backups are also retained on-site.

Recovery posture. In the event of an incident or server failure, clients are switched to the replication environment. In the worst case, data is recovered from the last daily backup. Because Workzoom application servers use intelligent clustering across multiple Availability Zones at all times, no application downtime occurs in the event of a single-data-center incident. In the event of a major incident: maximum data exposure 24 hours; recovery time normally between 5 minutes and 8 hours, depending on the size and volume of restoration required.

05 Encryption, authentication, SSO

AES-256 at rest. TLS 1.2 in transit. Federated SSO via SAML 2.0.

Data at rest

Advanced Encryption Standard (AES-256).

All client data at rest is encrypted with AES-256. In the Private Data Cloud option, encryption keys are managed in a separate key management server with no shared key material across clients.

Data in transit

TLS 1.2 over 2048-bit certificates.

All data in transit is encrypted using TLS 1.2 over TCP/IP with 128-bit or stronger encryption, a 2048-bit certificate, and strong cipher suites. Servers refuse connection requests from browser or operating system combinations that do not support TLS 1.2.

Passwords

Salted hashing with key stretching (PBKDF2).

Passwords are hashed with the PBKDF2WithHmacSHA1 algorithm, which combines salted password hashing with key stretching. This protects against dictionary, rainbow-table, and brute-force attacks: the salt defeats precomputed tables, and key stretching raises the cost of each guess. A default password policy is in place and is configurable per client (attempts before lock-out, duration, format and length, reset process).

Single sign-on

SAML 2.0 federation with Azure AD, OneLogin, Okta.

Workzoom supports federated authentication via SAML 2.0. Native integrations with Microsoft Entra ID (formerly Azure AD), OneLogin, and Okta. Other SAML 2.0 identity providers integrate via the standard protocol. Multi-factor authentication is enforced on all administrator and infrastructure-level access.

06 Access management and logging

Role-based. Field-level. Sarbanes-Oxley compliant logging.

Role-based access control, down to the field

Access control in Workzoom is primarily role-based. Because the platform is built around HR, every user has a pre-defined role and responsibilities built into their job and position definition. The same role definition drives security: a user's role defines exactly what data they can view, add, update, or remove. When an exception is required, security can be applied at the individual user or group level, down to a single field if necessary.

Workzoom controls four dimensions of access independently:

  • Who: Can log in, with start and end dates
  • Subjects: What they can access
  • Tasks: What they can perform
  • Data: View, add, update, or remove

Activity logging compliant with Sarbanes-Oxley

All logins and session activities are logged. For every login, action, or change, the application records the user, the process, the timestamp, the IP address, the original value, and the new value. Logging procedures are compliant with Sarbanes-Oxley requirements.

Workzoom staff access to client data

Access to client data is restricted to individuals who support the client. Every Workzoom employee signs a non-disclosure agreement and a code of ethics and is subject to background and criminal record checks as part of the new-hire process.

All Workzoom servers are isolated on their own VPC. Access to Workzoom servers is available only to a very limited set of authorized personnel, only through a VPN tunnel with TLS 1.2 ciphers and SHA-256 key exchange, with AES-256 encryption of all data inside the tunnel. Web consoles and administrator accounts require multi-factor authentication using rotating access tokens. All VPN connection data is logged, and alerts fire on failed authentication attempts. All client data is securely removed from the cloud and from internal computers at the end of every engagement.

07 Security framework

Minimal attack surface. Least privilege. SELinux-hardened.

Attack-surface minimization

VPC + security groups close all external ports beyond HTTPS.

Workzoom servers reside in Virtual Private Clouds with security groups that close every external TCP and UDP port beyond HTTPS. All communication between Workzoom services is limited to within the secure VPC.

Least privilege

Root access disabled. Sudo logged and monitored.

Root access on Workzoom servers is disabled. Elevated user privileges are strictly limited. All sudo-level commands are logged and monitored using industry-standard tools.

Privilege separation

SELinux-hardened with process isolation.

Privilege separation is enforced via server hardening with SELinux. Process isolation ensures users and applications can only operate in areas and directories absolutely necessary to their function. Data backup tools, for example, are only granted read-only privileges, and only to the relevant databases.

Vulnerability management

Scanning, pen testing, layered firewalls, monitoring.

Workzoom runs a comprehensive vulnerability management program: vulnerability scanning, penetration testing, hardware/software/application firewalls, comprehensive monitoring, logging, auditing, event management, and virus, trojan, and malware protection.

08 Vulnerability response SLA

Documented response and resolution times by CVSS 3.1 severity.

Workzoom uses the Common Vulnerability Scoring System (CVSS) version 3.1 to rate potential vulnerabilities. The SLA below applies from the moment Workzoom becomes aware of a vulnerability in the Workzoom platform, or from the moment a third-party vendor confirms a fix for an upstream component.

CVSS Base Score | Response Time | Resolution Time
9.0+ (Critical) | 4 hours or less | 80% resolved within 1 business day
7.0–8.9 (High) | 1 business day or less | 80% resolved within 5 business days
4.0–6.9 (Medium) | 5 business days or less | 80% resolved within 25 business days
0.1–3.9 (Low) | Next regular release cycle | Bundled with the next scheduled release

09 Incident response

Seven-step procedure, 24/7 monitoring.

Advanced monitoring is in place at the hardware, database, and application level. Hardware is monitored for data integrity, resource consumption, and network failure. Real-time replication and application availability are monitored 24/7, with alerts routed immediately to technical personnel. The procedure below executes on every confirmed security or privacy incident.

  1. Immediate escalation: Security and senior management are informed within minutes of detection.
  2. Critical Incident Report: A report is started and tracked through resolution.
  3. Scope and severity: The Information Security Team assesses how far and how serious the incident is.
  4. Client communication: Affected clients are emailed, scaled to the scope and severity.
  5. Containment and restoration: Immediate action to contain, restore availability, and prevent recurrence.
  6. Post-incident review: Root-cause analysis and risk mitigation are documented and applied.
  7. Per-client recovery: If data is lost, clients get individual recovery plans.

10 Client penetration tests

Clients can run their own pen tests. Here is the policy.

Clients may conduct penetration tests and vulnerability assessments against Workzoom, either internally or through a third-party security firm, with Workzoom's prior approval. The policy:

  • 14 days advance notice of any testing, with a detailed outline of testing procedures and schedule.
  • Signed NDA from all parties involved before testing begins.
  • Un-redacted results related to Workzoom technologies provided within 7 days of testing completion.
  • Workzoom reserves the right to restrict testing scope, timing, methodology, or supplier where necessary to protect other clients in the multi-tenant environment.

Submit a pen test request to security@workzoom.com with the testing window, scope, and the firm performing the assessment.

11 Maintenance and release cycle

Most maintenance runs in the background. ~5 minutes weekly.

Weekly maintenance: a server restart of approximately five minutes. Most maintenance runs in the background with no client-visible impact.

Releases: a new Workzoom release ships approximately every two months. The release is staged in the background and activated after the regular server restart. Quarterly updates run off-hours over a weekend with minimal downtime.

Major releases: upgrades to a new major release are planned events. Workzoom provides clients a window of opportunity that suits their business cycle (avoiding active payroll runs, for example). All clients must be on the current release or the immediately previous release.

Sandbox: clients on a secondary Sandbox environment can preview an upcoming release for their own testing before production cutover.

Patching: OS-level and third-party application vulnerabilities deemed high-risk are tested and applied within timeframes appropriate to the assessed risk. All updates are tested on internal development and sandbox servers before production deployment.

For your security review team

Workzoom Architecture & Security Whitepaper

8-page PDF. Full architecture, hosting, certifications, encryption, replication, security framework, access management, vulnerability response, incident procedure, maintenance cycle, and pen-test policy. Cleared for distribution to your IT and security review teams without further NDA.

12 FAQ

Workzoom security: common questions.

Is Workzoom SOC 2 compliant?

Workzoom is hosted on AWS infrastructure, which holds SOC 1, SOC 2, and SOC 3 audit attestations. Workzoom inherits these certifications at the infrastructure layer. AWS publishes the underlying SOC reports under its Customer Compliance Program. Workzoom can share the AWS SOC 2 report under NDA on request. The Workzoom application layer is built and operated against the same control families. Email security@workzoom.com with your due-diligence request.

Where is Workzoom client data stored?

Workzoom client data is hosted on Amazon Web Services Tier IV data centers in Canada or the United States, selectable at onboarding. Clients in Canada can elect Canadian data residency under PIPEDA. Clients in the United States can elect US data residency. Data does not leave the chosen jurisdiction. Backup replicas remain in the same jurisdiction as the primary, at least 100 km from the primary servers.

How does Workzoom isolate one client's data from another?

Every Workzoom client has its own database schema and its own document repository instance. Application software, web resources, meta-data, and common content sit outside the per-client databases and are shared. Client-specific data is isolated end to end. For clients that require physical isolation, Workzoom offers a Private Data Cloud subscription that provides a dedicated database instance with separate encryption keys held in a key management server.

What encryption does Workzoom use?

Data at rest is encrypted with AES-256. Data in transit is encrypted with TLS 1.2 over 2048-bit certificates with strong cipher suites. Passwords are hashed with the PBKDF2WithHmacSHA1 algorithm using salted hashing with key stretching. Workzoom servers refuse connection requests from browsers or operating systems that do not support TLS 1.2.

Does Workzoom support single sign-on?

Yes. Workzoom supports federated authentication via SAML 2.0. Native integrations include Microsoft Entra ID (formerly Azure AD), OneLogin, and Okta. Any other SAML 2.0 identity provider integrates through the standard protocol. Multi-factor authentication is enforced on all administrator and infrastructure-level access.

Can our security team run a penetration test against Workzoom?

Yes, with prior approval. The policy requires 14 days advance notice, a detailed outline of testing procedures and schedule, a signed NDA from all parties, and un-redacted results related to Workzoom technologies within 7 days of completion. Submit requests to security@workzoom.com. Workzoom reserves the right to restrict scope, timing, or methodology to protect other clients in the multi-tenant environment.

What is Workzoom's vulnerability response SLA?

Workzoom uses CVSS 3.1 to score vulnerabilities and commits to documented response and resolution times. Critical (9.0+): 4 hours or less to respond, 80% resolved within 1 business day. High (7.0–8.9): 1 business day to respond, 80% resolved within 5 business days. Medium (4.0–6.9): 5 business days to respond, 80% resolved within 25 business days. Low (0.1–3.9): bundled with the next scheduled release.

How much downtime should we expect?

Weekly maintenance is approximately a 5-minute server restart. Most maintenance runs in the background. New releases ship roughly every two months and are activated after the regular weekly restart. Major releases are scheduled events that avoid critical client business cycles (active payroll runs, fiscal close). In the event of a major incident, recovery time is normally 5 minutes to 8 hours and maximum data exposure is 24 hours.

Need more for your security review?

Workzoom can share the AWS SOC 2 report, ISO 27701 certificate (valid through November 2028), and the SOC continued-operations letter under NDA. We respond to security questionnaires from RFPs, healthcare procurement, and Indigenous government buyers on the same day.