Security & Compliance

Coworker Security & Compliance Practices

Data Security is of utmost importance to the Coworker team - it's embedded in everything we do.

We're committed to ensuring the confidentiality, integrity, and availability of your data. Here is how we protect information and comply with industry standards and regulations.

1. Ongoing Auditing & Monitoring

Coworker works with Secureframe on auditing and compliance on an ongoing basis.

We recommend checking out the Coworker Trust Center, that outlines our continuous monitoring against SOC 2 Type 2 and GDPR standards across 50+ different controls.

2. Summary of Data Flow

We've included a high-level summary of our Data Ingestion & Security below. This summary should be viewed in concert with the Coworker Trust Center. We also have over 20+ more in-depth Security Policies that are available upon request from support@coworker.ai

Data Flow at Coworker

Approach Overview

Coworker in-house data ingestion pipelines. By not relying on external ELT SaaS products (e.g. Fivetran, Stitch), we are able to have better granularity over what data is imported, how it is processed, how it is stored, and most importantly, who has access to what.

Data Flow

How are credentials used for data connections handled

When a data connection is created, we will often require credentials, secrets, or OAuth. Sensitive data is handled as such no matter how the connection is created.

While the bulk of the configuration for a data connection is stored within a standard relational database (for example, what kind of connection, what frequency for the data sync, which streams to sync, etc.), sensitive fields are marked as such, and are stored separately.

Secrets are never stored in plain text, in any database, file, or log.

The data connection jobs are executed within a Kubernetes cluster, and sensitive data is only stored (as K8s secrets) within this cluster. The secrets are passed to the execution runtime using best security practices with Kubernetes deployments.

Access to the data connection cluster is heavily restricted with scoped IAM policies. Coworker uses Google Cloud Platform (GCP) as a cloud service provider, and here again, the best security practices are applied regarding IAM. These roles are regularly reviewed to make sure that only the relevant engineers have access to the infrastructure.

Data Streams: what gets synchronized

When initializing a data connection, you get to choose which data streams get synchronized. While Coworker may recommend default settings for business reasons (e.g. some pipelines require specific data to be useful for specific business purposes), Coworker clients have full control over what data is selected or unselected to be pulled from your sources.

How is the data stored

When Coworker synchronizes from client data sources, the raw data is stored in an ElasticSearch (ES) document store, deployed on GCP. All connections result in the creation of specific indexes (multiple ones, depending on how many streams were selected). The data for different customers is never commingled in any way, and is always stored in isolated indexes.

This ElasticSearch database is a sensitive internal database. Restrictive policies are applied on who may access it; only employees who require access to perform their job responsibilities have access, based on the principle of least privilege. The same IAM rules apply here, with role-based access control.

Who has access to the data

Very specific roles with restricted IAM policies, only the employees responsible for developing and maintaining the ELT infrastructure have access to the document store and the cluster.

What happens to the data

Clients connect their data to Coworker to leverage Coworker's product suite, including its Automation Engine and AI stack. Client data will not be shared with any external entity for any reason.

The Coworker Automation Engine is deterministic, auditable, and flexible, taking action on activity messages created from your data.

In addition to the core engine, some other custom features ensure that the data can never be shared with unauthorized parties. Role-based access control means only Coworker Clients (or the people authorized by Coworker Clients) have access to Ledger data.

No PII is ever written to the Coworker Ledger. Ledger accounts are pseudonymous, created alongside the main user ID.

Coworker, nor any sub-processor of Coworker trains AI models using customer data.

Data deletion

Coworker will remove synced client data immediately upon request. Coworker will not keep any copy of the synchronized data. Any individual user’s PII data may also be deleted upon request, in accordance with GDPR and similar regulations.

Security Operations

Coworker’s infrastructure is not exposed to the internet except for limited services whose business purpose requires them to be so. Core databases and document stores are kept on a private network, and Coworker maintains active security monitoring software to identify potential threats.

Should any issue involving Coworker Client data be identified, the client will be contacted and notified as soon as possible, and Coworker will use any and all means necessary to remediate the issue.

Employee access to the key parts of the infrastructure (especially databases) is IP-restricted, in combination with VPN access to reach the internal services. The engineer responsible for the infrastructure maintains the list of authorized IPs using Terraform on all Coworker environments.

Coworker requires the use of hardware multi-factor authentication keys wherever possible.

Ongoing Auditing & Monitoring

Coworker is committed to ensuring the confidentiality, integrity, and availability of your data. Here is how we protect information and comply with industry standards and regulations.

Coworker works with Secureframe on auditing and compliance on an ongoing basis. You can view the Coworker Trust Center here, that outline the continuous monitoring against SOC 2 Type 2 and GDPR standards across 50+ different controls.

Additional Information

Coworker maintains over 20 Security Policies available for request from support@coworker.ai