Security at WorkCell

Your shop floor data is the record of your business. We build WorkCell so that data stays encrypted, isolated to your account, and reachable only by the people you authorize.

Data Hosting & Residency

WorkCell runs on managed cloud infrastructure hosted in the United States. Customer data, including your databases and uploaded files, is stored in US-based regions. We rely on providers that operate physically secured data centers with their own audited controls, so the underlying hardware, networking, and facility security are handled by infrastructure partners with established track records.

Encryption in Transit and at Rest

All traffic between your browser and WorkCell is encrypted over TLS. Data at rest, including your primary database and file storage, is encrypted using the disk and storage encryption provided by our infrastructure. Connections between WorkCell services and the database are encrypted as well, so your records are protected both while they move and while they sit at rest.

Access Controls

Inside your account, every user has a role, and roles determine what they can see and do. Sensitive actions are gated behind permissions rather than left open to anyone with a login. On our side, access to production systems is limited to the engineers who need it to operate the platform, and that access is granted on a least-privilege basis rather than handed out by default.

Single Sign-On

WorkCell supports single sign-on so your team can authenticate through your existing identity provider. This lets you centralize account provisioning and deprovisioning, enforce your own password and multi-factor policies, and remove access immediately when someone leaves, all from the identity tooling you already run. If you need SSO configured for your organization, reach out and we will work through it with you.

Tenant Isolation with Row-Level Security

WorkCell is multi-tenant, and we enforce isolation at the database layer using PostgreSQL row-level security. Every tenant-scoped table carries policies that restrict reads and writes to the account a request belongs to, so one customer's queries cannot reach another customer's rows. Because this is enforced in the database itself rather than only in application code, the boundary holds even if a query path is missed higher up the stack.
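
The database-level boundary described above, shown as an added PostgreSQL example; it is not WorkCell's schema or code. The table `work_orders`, the role `app_user` and the setting `app.account_id` are hypothetical names chosen for illustration.

```sql
-- Added example: hypothetical table, role and setting names (not WorkCell's schema).
-- Run as a superuser in a scratch database; the ROLLBACK at the end undoes everything.
BEGIN;

CREATE TABLE work_orders (
    id         bigserial PRIMARY KEY,
    account_id uuid NOT NULL,
    part_no    text NOT NULL
);

-- Constructed sample rows for two tenants, loaded before RLS is switched on.
INSERT INTO work_orders (account_id, part_no) VALUES
    ('11111111-1111-1111-1111-111111111111', 'A-100'),
    ('22222222-2222-2222-2222-222222222222', 'B-200');

-- ENABLE turns policies on; FORCE applies them to the table owner too.
ALTER TABLE work_orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE work_orders FORCE ROW LEVEL SECURITY;

-- USING filters the rows a statement can see; WITH CHECK rejects rows written
-- for another account. An unset or empty setting yields NULL, which matches no row.
CREATE POLICY tenant_isolation ON work_orders
    USING      (account_id = NULLIF(current_setting('app.account_id', true), '')::uuid)
    WITH CHECK (account_id = NULLIF(current_setting('app.account_id', true), '')::uuid);

-- The application role must not be a superuser or have BYPASSRLS: both skip policies.
CREATE ROLE app_user NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON work_orders TO app_user;
GRANT USAGE ON SEQUENCE work_orders_id_seq TO app_user;

SET LOCAL ROLE app_user;

-- No account bound to the request yet: the policy hides every row.
SELECT count(*) AS visible_rows FROM work_orders;

-- Bind the request to one account for this transaction only (third argument = local).
SELECT set_config('app.account_id', '11111111-1111-1111-1111-111111111111', true);

-- Only that account's rows are visible, even though the query has no WHERE clause.
SELECT account_id, part_no FROM work_orders;

-- A write aimed at another account's row matches nothing under the policy.
UPDATE work_orders SET part_no = 'tampered'
 WHERE account_id = '22222222-2222-2222-2222-222222222222';

ROLLBACK;
```

When connections are pooled, scoping the setting to the transaction, as here, keeps one request's account from carrying over to the next request on the same connection.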

In Progress

Working Toward

We want to be direct about what we have today and what we are still building. The items below are commitments on our roadmap. They are not in place yet, and we will not claim otherwise.

SOC 2 Type II

We are working toward a SOC 2 Type II audit. We are not SOC 2 certified today. As we formalize controls and engage an auditor, we will share progress and make the report available to customers under NDA once we have one.

Penetration Testing Cadence

We plan to establish a recurring, independent penetration-testing cadence with a third-party firm. A formal published cadence is not yet in place. Once it is, we will summarize scope and remediation timelines for customers who ask.

Uptime SLA and Status Page

We are building toward a published uptime SLA and a public status page for real-time and historical availability. We do not offer a contractual SLA or a live status page yet. We will announce both when they are ready.

Security Questionnaires

Evaluating WorkCell and need to complete a security review or vendor questionnaire? Get in touch and we will walk through our architecture and answer your team's questions directly.
