Legal

Security

The technical and organisational measures Workclave applies to protect customer data — encryption, authentication, access controls, audit logging, and incident response.

Last updated: June 2026Security questions? hello@mecverse.comDPDP CompliancePrivacy Policy
Encryption
In transit & at rest
Sessions
Short-lived & rotated
Audit logs
Append-only · 12 months

1. Encryption in transit

  • All communication between clients (web app, mobile app, API consumers) and Workclave is encrypted in transit using modern, industry-standard protocols. Outdated, insecure protocols are rejected.
  • Strict transport security is enforced across all production domains.
  • Authentication tokens and session credentials are transmitted only over encrypted channels and are never placed in URLs.

2. Encryption at rest

  • Customer data is encrypted at rest across databases, file storage, and backups using strong, industry-standard encryption.
  • Particularly sensitive information, such as bank details, receives an additional layer of application-level encryption so it stays protected even against direct database access.
  • Encryption keys are centrally managed and rotated on a regular schedule, with backups protected by separate keys.

3. Authentication and session management

  • Sessions use short-lived access tokens paired with refresh tokens that rotate on use and are invalidated on logout.
  • Passwords are stored using a strong, salted one-way hashing function. Plaintext passwords are never stored or logged.
  • Magic-link and OTP-based sign-in options are available, using single-use, short-expiry codes.
  • Repeated failed sign-in attempts trigger back-off and temporary lockout to defend against credential stuffing.
  • Session cookies are configured with hardened browser security attributes to reduce cross-site scripting and request-forgery risk.

4. Access controls

  • Workclave enforces role-based access control across workspace operations, so people only see the data their role requires. Sensitive data such as payroll is restricted to authorised roles.
  • Production and infrastructure access is limited to a named set of personnel and requires multi-factor authentication.
  • Access is granted on a least-privilege basis. Staff receive only the access needed for their function.
  • Access rights are reviewed periodically, and individuals who leave or change roles are deprovisioned promptly.

5. Audit logging

  • Authentication events are logged with the metadata needed to investigate suspicious activity.
  • Access to sensitive data and administrative actions is recorded in an append-only audit log capturing who did what and when.
  • Audit logs are retained for 12 months and are available for compliance review on request.
  • Log integrity is protected — entries cannot be altered or removed through ordinary application operations.

6. Infrastructure and network security

  • Workclave runs on reputable cloud infrastructure with network segmentation between application, data, and supporting services.
  • Public-facing services sit behind a web application firewall tuned to block common attack patterns.
  • Rate limiting is applied to public endpoints, with stricter limits on authentication to deter brute-force attacks.
  • Dependencies are continuously scanned for known vulnerabilities and patched on a prioritised basis.

7. Application security

  • Workclave follows secure-coding practices. Common vulnerability classes are checked during code review.
  • User-supplied input is validated server-side before it reaches the database or is rendered in a response.
  • Security headers are applied across the application, and third-party scripts are limited to trusted, allow-listed sources.
  • Requests with unexpected or malformed fields are rejected before reaching business logic.

8. Employee and contractor security

  • Staff and contractors with access to production systems undergo verification before access is granted.
  • Security awareness training is conducted at onboarding and refreshed periodically.
  • Devices used for work must meet baseline security requirements, including disk encryption and screen lock.
  • Staff are prohibited from storing customer data on personal devices or unapproved services.

9. Incident response

  • Workclave maintains a documented incident response plan covering detection, triage, containment, recovery, and post-incident review.
  • Incidents are classified by severity, with critical incidents escalated immediately for round-the-clock response.
  • In the event of a confirmed personal data breach, affected customers are notified without undue delay, and within 72 hours, with the nature, scope, and remediation steps.
  • Post-incident reviews are conducted for major incidents, and findings are documented and acted on.

10. Vulnerability disclosure

  • If you discover a security vulnerability in Workclave, please report it responsibly to hello@mecverse.com with the subject line 'Security Disclosure'.
  • We ask that you not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate.
  • We acknowledge valid reports within 2 business days, provide a status update within 7 days, and notify you when the issue is resolved.
  • We do not pursue legal action against researchers who act in good faith and follow responsible disclosure principles.

11. Data deletion and portability

  • Individuals can export the personal data we hold about them at any time from Settings → Privacy & Data, and request erasure of their account. The mobile app offers the same.
  • On subscription cancellation or account closure, customer data is retained for a short grace period to allow final export, then permanently deleted from production systems and backups.
  • Consent is captured at sign-up, and an automated process continuously removes data that has passed its retention window — including expired records, deleted accounts, and aged audit logs.
  • Deletion requests outside the standard flow can be submitted to help@mecverse.com and are completed within 30 days, confirmed in writing.

12. Third-party security and subprocessors

  • Subprocessors handling customer personal data are evaluated for security posture before onboarding, including their certifications, data protection terms, and breach commitments.
  • Workclave does not sell customer data. Subprocessors receive only the minimum data required to perform their function.
  • A current list of subprocessors is available on request at hello@mecverse.com.

Found a vulnerability? Report it responsibly to hello@mecverse.com — we acknowledge within 2 business days.