Legal
Security
The technical and organisational measures Workclave applies to protect customer data — encryption, authentication, access controls, audit logging, and incident response.
Encryption
In transit & at rest
Sessions
Short-lived & rotated
Audit logs
Append-only · 12 months
1. Encryption in transit
- All communication between clients (web app, mobile app, API consumers) and Workclave is encrypted in transit using modern, industry-standard protocols. Outdated, insecure protocols are rejected.
- Strict transport security is enforced across all production domains.
- Authentication tokens and session credentials are transmitted only over encrypted channels and are never placed in URLs.
2. Encryption at rest
- Customer data is encrypted at rest across databases, file storage, and backups using strong, industry-standard encryption.
- Particularly sensitive information, such as bank details, receives an additional layer of application-level encryption so it stays protected even against direct database access.
- Encryption keys are centrally managed and rotated on a regular schedule, with backups protected by separate keys.
3. Authentication and session management
- Sessions use short-lived access tokens paired with refresh tokens that rotate on use and are invalidated on logout.
- Passwords are stored using a strong, salted one-way hashing function. Plaintext passwords are never stored or logged.
- Magic-link and OTP-based sign-in options are available, using single-use, short-expiry codes.
- Repeated failed sign-in attempts trigger back-off and temporary lockout to defend against credential stuffing.
- Session cookies are configured with hardened browser security attributes to reduce cross-site scripting and request-forgery risk.
4. Access controls
- Workclave enforces role-based access control across workspace operations, so people only see the data their role requires. Sensitive data such as payroll is restricted to authorised roles.
- Production and infrastructure access is limited to a named set of personnel and requires multi-factor authentication.
- Access is granted on a least-privilege basis. Staff receive only the access needed for their function.
- Access rights are reviewed periodically, and individuals who leave or change roles are deprovisioned promptly.
5. Audit logging
- Authentication events are logged with the metadata needed to investigate suspicious activity.
- Access to sensitive data and administrative actions is recorded in an append-only audit log capturing who did what and when.
- Audit logs are retained for 12 months and are available for compliance review on request.
- Log integrity is protected — entries cannot be altered or removed through ordinary application operations.
6. Infrastructure and network security
- Workclave runs on reputable cloud infrastructure with network segmentation between application, data, and supporting services.
- Public-facing services sit behind a web application firewall tuned to block common attack patterns.
- Rate limiting is applied to public endpoints, with stricter limits on authentication to deter brute-force attacks.
- Dependencies are continuously scanned for known vulnerabilities and patched on a prioritised basis.
7. Application security
- Workclave follows secure-coding practices. Common vulnerability classes are checked during code review.
- User-supplied input is validated server-side before it reaches the database or is rendered in a response.
- Security headers are applied across the application, and third-party scripts are limited to trusted, allow-listed sources.
- Requests with unexpected or malformed fields are rejected before reaching business logic.
8. Employee and contractor security
- Staff and contractors with access to production systems undergo verification before access is granted.
- Security awareness training is conducted at onboarding and refreshed periodically.
- Devices used for work must meet baseline security requirements, including disk encryption and screen lock.
- Staff are prohibited from storing customer data on personal devices or unapproved services.
9. Incident response
- Workclave maintains a documented incident response plan covering detection, triage, containment, recovery, and post-incident review.
- Incidents are classified by severity, with critical incidents escalated immediately for round-the-clock response.
- In the event of a confirmed personal data breach, affected customers are notified without undue delay, and within 72 hours, with the nature, scope, and remediation steps.
- Post-incident reviews are conducted for major incidents, and findings are documented and acted on.
10. Vulnerability disclosure
- If you discover a security vulnerability in Workclave, please report it responsibly to hello@mecverse.com with the subject line 'Security Disclosure'.
- We ask that you not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate.
- We acknowledge valid reports within 2 business days, provide a status update within 7 days, and notify you when the issue is resolved.
- We do not pursue legal action against researchers who act in good faith and follow responsible disclosure principles.
11. Data deletion and portability
- Individuals can export the personal data we hold about them at any time from Settings → Privacy & Data, and request erasure of their account. The mobile app offers the same.
- On subscription cancellation or account closure, customer data is retained for a short grace period to allow final export, then permanently deleted from production systems and backups.
- Consent is captured at sign-up, and an automated process continuously removes data that has passed its retention window — including expired records, deleted accounts, and aged audit logs.
- Deletion requests outside the standard flow can be submitted to help@mecverse.com and are completed within 30 days, confirmed in writing.
12. Third-party security and subprocessors
- Subprocessors handling customer personal data are evaluated for security posture before onboarding, including their certifications, data protection terms, and breach commitments.
- Workclave does not sell customer data. Subprocessors receive only the minimum data required to perform their function.
- A current list of subprocessors is available on request at hello@mecverse.com.
Found a vulnerability? Report it responsibly to hello@mecverse.com — we acknowledge within 2 business days.