We take the security and privacy of our customers' data very seriously and in this document outline the measures in place to provide you with peace of mind, knowing that we ensure the security and integrity of all collected data. We have gone above and beyond to ensure the infrastructure and apps that we bring you are secure and are rigorously and consistently tested for vulnerabilities.
WorkStatz meets the criteria contained within the Protection of Personal Information Act (PoPI), which governs the right to privacy, including the unlawful collection, retention, dissemination and use of personal information. WorkStatz only tracks active screen time during working hours, recording only the time spent and the application name, file name or website name. We have no visibility into the actual contents of those applications, files or websites and therefore do not store that information on WorkStatz servers, meeting the requirements of PoPI to protect the private data of your employees. WorkStatz also does not process any credit card or banking information of your employees; the only employee data it receives is the names provided by your company upon setup.
The data stored in WorkStatz belongs to you and is accessed by your authorised personnel only. We do not view or access any information that may be collected by your account unless authorised by an approved administrator for troubleshooting purposes.
Machines and users are uniquely identified by the use of 3 distinct aspects that are uniquely hashed. A token is then generated once those hashed validation criteria have been verified. A secure middleware system is in place that validates each packet that is sent based on the token, to deter fraudulent packets sent from unauthorised users.
The data is encrypted using a custom-designed encryption algorithm and transmitted over a secure channel to our database. We use HTTPS (SSL/TLS) channels to ensure data security, and multiple certificates are used during data transit. The database is secured behind a firewall that only allows access from our API through an encrypted channel. Our database has a strict replication and backup schedule to ensure data integrity, and the dashboard also makes use of SSL/TLS channels for data retrieval.
The User Agent has been certified by Sectigo (previously known as Comodo), and a thorough company validation has been completed to ensure that our software complies with Microsoft standards. We have also been registered as a Known Publisher through Microsoft. We have a team that researches vulnerabilities daily so that we can update our software with the latest patches in line with Microsoft's security updates. Our system is constantly enhanced to keep our clients' information safe and secure.
All servers managed by us are monitored 24/7 for all critical services and hardware health. Our system administrators respond to monitoring alerts as they are raised and escalate issues to data centre staff or platform engineers.
Our network is multi-homed with multiple uplinks per data centre via at least two Tier 1 upstream providers and peering partners. Should a network failure occur, traffic is automatically rerouted via alternate uplinks, significantly increasing our network resilience. Connectivity is provided through diverse, redundant fibre routes connecting the facility to a 10 Gbps fibre ring.
Network-level security consists of three main components:
A DDoS detection and mitigation system is deployed in our data centres. DDoS attack traffic is diverted to a filter/scrubbing server that can distinguish between valid and malicious traffic. Malicious traffic is scrubbed off while valid traffic is re-injected into the network, so the targeted IP is not affected during the attack. DDoS detection and mitigation is fully automated, and traffic diversion occurs automatically. Small DDoS attacks are scrubbed locally in the data centre by the mitigation system. For larger attacks, traffic is diverted to an international DDoS mitigation provider, which then sends the clean traffic on to South Africa.
Reverse path forwarding protection is enabled for all VLANs in our data centres. This policy ensures that only the subnets allocated to a VLAN can generate traffic for that VLAN. This helps to mitigate two kinds of malicious traffic:
Firewall rules on the data centre network edge and at the core are used to protect the network in a number of ways:
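The reverse path forwarding policy described above (only the subnets allocated to a VLAN may source traffic on that VLAN) can be illustrated with a small source-address validation check. This is an added example, not WorkStatz's own code; the VLAN numbers, subnets and packets are constructed for illustration and are not the real allocation.

```python
"""Per-VLAN source-address validation in the spirit of strict reverse path
forwarding: a packet is accepted only if its source address belongs to one of
the subnets allocated to the VLAN it arrived on."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed VLAN -> allocated subnets table (assumption, not a real allocation)
VLAN_SUBNETS: Dict[int, List[ipaddress.IPv4Network]] = {
    10: [ipaddress.ip_network("203.0.113.0/25")],
    20: [ipaddress.ip_network("198.51.100.0/24"),
         ipaddress.ip_network("203.0.113.128/26")],
}

Packet = Tuple[int, str, str]  # (ingress VLAN, source IP, destination IP)


def rpf_allows(vlan: int, src: str) -> bool:
    """Strict check: the source must be inside a subnet allocated to this VLAN.
    A VLAN with no allocation (or an unknown VLAN) may not source anything."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in VLAN_SUBNETS.get(vlan, []))


def filter_packets(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split traffic into packets forwarded and packets dropped by the policy."""
    accepted: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        vlan, src, _dst = pkt
        (accepted if rpf_allows(vlan, src) else dropped).append(pkt)
    return accepted, dropped


# Constructed sample traffic
SAMPLE: List[Packet] = [
    (10, "203.0.113.5", "198.51.100.7"),    # legitimate: VLAN 10 address on VLAN 10
    (10, "198.51.100.9", "203.0.113.5"),    # VLAN 20 address seen on VLAN 10: spoofed
    (20, "203.0.113.150", "192.0.2.1"),     # legitimate: second subnet of VLAN 20
    (20, "192.0.2.44", "203.0.113.1"),      # source not allocated to any VLAN here
    (30, "203.0.113.5", "203.0.113.1"),     # VLAN with no allocation at all
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    for pkt in bad:
        print("drop", pkt)
    print(f"forwarded {len(ok)} of {len(SAMPLE)} packets")
```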