Compliance

Meeting the highest standards of data protection and regulatory compliance

Our Compliance Commitment

Workblox is building a compliance-first platform designed to meet the highest standards of global data protection regulations and industry frameworks. As we prepare for launch, we're implementing comprehensive compliance measures to ensure your data is handled with care and in accordance with applicable laws.

Our compliance program is being built on three pillars: transparency, accountability, and continuous improvement.

SOC 2 Type II Compliance (In Progress)

Workblox is actively pursuing SOC 2 Type II certification, demonstrating our commitment to the highest standards of security, availability, and confidentiality.

What is SOC 2?

SOC 2 (Service Organization Control 2) is an auditing procedure that ensures service providers securely manage data to protect the interests of their clients and the privacy of their clients' customers.

Our SOC 2 Coverage (Planned)

  • Security: Protection against unauthorized access
  • Availability: Services are available as committed
  • Confidentiality: Sensitive information is protected
  • Processing Integrity: System processing is complete and accurate
  • Privacy: Personal information is properly handled

Continuous Compliance (Planned)

  • Annual SOC 2 Type II audits by independent third parties
  • Quarterly internal compliance reviews
  • Continuous monitoring and improvement of controls
  • SOC 2 reports available to Enterprise customers under NDA

GDPR Compliance (Designed to Support)

The General Data Protection Regulation (GDPR) is the EU's comprehensive data protection law. Workblox is designed to support GDPR requirements for all users, regardless of location.

Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a portable format
  • Right to Object: Object to certain types of processing
  • Rights Related to Automated Decision Making: Opt out of automated decisions

Our GDPR Measures (Planned)

  • Data Protection Officer (DPO) to be appointed
  • Data Processing Agreements (DPA) with all processors
  • Privacy by Design and by Default principles
  • Data Protection Impact Assessments (DPIA) for high-risk processing
  • Standard Contractual Clauses (SCC) for international transfers
  • Breach notification procedures (within 72 hours)
  • Staff training on GDPR compliance

CCPA/CPRA Compliance (Designed to Support)

The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), provide California residents with specific rights regarding their personal information.

Your California Rights

  • Right to Know: What personal information is collected and how it's used
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of the sale of personal information
  • Right to Non-Discrimination: Equal service regardless of privacy choices
  • Right to Correct: Correct inaccurate personal information
  • Right to Limit: Limit use of sensitive personal information

Our CCPA/CPRA Compliance (Planned)

  • We do not sell personal information
  • Clear privacy notice and disclosures
  • Simple process to exercise your rights
  • Verification procedures to protect your information
  • Response to requests within 45 days
  • Privacy metrics disclosure

HIPAA Compliance (Planned for Enterprise)

For Enterprise customers in healthcare, Workblox plans to offer HIPAA-compliant configurations to protect Protected Health Information (PHI).

HIPAA-Compliant Features (Planned)

  • Business Associate Agreement (BAA) to be available
  • End-to-end encryption for PHI
  • Comprehensive audit logs
  • Access controls and authentication
  • Automatic session timeouts
  • Secure data backup and recovery
  • Employee HIPAA training and certification

Note: HIPAA compliance features will be available only on Enterprise plans. Contact sales@workblox.ai for more information.

ISO 27001 (In Progress)

Workblox is pursuing ISO 27001 certification, the international standard for information security management systems (ISMS).

ISO 27001 Preparation

  • Establishing Information Security Management System
  • Comprehensive risk assessment and treatment
  • Documented security policies and procedures
  • Internal audit processes
  • Continuous improvement processes
  • Certification timeline to be determined

Data Localization & Sovereignty (Planned)

We're designing Workblox to respect data sovereignty requirements and plan to offer data residency options to comply with local regulations.

Planned Data Regions

  • United States (US East, US West)
  • European Union (to be determined)
  • Additional regions based on customer demand

Data Transfer Safeguards (Planned)

  • Standard Contractual Clauses (SCC) for EU transfers
  • UK International Data Transfer Agreement (IDTA)
  • Data residency options for sensitive workloads
  • Transparent disclosure of data transfer practices

Industry-Specific Compliance (Planned)

Education

  • FERPA compliance for educational institutions
  • COPPA compliance (no collection from children under 13)
  • Student data privacy commitments
  • Education-specific access controls

Additional Industries

We're evaluating additional industry-specific compliance frameworks based on customer needs. Contact us to discuss your specific requirements.

Subprocessors & Third Parties

A current list of subprocessors will be published and maintained prior to beta.

We carefully vet all subprocessors for security and compliance, and will maintain Data Processing Agreements (DPAs) with any third-party service providers who have access to customer data.

Data Retention & Deletion (Planned)

We're establishing clear data retention policies that balance operational needs with privacy requirements.

Planned Retention Periods

  • Active Account Data: Retained while account is active
  • Deleted Account Data: Purged within 90 days of account deletion
  • Backup Data: Retained for 30 days, then permanently deleted
  • Audit Logs: Retained for 1 year (7 years for Enterprise)
  • Billing Records: Retained for 7 years (legal requirement)
  • Marketing Data: Retained until consent is withdrawn

Secure Data Deletion

  • Cryptographic erasure (destroying encryption keys)
  • Multi-pass overwriting for physical media
  • Certified destruction for decommissioned hardware
  • Deletion certificates available upon request (Enterprise)

Security Incident Response (Planned)

We're developing comprehensive incident response procedures to handle security and data breach incidents.

Incident Response Process

  • Detection & Analysis: 24/7 monitoring and threat detection
  • Containment: Immediate action to limit impact
  • Eradication: Remove the threat from systems
  • Recovery: Restore systems and services
  • Post-Incident: Analysis and improvement
  • Notification: Customer notification within 72 hours if required

Breach Notification

In the event of a data breach affecting personal data:

  • Affected customers notified within 72 hours
  • Regulatory authorities notified as required
  • Transparent communication about impact and remediation
  • Dedicated support for affected customers
  • Post-breach analysis and security improvements

Compliance Documentation (To Be Available)

We will maintain comprehensive compliance documentation and make it available to our customers.

Planned Documentation

  • SOC 2 Type II Report (under NDA) - upon completion
  • Data Processing Agreement (DPA)
  • Business Associate Agreement (BAA) - Enterprise only
  • Standard Contractual Clauses (SCC)
  • Security White Paper
  • Subprocessor List
  • Privacy Policy
  • Cookie Policy

Enterprise customers will be able to request compliance documentation through their account manager or by emailing compliance@workblox.ai.

Compliance Training & Culture

Compliance is everyone's responsibility at Workblox. We're building a compliance-first culture from day one.

  • Mandatory compliance training for all employees
  • Role-specific training (security, privacy, data handling)
  • Regular compliance updates and communications
  • Compliance considerations in product development
  • Incident simulation and tabletop exercises
  • Compliance metrics tracking

Audits & Assessments (Planned)

We plan to conduct regular audits and assessments to ensure ongoing compliance:

  • Annual SOC 2 Type II audits
  • Quarterly internal security audits
  • Annual penetration testing by third parties
  • Continuous vulnerability scanning
  • Vendor security assessments
  • Compliance gap analysis
  • Customer security questionnaire support

Customer Responsibilities

Compliance is a shared responsibility. As a Workblox customer, you will be responsible for:

  • Configuring appropriate access controls for your workspace
  • Training your team on security and compliance best practices
  • Ensuring your use complies with applicable regulations
  • Properly classifying and handling sensitive data
  • Reporting security incidents promptly
  • Maintaining your own compliance records and policies
  • Reviewing our compliance documentation

Future Compliance Roadmap

We're committed to expanding our compliance coverage as we grow:

  • SOC 2 Type II certification (in progress)
  • ISO 27001 certification (planned)
  • ISO 27018 (Cloud Privacy) (planned)
  • Additional regional certifications based on customer needs
  • Industry-specific certifications as required

Contact Our Compliance Team

For compliance-related questions or to discuss your specific compliance needs:

Email: compliance@workblox.ai
Privacy Questions: privacy@workblox.ai

We're here to answer questions about our compliance roadmap and how Workblox can support your organization's compliance requirements.