<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=395330474421690&amp;ev=PageView&amp;noscript=1">
Built for the hourly workforce

Put the scary stuff into auto-pilot

HR teams safeguard some of the most precious data. Keep yours secure and compliant with built-in controls and security practices.

secure-icon1

Single sign-on

Verify the identity of your employees every time they sign in to Workstream.

secure-icon2

Role-based access controls

Restrict access to sensitive information to only the users who need it.

secure-icon3

File security

Trust your data is encrypted and protected from security vulnerabilities.

secure-icon4

Location-specific employee forms

Automatically send forms to employees based on local, state, and federal requirements.

secure-icon5

Background checks

Automatically request consent to background checks and surface only legally reportable results to your hiring team.

secure-icon6

Deadline criteria

File paperwork and verify worker status on time for tax and government processes such as WOTC, I-9s, and E-verify.

secure-icon7

Audit trails

Reduce the likelihood of unauthorized changes.

secure-icon8

Email & SMS compliant

Workers can opt in and out of messages any time, and we manage that process for you.

image (6)

Workstream is SOC-2 Type 2 Compliant

  • Data is encrypted at rest and in-transit
  • Regularly scanning for vulnerabilities to spot and fix them

Be smart with your hourly workforce

Book a demo
FAQs

Got questions? We've got answers.

Still have questions?

Contact Support

What security certifications does Workstream hold?

Workstream is SOC 2 Type II certified and undergoes annual independent security audits. The platform also supports HIPAA Business Associate Agreements for healthcare customers and maintains PCI compliance for payment data handling. Customer data is encrypted at rest using AES-256 encryption and encrypted in transit using TLS 1.2+.

How is customer data protected?

Customer data in Workstream is protected through tenant-level data isolation, encryption, role-based permissions, and audit logging. Data is encrypted both at rest and in transit, while access to production systems is restricted to authorized engineers with logged and regularly reviewed access activity. Every read, write, and administrative action is also captured in audit logs.

Does Workstream support SSO and SAML?

Workstream supports SSO through SAML 2.0, OIDC, and SCIM provisioning. The platform integrates with identity providers including Okta, Microsoft, Google, and OneLogin. SSO functionality is available on enterprise plans, while smaller customers can use standard email authentication.

Where is customer data stored?

Customer data in Workstream is hosted on Amazon Web Services infrastructure in the United States, primarily in the us-west-2 region. The platform uses multi-availability-zone redundancy and automated backups for reliability and disaster recovery. Enterprise customers with specific regulatory requirements can also request alternative data residency options during procurement.

Who owns the data put into Workstream?

Customers own the data they upload and generate inside Workstream. Workstream acts as a data processor and does not sell customer data, share it without consent, or train shared AI models on customer data without explicit opt-in approval. Customers can also export their full data set during the contract or at termination.

What happens to data if you leave Workstream?

When customers leave Workstream, they can export employee records, payroll history, documents, hiring data, and schedule history in standard formats. Workstream retains records for the legally required retention period, such as payroll records required under IRS regulations, before securely deleting the data afterward. Data export at contract termination is included as part of standard customer agreements.

Personal Information and Sensitive Personal Information

Before we discuss the right to limit and the right to opt-out, we must first define personal information and how it relates to sensitive personal information.

Personal information is any data that identifies, relates to, or could reasonably be linked to you or your household. A few examples of personal information include:

  • Name or nickname
  • Email address
  • Purchase history
  • Browsing history
  • Location data
  • Employment data
  • IP address
  • Profiles businesses create about you, including pseudonymous profiles (“user1234”)
  • Sensitive personal information

Sensitive personal information or “SPI” is a subset of personal information, defined as:

  • Identifying information (e.g. social security number, driver’s license)
  • Financial data (e.g. debit or credit card numbers)
  • Precise geolocation (within a radius of 1,850 feet)
  • Demographic or protected-class information (e.g. race/ethnicity, religion, union membership)
  • Biometric and genetic data (e.g. fingerprints, palm scans, facial recognition)
  • Communications and content (e.g. mail, email, text messages)
  • Health and sexual orientation (e.g. vaccine records, health history)

Right to Opt-Out

Californians have the right to opt-out of the sale and sharing of their personal information. That means you have the right to opt-out of the sale of your personal information to third parties (e.g. data brokers, advertisers). You also have the right to opt-out of the sharing of your personal information to prevent the targeting of ads across different businesses, websites, apps, or services.

CCPA-covered businesses must provide a link to allow you to exercise this right. It is usually found at the bottom of a webpage and will say “do not sell or share my personal information” or “your privacy choices.” Sometimes businesses offer privacy choices through a pop-up window or form

To opt-out of the sale and sharing of your personal information, click on the link or use the toggle provided by the business and follow the directions. Doing this on every website you visit can feel burdensome, but to ease the burden you can automatically select your privacy preferences for every website by using an opt-out preference signal, or OOPS for short.

An OOPS is a user-friendly and straightforward way for consumers to automatically exercise their right to opt-out of the sale and sharing of their personal information with the businesses they interact with online. An OOPS, such as the Global Privacy Control. It can either be a setting on your internet browser or a browser extension. With an OOPS, consumers do not have to submit individual requests to opt-out of sale or sharing with each business.

Right to Limit

Californians also have the right to direct businesses to limit the use and disclosure of their sensitive personal information.

Businesses covered under the CCPA must provide a link on their website that allows you to request the limiting of your SPI, if they plan on using it in certain ways. That link will also typically be at the bottom of a webpage and will say: “limit the use of my sensitive personal information” or “your privacy choices.” Once you send this request, the business must stop using your SPI for anything other than to:

  • Provide requested goods or services
  • Ensure security and integrity
  • Prevent fraud
  • Maintain system functionality
  • Comply with legal obligations

Bringing it Together

In summary, the CCPA gives you the right to opt-out of the sale and sharing of your personal information and gives you additional rights to further limit the use and disclosure of your sensitive personal information.

When you exercise these rights together, you exert greater control in protecting your personal data which is important for your identity, safety, and financial health.

If you are on a business’s website and you can’t find the links to exercise your rights, remember to check their privacy policy. The privacy policy should tell you how you can exercise your rights under the law.

If you find your rights being violated, you can submit a complaint to CalPrivacy.

Next in the LOCKED series, we will explore the right to correct and right to know. Follow us on social media to get live updates or check back in one week for the next post.

Essential

Required to enable basic website functionality. You may not disable essential cookies.

Targeted Advertising

Used to deliver advertising that is more relevant to you and your interests. May also be used to limit the number of times you see an advertisement and measure the effectiveness of advertising campaigns. Advertising networks usually place them with the website operator’s permission.

Personalization

Allow the website to remember choices you make (such as your username, language, or the region you are in) and provide enhanced, more personal features. For example, a website may provide you with local weather reports or traffic news by storing data about your general location.

Analytics

Help the website operator understand how its website performs, how visitors interact with the site, and whether there may be technical issues.

Right to Limit Use of Sensitive Personal Information

You also have the right to limit how we use sensitive personal information (such as precise geolocation, financial data, etc.).

Your preference has been saved. We will not sell or share your personal information.