Security
How Worqs (org.nr 559515-4526) protects your data on the Worqs platform.
Last updated: 2026-02-08
Our Commitment
Security is fundamental to Worqs. As a Swedish SaaS platform handling business-critical data for manufacturing plants, healthcare clinics, logistics companies, and professional services firms, we take security very seriously. All data is stored within the EU and we comply with GDPR and Swedish data protection legislation.
Infrastructure Security
Hosting and Network
Our application is hosted on Vercel with serverless functions in the Stockholm region (arn1):
- Vercel Edge Network — global CDN with automatic optimization and caching
- Serverless functions run in Stockholm, Sweden (arn1) for low latency within the EU
- Edge functions for fast rendering and API responses without cold starts
- Automatic DDoS protection and rate limiting via Vercel's infrastructure
- TLS 1.3 encryption for all traffic, HSTS enabled, automatic certificates
Database and Storage
Our database is powered by Supabase (Fly.io) with all data stored in Stockholm:
- Supabase — managed PostgreSQL platform with built-in authentication and file storage
- PostgreSQL 15 with high availability and automatic failover
- Row Level Security (RLS) on all tables — every database query is automatically filtered by tenant_id
- AES-256 encryption at rest for all data and backups
- Automatic daily backups with point-in-time recovery (PITR)
- Data stored exclusively in Stockholm, Sweden (eu-north-1) — no replication outside the EU
Application Security
Authentication
- JWT-based authentication via Supabase Auth with short token expiry times and automatic renewal
- Bcrypt password hashing — we never store passwords in plaintext
- Single sign-on (SSO) via Microsoft Azure AD / Entra ID with PKCE flow for OAuth 2.0
- Secure session management with automatic logout on inactivity and cross-domain SSO support
- CSRF protection via SameSite cookies and PKCE verification for OAuth flows
Access Control
- Role-based access control (RBAC) with fine-grained permissions per feature
- Strict tenant isolation — each organization's data is completely separated and can never be accessed across tenants
- Row Level Security (RLS) enforced at the database level via the get_tenant_id() function, independent of application logic
- Complete audit logging of all security-relevant actions with timestamps and user IDs
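The tenant isolation described above (RLS on every table, filtered by tenant_id via a get_tenant_id() function that runs inside the database rather than in application code) is easiest to understand from a concrete policy set. The following is an added example written for this page, not Worqs' own schema or code: the table name "documents", the column layout, and the body of get_tenant_id() (reading the tenant from a JWT claim the way Supabase/PostgREST exposes claims) are assumptions. Worqs' actual helper is not shown on the page.

```sql
-- Added example, not Worqs' own schema. Assumptions: a "documents" table with a
-- tenant_id column, and a get_tenant_id() helper that reads the caller's tenant
-- from the JWT claims that PostgREST/Supabase places in request.jwt.claims.

-- Hypothetical helper: tenant_id taken from the JWT's app_metadata claim.
-- STABLE lets the planner evaluate it once per statement instead of per row.
-- Returns NULL when the claim is absent, so an unauthenticated call matches nothing.
create or replace function public.get_tenant_id()
returns uuid
language sql
stable
as $$
  select nullif(
    current_setting('request.jwt.claims', true)::jsonb -> 'app_metadata' ->> 'tenant_id',
    ''
  )::uuid;
$$;

create table if not exists public.documents (
  id        uuid primary key default gen_random_uuid(),
  -- Defaulting tenant_id from the claim means the client never chooses the tenant;
  -- NOT NULL makes a request without a tenant claim fail instead of writing an orphan row.
  tenant_id uuid not null default public.get_tenant_id(),
  title     text not null,
  body      text
);

-- The application role gets ordinary table privileges; RLS decides which rows they apply to.
grant select, insert, update, delete on public.documents to authenticated;

-- ENABLE turns on RLS; FORCE applies the policies to the table owner as well.
-- Roles with the BYPASSRLS attribute (e.g. superusers) still see every row.
alter table public.documents enable row level security;
alter table public.documents force row level security;

-- One policy per command. The WITH CHECK clauses on INSERT and UPDATE are what
-- stop a client from writing a row into, or moving a row into, another tenant.
create policy documents_tenant_select on public.documents
  for select using (tenant_id = public.get_tenant_id());

create policy documents_tenant_insert on public.documents
  for insert with check (tenant_id = public.get_tenant_id());

create policy documents_tenant_update on public.documents
  for update
  using (tenant_id = public.get_tenant_id())
  with check (tenant_id = public.get_tenant_id());

create policy documents_tenant_delete on public.documents
  for delete using (tenant_id = public.get_tenant_id());

-- Sanity check: simulate an authenticated request for one tenant and confirm that
-- only that tenant's rows are visible. set_config(..., true) and SET LOCAL are
-- transaction-scoped, so the ROLLBACK leaves no trace. The tenant UUID is a
-- constructed sample value.
begin;
select set_config(
  'request.jwt.claims',
  '{"sub":"user-1","role":"authenticated","app_metadata":{"tenant_id":"11111111-1111-1111-1111-111111111111"}}',
  true
);
set local role authenticated;
insert into public.documents (title) values ('tenant A document');
select count(*) from public.documents;   -- counts tenant A rows only; other tenants are filtered
rollback;
```

Two points worth checking in any RLS-based isolation scheme: run the sanity check as the application role (here `authenticated`), because a role with BYPASSRLS such as the database superuser will see all rows regardless of policy and can give a false sense of security; and confirm that every table carrying tenant data has both `ENABLE` and `FORCE ROW LEVEL SECURITY` set and a `WITH CHECK` policy for writes, since a table with RLS enabled but no policy for a command denies that command entirely, while a missing `WITH CHECK` lets a row be written under another tenant's id.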
Data Protection
- All data encrypted in transit with TLS 1.3 between client, servers, and all third-party services
- All data encrypted at rest with AES-256 at the disk and backup level
- Sensitive data (API keys, connection secrets) additionally encrypted with application-level encryption
- Strict input validation with Zod schemas on all API endpoints to prevent injection attacks
Payment Security
All payment processing is handled via Stripe. We never handle sensitive payment data directly:
- Stripe — global payment provider with bank-level security
- Stripe is PCI DSS Level 1 certified, the highest security level in the payment industry
- Card details are handled exclusively by Stripe — no card data passes through or is stored on our servers
Email Security
Transactional emails are delivered via Resend:
- Resend — modern email provider with TLS-encrypted delivery
- Transactional messages only: account notifications, password resets, workflow notifications
- We never send marketing emails or sell email addresses to third parties
AI Security
Worqs uses Google Gemini for AI-assisted features. Privacy and data security are central:
- Google Gemini API — enterprise-grade AI with Google's security infrastructure
- Your data is never used to train Google's AI models (confirmed in Google's Cloud Data Processing Addendum)
- All communication with Gemini API is over encrypted TLS 1.3 connections
- AI features are optional — you can use the platform fully without enabling AI assistance
Integrations and Connectors
The Worqs connector framework enables integrations with external systems (e.g. Fortnox). Security is managed through:
- OAuth 2.0 authentication with encrypted tokens for all external connections
- Connection secrets and API keys are stored encrypted in the database and never exposed in logs
- All sync and connection actions are logged in the audit log with detailed error information
- Connections can be revoked immediately by organization administrators, stopping all data synchronization
Security Practices
Development
- Code review required for all changes before merging to production code
- Regular automated auditing of npm dependencies with security warnings
- Automated testing including API validation and authentication checks
- Development following OWASP Top 10 — protection against XSS, SQL injection, CSRF, and other common vulnerabilities
Monitoring
- Real-time monitoring of application, database, and API performance via Vercel Analytics and Supabase Dashboard
- Structured logging of all API calls, authentication events, and error messages
- Automatic alerts on anomalous patterns: failed logins, unusual API call patterns, server issues
- Logs retained for 90 days and then automatically deleted in accordance with the data minimization principle
Regulatory Compliance
Worqs is designed to comply with relevant European and Swedish regulations:
- GDPR: Full compliance with the EU General Data Protection Regulation (GDPR) with documented processes for all data subject rights
- LEK: Compliance with the Swedish Electronic Communications Act (LEK) regarding cookies and electronic communications
- Data Location: All primary data (database, files, authentication) is stored in Stockholm, Sweden (eu-north-1). No customer data is replicated outside the EU/EEA.
- Data Processing Agreement: a DPA is in place with all sub-processors. Transfers to US-based providers are supported by EU-approved Standard Contractual Clauses (SCCs).
Incident Response
We have documented processes for handling security incidents:
- Documented incident response procedure with defined roles and escalation steps
- Notification to the Swedish Authority for Privacy Protection (IMY) within 72 hours for personal data breaches per GDPR
- Root cause analysis after every incident with preventive measures and process improvements
- Affected customers and users are informed without undue delay of any incident that may affect their data
Responsible Disclosure
We appreciate security researchers who help keep our platform secure. If you find a security vulnerability, please report it responsibly to:
- Security report email: [email protected]
Scope: worqs.io, worqs.app (including all subdomains), and associated API endpoints. Please avoid testing against other customers' data or production environments with real users.
We acknowledge receipt within 48 hours and aim to remediate verified vulnerabilities within 30 days. We offer recognition in our security overview for responsibly reported vulnerabilities.
Contact
For security questions, vulnerability reports, or requests for our security documentation:
- General security inquiries: [email protected]
- Report vulnerabilities: [email protected]
- Privacy inquiries: [email protected]