Free On-demand Webinar: How To Get Started With AI
Blog
Arcanum

Data Privacy & Confidentiality

Arcanum

At Arcanum, we’re committed to protecting your privacy. Here is our Privacy policy to help you understand what information we collect, how we use it, and most importantly, what choices you have.

When we talk about the “Sites” in this policy, we are referring to the Arcanum websites at www.arcanum.ai

When we talk about “Clients”, we are referring to our clients, who are organisations to which we provide our Services.

When we talk about the “Services” in this policy, we are referring to the services provided to our Clients which allow them to use our Platform, including providing access to our applications, platform tools and infrastructure.

When we talk about the “Platform” we are referring to our software platform which enables organisations to engage in machine learning through our applications, platform tools and infrastructure the Platform provides.

When we talk about an “Application” we are referring to our own or client created applications, or other applications which operate on or use our Platform.

When we talk about “personal data”, we are referring to information that identifies you as an individual or relates to an identifiable individual, which can include (for example) name, title, company name, personnel details, job information, postal address, telephone number, or email address.

Structure of the policy

This privacy policy is provided in a layered format so you can click through below to the section which relates to the information that we collect about you.

  1. Important Information and Who We Are
  2. Categories of Data Subjects

(a) End Users of the Platform and Applications

(b) Job Applicants

(c) Visitors to our Sites

(d) Our Business Contacts/Clients/Suppliers

  1. Promotional Communications
  2. Disclosures of Your Personal Data
  3. International Transfers
  4. Data Security
  5. Your Legal Rights
  6. Cookies

1. Important information and who we are

Arcanum AI Limited is the company which provides the Sites and Services and operates the Platform. This privacy policy is issued by Arcanum AI Limited. When we mention "Arcanum", "we", "us" or "our" in this privacy policy, we are referring to Arcanum AI Limited.

This privacy policy gives you information on how we collect and process your personal data as (a) a processor when you are an end user of any Application, or (b) a controller, through your direct use of our Sites or the Platform, by applying to work with us, by sending us correspondence, or providing us with products or services.

In addition, if you are located in the European Economic Area, it outlines your data protection rights under the EU data protection regime introduced by the General Data Protection Regulation (Regulation 2016/679) (the “GDPR").

The Sites, Services, Platform and the Applications are not intended for children and we do not knowingly collect data relating to children. If we learn that we have collected personal information from a child under age 13, we will delete that information as quickly as possible. If you believe that a child under 13 may have provided us personal information, please promptly contact us at privacy@arcanum.ai.

Please contact us at 31-35 Dixon Street, Te Aro, Wellington, New Zealand or at privacy@arcanum.ai if you have any queries in relation to the processing of your personal data under this policy.

We have appointed a privacy manager who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the privacy manager at privacy@arcanum.ai

We sometimes update this policy. Please refer back to this page regularly to see any changes or updates to this policy.

2. Categories of data subjects

(a) End users of the Platform and Applications

This section of this policy describes how we process personal data about people who access our Platform directly or through an Application (the "End Users").

Data we collect

We may hold personal data provided to us by you directly or through an Application, or by administrators or Clients on your behalf, through using our Services, through our Sites, through telephone calls or other correspondence with us, or where it’s provided to us by third parties.

We may collect, store, and use the following categories of personal data about you, the End User: contact details (including name, title, address, telephone number, personal email address), gender, time zone, location details, your social media account avatar/picture, files you upload, information we collect automatically, publicly available information about you (including but not limited to public information on social media platforms) and any other personal data you provide in an interaction with an Application. If you provide third-party account credentials to us or through an Application, you understand some information in those accounts (“Third Party Account Information”) may be transmitted to our Platform, and that Third Party Account Information transmitted to our Platform is covered by this privacy policy.

Personal data may be collected by the Platform from you directly, or through administrators or Clients through the use of the Services.

If you are an employee or contractor of our Client, we may collect the following details from you: contact details (including name, title, address, telephone number, personal email address), log in details, location details, passwords, name of employer, job title, expertise, information you provide and files you upload.

How we use your data

We may store or use your personal data for the following purposes:

(a) to provide you access to interact with the Platform or an Application, including to authenticate you and to present information relevant to you when you are using the Platform or an Application;

(b) to hold your personal data on our system and to contact you as necessary in accordance with our contractual obligations, or on the basis of our legitimate interests;

(c) to provide you with information about Arcanum, our Services, the Platform or any Application;

(d) to allow us to administer and manage your access to the Platform or any Application;

(e) to monitor, develop and improve the Sites, Services and the Platform;

(f) to update and maintain our records, including details of people that have accessed our Services and Platform;

(g) to comply with our legal obligations (including detecting, preventing or investigating fraud or crime);

(h) to scan and monitor emails sent to us for viruses or malicious software, to process and encrypt personal data and to protect and manage email traffic;

(i) on an aggregated or anonymised basis (i.e. in a way that doesn’t identify you) to improve the Sites, the Services or the Platform;

(j) for our business purposes, such as data analysis, audits, fraud monitoring and prevention, identifying usage trends, developing new products, enhancing, improving or modifying the Sites, Services and the Platforms; and

(k) other actions that are necessary to manage our activities or to comply with our legal and regulatory requirements.

We will only use and store your data where this is in our legitimate interests or is necessary for us to comply with our legal obligations. We will only process data on the basis that it is necessary to pursue legitimate interests if those legitimate interests are not overridden by your legitimate interests, fundamental rights or freedoms.

We do not anticipate needing to obtain your consent for the processing of your personal data as listed above. If we wish to use your personal data for other purposes which do require your consent, we will contact you to request this consent and provide you with full details of the personal data that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. If you decide to give consent, you have the right to withdraw your consent at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purposes you originally agreed to, unless we have another legitimate legal basis for doing so.

If you don’t provide necessary information when requested, then we may not be able to provide you with access to the Sites, the Platform or the relevant Application.

How long we keep your data

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

If our Services or the Platform are made available to you through an organisation (e.g. your employer), we retain your data as long as required by the administrator of your account. Organisation administrators are responsible for deactivating or disabling accounts for users that belong to their organisation. If a user account is deactivated or disabled, some of the information and the content provided will remain to allow other users to make full use of the Platform

(b) Job Applicants

The following section of this policy sets out how we process personal data about applicants for jobs, placements and contracts at Arcanum.

Data we collect

If you apply for work with us, we will collect, store and use the following categories of personal data about you: name, title, address, telephone number, personal email address, date of birth, gender, employment history, qualifications, information provided to us during telephone calls, video interviews, face to face interviews and/or meetings with you, information contained in your CV and cover letter or email, information obtained from social media (including LinkedIn) and references.

We may collect personal data about candidates from the following sources: you (the candidate) directly; recruitment agencies; background check providers; credit reference agencies; relevant authorities for criminal record checks; your named referees; and data from third parties if from a publicly accessible source including social media (such as LinkedIn).

How we use your data

We, or our HR service providers, may use your personal data for the following purposes:

(a) to assess your skills and qualifications, to consider your suitability for the position and to decide whether to enter into a contract with you;

(b) to carry out background and reference checks;

(c) to communicate with you about the recruitment process;

(d) to keep records related to our hiring processes;

(e) to comply with legal or regulatory requirements;

(f) to scan and monitor emails sent to us (including attachments) for viruses or malicious software, to process and encrypt personal data to protect and manage email traffic, and to store personal data on our systems to pursue our legitimate interests including for document retention purposes; and

(g) other actions that are necessary to manage our activities and/or to comply with our legal and/or regulatory requirements.

We process this personal data on the basis of our legitimate interests (to decide whether to appoint you to work for us) and to comply with applicable laws.

Once we receive your CV and covering letter or your application form, we may process that information to decide whether we have any suitable vacancies and if you meet the basic requirements to be shortlisted for that role. If you do, we will decide whether your application is strong enough to invite you for an interview. If we decide to contact you for an interview, we will use the information you provide to us at the interview to decide whether to offer you the work. If we decide to offer you the work, we will then take up references and we may carry out criminal record or other checks before confirming your appointment.

If you don’t provide information when requested (which is necessary for us to consider your application, such as evidence of qualifications or work history) we will not be able to process your application. For example, if we require references for the role and you fail to provide us with relevant details, we will not be able to take your application further.

We may use any sensitive personal data in the following ways:

we will use information about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during the interview or to provide accessibility features at the workplace; andwe will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure equal opportunity monitoring and reporting.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

We may share your personal data with HR and IT service providers for the purposes of processing your application.

How long we keep your data

If your application is successful, the information you provide during the application process will be retained by us as part of your employee file and held in accordance with our employee policies and our data retention policy or applicable laws.

]If your application is unsuccessful, the information you have provided will be retained after we have communicated our decision to you. We retain your personal information for as long as reasonably necessary so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. If we wish to retain your personal information on file, on the basis that a further opportunity may arise in future and we may wish to consider you for that, we will contact you separately, seeking your explicit consent to retain your personal information for as long as reasonably necessary for that purpose.

(c) Visitors to our sites

The following section of this policy sets out how we process personal data about visitors to our Sites.

Data we collect

We may collect, use, store and transfer different kinds of personal data about you which you provide to us through our Sites: name, address, email address, telephone numbers, technical data (including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website, usage data (including information about how you use our website, products and services), and marketing and communications preferences (including your preferences in receiving marketing from us and your communication preferences).

We use different methods to collect data from and about you including through:

Direct interactions with you, including by filling in forms. This includes personal data you provide when you subscribe to our publications or request marketing to be sent to you. Automated technologies or interactions.

How we use your data

We may use your personal data for the following purposes:

(a) to use data analytics to improve our Sites, marketing, and customer experience;

(b) to comply with legal or regulatory requirements;

(c) to scan and monitor emails sent to us for viruses or malicious software, to process and encrypt personal data to protect and manage email traffic; and

(d) for our business purposes, such as data analysis, audits, fraud monitoring and prevention, developing new products, enhancing, improving or modifying our Sites, Services or the Platform, and identifying usage trends.

If we consider we need your consent in relation to our use of your personal data, we will contact you to request this consent and provide you with full details of the personal data that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. If you decide to give consent, you have the right to withdraw your consent at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purposes you originally agreed to, unless we have another legitimate legal basis for doing so.

Where the Sites provide links to other websites, we are not responsible for the data protection/privacy/cookie usage policies of these other websites, and you should check these policies on the other websites. If you use one of these links to leave our Site, you should note that we do not have any control over that other website.

How long we keep your data

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

(d) Business contacts/clients/suppliers

The following section of this policy sets out how we process personal data about our business contacts, service providers and people who have corresponded with our employees. See section 2(A) for our privacy policy as it relates to Client users of the Platform or our Services.

Data we collect

We may collect, use, store and transfer different kinds of personal data about you which you provide to us including: name, address, email address, telephone numbers, place of work, job title.

How we use your data

We may use your personal data for the following purposes (as applicable):

(a) to hold your personal data on our system and to contact you as necessary in accordance with our contractual obligations, or on the basis of our legitimate interests;

(b) to provide you with information about Arcanum and our Services;

(c) in respect of Clients, to allow us to administer and manage your access to our Services;

(d) in respect of Clients, to send administrative information to you to inform you of changes to the Services and our terms and policies, to administer accounts and track billing payments. We will also use information to investigate any complaints relating to the misuse of the Sites or Services and to respond to queries and/or comments you have forwarded to us;

(e) in respect of Clients, to allow us to process payments in relation to our Services;

(f) in respect of suppliers, to allow us to process payments and orders in respect of any goods and services provided;

(g) to comply with legal or regulatory requirements;

(h) to scan and monitor emails sent to us for viruses or malicious software, to process and encrypt personal data to protect and manage email traffic; and

(i) for our business purposes, such as data analysis, audits, fraud monitoring and prevention, developing new products, enhancing, improving or modifying our Sites and Services, and identifying usage trends.

If we consider we need your consent in relation to our use of your personal data, we will contact you to request this consent and provide you with full details of the personal data that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. If you decide to consent, you have the right to withdraw your consent at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purposes you originally agreed to, unless we have another legitimate legal basis for doing so.

How long we keep your data

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

3. Promotional communications

Where you have provided consent, we may use your personal data and information about how you use the Sites, Services, the Platform and Applications to send promotional communications that may be of specific interest to you. These communications are aimed at driving engagement and maximising what you get out of the Sites, Services, Platform and Applications, including information about new features, survey requests, newsletters, and events we think may be of interest to you. We also communicate with you (including via email, text messaging and through an interaction with an Application) about new product offers, promotions, general business and marketing purposes relating to the Sites, Services, Platform and Applications.

You can opt-out of receiving marketing messages from Arcanum by sending an email to privacy@arcanum.ai, by unsubscribing through the unsubscribe link in an email, or by unsubscribing here.

We will try to comply with your request as soon as reasonably practicable. If you opt-out of receiving marketing-related emails from us, we may still send you important administrative messages if you use our Services directly.

4. Disclosures of your personal data

We will not disclose personal data we hold about you to any third party except as set out below.

Within the Platform

If your personal data is added to the Platform through an organisation (e.g. your employer or service provider), that organisation is the data controller and will determine the policies for sharing and disclosure of the data within our Services. Configurations to limit disclosure within the Services are managed by your organisation. For example, organisations can configure who can see process information and what data their users can share.

Service providers

We work with third-party service providers to provide hosting, maintenance, backup, storage, infrastructure, payment processing, analysis and other services for us, which may require them to access information about you. If a service provider needs to access information about you to perform services on our behalf, they do so under instruction from us, including abiding by policies and procedures designed to protect your information. Some of these service providers may be located internationally.

Affiliated businesses

In certain situations, businesses or third party websites we’re affiliated with may sell or provide products or services to you through or in connection with the Services and/or a Platform (either alone or jointly with us). We will share your personal data with that affiliated business only to the extent that you have provided us with prior consent to do so. For example, you may ask us or a Client for an introduction to a relevant third-party provider. We have no control over the policies and practices of third party websites or businesses as to privacy or anything else, so if you choose to take part in any transaction or service relating to an affiliated website or business, please review all such business’ or websites’ policies.

De-identified information

We may de-identify or anonymise your personal information so that you are not identified as an individual, and provide that information to our Clients or other third parties. We may also provide aggregate usage information to our Clients or other third parties, who may use such information to understand how often and in what ways people use our Services or Platform, so that they, too, can provide you with an optimal online experience. However, we never disclose aggregate usage or anonymised information to any third party in a way that would identify you as an individual person.

Legal obligations

In exceptional circumstances, we may share information about you with a third party if we believe that sharing is reasonably necessary to (a) comply with any applicable law, regulation, legal process or governmental request, including to meet national security requirements, (b) enforce our agreements, policies and terms of service, (c) protect the security or integrity of our Services, Platform or any Applications, or (d) protect Arcanum, our Clients or the public from harm or illegal activities.

Sale of our business

Where we sell or transfer our business, we may provide your personal data as part of a database to the buyer, so that they can contact you about their plans for the business. In that case, we may also retain your information and use it in accordance with this privacy policy (or any other terms we agree with you). If our business is acquired, we go out of business, or go through some other change of control, your personal information could be one of the assets transferred to or acquired by a third party.

5. International transfers - EEA users

Arcanum and our external service providers are based outside the European Economic Area (EEA), so their processing of your personal data will involve a transfer of data outside the EEA.

Whenever your personal data is transferred out of the EEA by us, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

We may transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission (for example, New Zealand).Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US.

Please contact us if you want further information on the specific mechanism used when transferring your personal data out of the EEA.

6. Data security

We have put in place measures to ensure the security of the personal data we collect and store about you. We strive to protect your personal data from unauthorised disclosure or access, including through the use of network and database security measures, but cannot guarantee the security of any data we collect and store.

If you interact with the Platform or the Services via any other third party site or service, you may have additional or different sign-on protections via that third party site or service. You must prevent unauthorised access to your account and personal information by selecting and protecting your password or other sign-on mechanism appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account.

7. Your legal rights

In certain circumstances, by law you may have the right to:

Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. Request correction or updating of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected or updated. Request deletion of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).Object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes. Request the restriction of processing of your personal data. This enables you to ask us to restrict the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it. Request the transfer of your personal data to another party (if you are based in the EEA).Withdraw your consent. If we are processing your personal data on the basis of your consent, you have the right to withdraw such consent at any time. Withdrawing your consent will not affect the lawfulness of processes based on consent before its withdrawal. To withdraw your consent or to opt out of receiving marketing communication, please contact us at privacy@Arcanum.ai, by unsubscribing through the unsubscribe or opt-out link in an email, or by unsubscribing here. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate legal basis for doing so.

If you wish to exercise any of the rights set out above, please email privacy@arcanum.ai

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one week. Occasionally it may take us longer than a week if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

You have the right to make a complaint at any time to the relevant supervisory authority for data protection issues in your country. We would, however, appreciate the chance to deal with your concerns before you approach them so please contact us in the first instance.

If you have any queries about this policy or your personal data, or you wish to submit an access request or raise a complaint about the way your personal data has been handled, please email privacy@arcanum.ai.

Workato

Security

Workato has a comprehensive approach to security. This includes a complete security program with documented policies and procedures, verified by an annual audit; secure development and testing; a secure and scalable infrastructure; and capabilities within the product that enhance security and give customers control over key security features.

An overview of Workato’s security practices can be found on the public Security Page(opens new window).

This section of the documentation highlights key product features that are related to security.

We also have Security Best Practices guidance for particular product features.

Access and Authentication

Password Policy Enforcement

Users login to Workato using a password that is known only to them. Workato enforces password length, complexity, and expiration standards. Passwords are not stored; instead, as is standard practice, only a secure hash of the password is stored in the database. For more information, see the Authentication section of the Security Page(opens new window).

Session timeout

Workato supports automatic session logout after a period of time. Organizations can set a timeout duration according to their security needs. A user can update their timeout duration by navigating to User icon > Account settings > Account > Session timeout duration.

Two-Factor Authentication

An organization can mandate that their users configure their accounts to use Two-Factor Authentication through a mobile app. Workato supports Google Authenticator, Microsoft Authenticator, and Authy. To learn more about enabling and disabling this feature, see Two-Factor Authentication.

Organizational separation

Admins can configure a separate Workspace for each team or business function. Each Workspace has its own set of users and resources, such as connections, recipes, and lookup tables. Users can only access the resources of the Workspace to which they are assigned. For example, a user working in the marketing Workspace of an organization cannot access the resources in the IT or accounting Workspaces.

Separation of environments

Workato supports a multi-phase development lifecycle, in which development, testing, and production are performed in separate environments and by different users. For more information, see Recipe Lifecycle Management(opens new window).

IP allowlists

IP allowlists help to ensure that traffic to and from Workato is restricted to authorized users. Customers using the On-prem agent (OPA) enable Workato to securely access authorized on-prem apps, databases, and folders via specific hostnames and IP addresses. For more information, see IP Allowlists.

SSO using SAML2.0 authentication

Workato supports integration with 3rd party SAML-compliant SSO systems. This allows an enterprise to manage access to Workato as well as other enterprise applications and apply custom authentication schemes and policies.

Workato also supports Single Sign-On using 3rd-party credentials including Google and Microsoft Office 365. For more information, see Single sign-on.

Just-in-Time provisioning

Customers using a SAML-based SSO provider can use Just-in-Time provisioning to automatically create Workato users. This eliminates the need to manually configure user accounts and further enhances the enforcement of security policies. For more information, see Team collaboration - Just in time provisioning.

User Provisioning and authorization

To minimize the risk of data exposure, Workato follows the principle of least privilege through an RBAC (Role-Based Access Control) model when provisioning system access.

Controlling user access through RBAC

Team admins use role-based access control (RBAC) to assign collaborators to projects and folders, as well as to grant view, edit, create, or delete permissions to assets. Workato is pre-configured with the Admin, Operator, and Analyst system roles, which grant a user the permissions necessary to perform the tasks within the scope of their role. For more information, see Role-based access control.

Custom Roles

In addition to the system roles, Workato offers team admins the ability to configure custom roles with access to specific folders, recipes, and connections. For more information, see Custom roles.

Connecting to External Systems

OAuth2

When Workato recipes connect to remote systems using user-supplied credentials, where possible this is done using OAuth2, and in those cases, no credentials need to be stored in the Workato system. However, if a remote system requires credentials to be stored, they are encrypted using a 256-bit key.

Custom OAuth

Custom OAuth profiles enable recipe builders to create custom application profiles on supported connectors, then connect them to Workato. This gives greater control over the app's branding, permission scopes, and OAuth profile. For more information, see Custom OAuth profiles.

Data protection

Data encryption

All data stored in the Workato system is encrypted at rest using a strong encryption algorithm (AES-256). This data includes recipes, connections, lookup tables, user profiles, job history, and audit logs. Job history data is double-encrypted using a global key managed by our cloud providers and a tenant-specific key. For more information, see key management.

Data Retention

Workato stores transaction-related data for a limited period of time, to provide visibility into system activity, facilitate testing and debugging, allow the re-running of failed transactions, and support long-running transactions. The retention period varies by Workato plan and in some plans is configurable.

Data masking

When configuring recipe steps that contain sensitive data, recipe builders can opt to mask the data. When this option is enabled, the data does not display in the Workato UI, and it is not included in the job history database. For more information, see Data masking

Data privacy

Workato has a public privacy policy(opens new window), which details the types of personal information we collect, our handling of this information, and our customers’ privacy rights.

Audit log

Workato maintains an Activity Audit Log that enables Team administrators to see a record of users’ significant actions within their organization. This log can be streamed to an external destination to enable deeper analysis and long-term retention. For more information, see Audit log streaming.

Best practices

We have documented the following security best practices for using the Workato platform:

Amazon Web Services (AWS)

Protect your data

Earning customer trust is the foundation of our business at AWS and we know you trust us to protect your most critical and sensitive assets: your data. We earn this trust by working closely with you to understand your data protection needs, and by offering the most comprehensive set of services, tooling, and expertise to help you protect your data. To do this, we provide technical, operational, and contractual measures needed to protect your data. With AWS, you manage the privacy controls of your data, control how your data is used, who has access to it, and how it is encrypted. We underpin these capabilities with the most flexible and secure cloud computing environment available today.

Our commitments to you

Data controls and residency

With AWS, you control your data by using powerful AWS services and tools to determine where your data is stored, how it is secured, and who has access to it. Services such as AWS Identity and Access Management (IAM) allow you to securely manage access to AWS services and resources. AWS CloudTrail and Amazon Macie enable compliance, detection, and auditing, while AWS CloudHSM and AWS Key Management Service (KMS) allow you to securely generate and manage encryption keys. AWS Control Tower provides governance and controls for data residency.

Show Less »

Data privacy

We continuously raise the bar on privacy safeguards with services and features that let you to implement your own privacy controls, including advanced access, encryption, and logging features. We make it easy to encrypt data in transit and at rest using keys either managed by AWS or fully managed by you. You can bring your own keys that were generated and managed outside of AWS. We implement consistent and scalable processes to manage privacy, including how data is collected, used, accessed, stored, and deleted. We provide a wide variety of best practice documents, training, and guidance that you can leverage to protect your data, such as the Security Pillar of the AWS Well-Architected Framework. We only process customer data - that is any personal data you upload to your AWS account - under your documented instructions and do not access, use, or share your data without your agreement, except as required to prevent fraud and abuse, or to comply with law, as described in our AWS Customer Agreement and AWS GDPR Data Processing Addendum. Thousands of customers who are subject to GDPR, PCI, and HIPAA use AWS services for these types of workloads. AWS has achieved numerous internationally-recognized certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27701 for privacy information management, and ISO 27018 for cloud privacy. We do not use customer data or derive information from it for marketing or advertising purposes.

Learn more at our Data Privacy Center.