CSA CAIQ
This page provides CSA CAIQ-aligned responses for Workplace.io. Responses are written in a customer-facing way and focus on how our service is operated today. Where an item is partially implemented or evolving, we note that explicitly.
Last updated: December 16, 2025
Scope and environment
Workplace.io is a multi-tenant SaaS product. The application is hosted on DigitalOcean droplets behind a DigitalOcean load balancer and uses DigitalOcean Managed Databases. Classification and culture inference workloads run on AWS using Amazon SageMaker. Collaboration platform sources currently supported are Slack and Microsoft Teams.
About this CAIQ summary
CSA CAIQ is a large questionnaire. This page summarizes the most commonly requested control areas using CAIQ-style questions and concise answers. If your procurement process requires a full CAIQ workbook, we can provide it during due diligence.
Security governance
  • Do you maintain an information security program?
    Yes. We maintain security policies and operational practices designed to protect confidentiality, integrity, and availability of customer data.
  • Do you perform periodic risk assessments?
    In progress. We perform security reviews of high-risk areas (integrations, authentication, data processing) and are expanding formal risk assessment practices as the program matures.
  • Do you define security roles and responsibilities?
    Yes. Internal access to production systems and customer data is restricted to authorized personnel and systems with a business need.
  • Do you provide security documentation for customer due diligence?
    Yes. This Trust Center includes security, privacy, and compliance resources. Additional due diligence materials are available upon request.
Asset management and data classification
  • Do you identify and classify data handled by the service?
    Yes. We treat collaboration message content and integration credentials as sensitive. We design processing to minimize retention of message content where feasible and to protect credentials and derived results.
  • Do you maintain an inventory of major systems and third-party services?
    Yes. Primary infrastructure providers include DigitalOcean (app hosting and managed databases) and AWS (SageMaker for inference). Additional subprocessors are documented in our Subprocessors page.
Identity and access management
  • Do you support single sign-on (SSO)?
    Yes. Users can sign in using Slack, Microsoft, or Google SSO.
  • Do you support username/password authentication?
    Yes. Customers may also use email/password accounts for direct login.
  • Do you protect sessions from common web risks?
    Yes. Sessions use secure, HTTP-only cookies with CSRF protection on state-changing requests.
  • Do you enforce role-based access control (RBAC) within the application?
    Yes. Access is scoped by workspace membership and roles; administrative actions are restricted to authorized roles.
  • Do you restrict administrative privileges?
    Yes. Administrative settings (integrations, billing, user management, archiving) are restricted to authorized roles.
  • Do you restrict internal access to production systems?
    Yes. Internal access is restricted to authorized personnel and systems, following least privilege practices.
Application security
  • Do you use secure development practices?
    Yes. We follow secure development practices including review, testing, dependency hygiene, and controlled deployments.
  • Do you manage software vulnerabilities?
    Yes. We monitor dependencies and address known issues through updates and remediation.
  • Do you implement protections to reduce exposure of sensitive data?
    Yes. We avoid logging message content and credentials, restrict access to integration credentials, and design reporting for aggregate insight.
  • Do you validate and authenticate inbound webhook requests?
    In progress. We support authenticated webhook handling and implement request verification and replay protection where webhooks are used.
Encryption and key management
  • Is data encrypted in transit?
    Yes. TLS is used for communication between browsers, Workplace.io services, and third-party providers.
  • Is data encrypted at rest?
    Yes. Data stored in hosting environments is protected using encryption at rest.
  • Do you protect integration credentials (OAuth tokens and secrets)?
    Yes. Integration credentials are treated as sensitive and access-restricted to operational services that require them.
  • Do you document your encryption approach?
    Yes. We publish an Encryption page describing protections at a level suitable for enterprise review.
Logging, monitoring, and audit
  • Do you monitor service health and availability?
    Yes. We monitor service health, errors, and processing status to detect outages and degradation.
  • Do you log security-relevant events?
    Yes. We maintain operational logs and security-relevant logging to support investigation and incident response.
  • Do you avoid logging sensitive data?
    Yes. We minimize logging of sensitive content and avoid logging message bodies and credentials.
  • Do you restrict access to logs?
    Yes. Access to operational logs is restricted to authorized personnel and systems.
Data lifecycle, retention, and deletion
  • Do you document what data is collected and how it is used?
    Yes. We document data handling and retention practices in Trust Center resources and customer policies.
  • Do you support deletion or removal of customer data?
    Yes. We support customer requests for data deletion/cleanup, and we provide administrative controls for disconnecting integrations and archiving workspaces.
  • Do you minimize retention of message content?
    Yes. Message content is processed for analysis and is intended to be short-lived; derived metadata and aggregated results are retained to support reporting and trends.
  • Are archived workspaces accessible?
    No. Archived workspaces are removed from normal selection and cannot be activated for use.
Incident response
  • Do you maintain an incident response process?
    Yes. We maintain an incident response process to triage, contain, remediate, and communicate about incidents.
  • Do you have a mechanism to notify customers?
    Yes. When customer notification is warranted, we provide timely, actionable information appropriate to the scope and impact.
  • Do you perform post-incident review?
    Yes. We review incidents to identify root causes and improve controls and operational practices.
Business continuity and disaster recovery
  • Do you maintain backups?
    Yes. We maintain backups and recovery procedures appropriate for a production SaaS environment.
  • Do you test recovery procedures?
    In progress. Recovery procedures are exercised and improved over time as part of operational maturity.
  • Do you separate application hosting from inference workloads?
    Yes. Application serving is hosted on DigitalOcean; inference workloads run on AWS SageMaker in secured, separated environments.
Vendor management and subprocessors
  • Do you maintain a list of subprocessors?
    Yes. We publish a subprocessor list and update it as vendors change.
  • Do you assess vendor risk?
    Yes. We evaluate vendors based on service criticality and data access scope and apply contractual and operational controls where appropriate.
  • Do you use AWS and DigitalOcean?
    Yes. DigitalOcean is used for application hosting and managed databases. AWS SageMaker is used for inference workloads.
Privacy and data protection
  • Do you provide a privacy policy?
    Yes. We publish a Privacy Policy describing how personal data is handled.
  • Do you support data subject requests?
    Yes. We support appropriate requests and coordinate with customers for workplace data under their control.
  • Do you offer a DPA for B2B customers?
    Yes. We provide a DPA for customers that require one as part of procurement.
Notes on current maturity
We continuously improve security controls and documentation as the platform evolves. If your review requires a specific control (for example, a specific questionnaire format, a pen test summary, or formal attestations), contact us and we’ll coordinate what we can provide.