Our commitment to ISO 27001 & first-class ISMS

Discover how Workheld ensures top-tier data protection with a robust ISO 27001–aligned ISMS, strong GDPR compliance, encryption, and secure operations.

Valerie Bräunlich
Dec 10, 2025

How Workheld lives information security

At Workheld, protecting customer data is our top priority. Over the past year, we have worked intensively to establish a comprehensive information security management system (ISMS) that fully complies with the international standard ISO/IEC 27001:2022.

Our certification audit is currently underway, and we expect formal confirmation shortly. However, we are already consistently implementing all relevant ISO 27001 controls and continuously optimizing our security processes. This ensures that our platform and internal processes always meet the highest standards of confidentiality, integrity, and availability.

With this overview, we want to provide transparency about the measures we have already implemented to secure the long-term trust of our customers.

Information security policy: Our foundation

Our information security policy forms the core of the Workheld ISMS. Among other things, it defines:

  • Our clear commitment to ISO 27001, GDPR, and all relevant legal requirements
  • Defined roles and responsibilities (CISO, ISMS manager, executive management)
  • A risk-based approach to governance and security decisions
  • Continuous improvement through audits, monitoring, and reviews

Data protection & privacy in accordance with GDPR

Workheld processes customer data strictly in accordance with GDPR and the relevant national data protection laws.
Key points:

  • Data controller: The customer
  • Data processor: Workheld GmbH
  • Data processing agreement (DPA) for all customers
  • Data minimization & purpose limitation
  • Support for the rights of data subjects
  • Hosting exclusively in the EU
  • Careful selection and review of all sub-processors

Access control & identity management

To protect sensitive data as effectively as possible, we rely on modern, strictly regulated access controls:

  • Role-based access control (RBAC)
  • Principle of least privilege
  • Multi-factor authentication for admin access
  • Clear separation of critical tasks
  • Quarterly access reviews
  • Client isolation within the platform

Access to customer data is never granted without explicit approval and documented justification.

Encryption & cryptographic security

Security begins with encryption. That's why we protect data as follows:

  • TLS 1.2+ for data transfers
  • AES-256 for data at rest
  • Strict key management processes
  • Implementation of all cryptographic ISO 27001 requirements

We are happy to discuss specific encryption requirements on an individual basis.

Backups & Disaster Recovery

Our emergency strategy ensures that data can be restored at any time:

  • Encrypted backups
  • Geographically distributed storage locations
  • Regular recovery tests
  • Documented emergency and BCM procedures

Incident management in accordance with ISO 27035

We are well prepared for emergencies:

  • 24/7 monitoring of our production systems
  • Defined escalation and communication channels
  • Immediate customer notification in the event of relevant security incidents
  • Structured post-incident analyses

Security incidents can be reported to support@workheld.com.

Structured change management process

Every technical change is carefully reviewed and documented:

  • Risk assessments
  • Separation of development, testing, and production
  • Clearly defined deployment windows
  • Automated testing & peer reviews
  • Proactive communication in the event of customer impact

Continuous vulnerability management

To identify security risks at an early stage, we rely on:

  • Ongoing automated scans
  • Monthly patch cycles (faster for critical findings)
  • External penetration tests by independent experts planned
  • Responsible disclosure program
  • Risk-based remediation in accordance with ISO 27001 Annex A.12

Secure software development (Secure SDLC)

Security is part of our development process right from the start:

  • Static code analysis & automated security checks
  • Pull request reviews with security criteria
  • Extensive QA testing before going live
  • Dependency scanning

Supplier & sub-processor management

We select all service providers according to strict security criteria:

  • Initial due diligence
  • Contractual security requirements
  • Annual reassessments
  • Validation of ISO 27001 / SOC 2, where applicable
  • Ongoing monitoring of critical suppliers

Physical security & office security

Our on-site security measures include:

  • Controlled access
  • Regulated visitor processes
  • Video surveillance where necessary
  • Secure disposal of documents & devices
  • Device encryption

Business continuity management (BCM)

Our BCM plan ensures that Workheld remains operational even in crisis situations:

  • Securing critical services
  • Emergency and recovery procedures
  • Structured crisis communication

Compliance & certifications

Workheld already complies with:

  • Requirements of ISO/IEC 27001:2022 (certification in progress)
  • GDPR

We are happy to support further audits such as SOC 2 on request.

Contact

If you have any questions about security, data protection, or compliance, please do not hesitate to contact us:

Workheld GmbH
Email: office@workheld.com
ISMS Manager: Dmytro Kvashnin
CISO: Christine Geier

 

 

Similar posts

Bleiben Sie auf dem Laufenden mit Workheld

Wir informieren Sie über Neuigkeiten in der Industriebranche.