Trust Center
Security & privacy at Work App
This page is maintained by Work App Ltd to answer common security and privacy questions about the platform. It is not an independent certification.
Encryption in transit and at rest
All connections to Work App are served over HTTPS (TLS 1.2+). Application data, file uploads and database backups are encrypted at rest by our managed hosting providers.
Per-row access control
Every record is protected by row-level security policies. A user in one company cannot read, write or list data belonging to another company — enforced at the database, not just the UI.
Tenant isolation
Each customer's data is scoped to their organisation. Files are stored in segregated buckets with signed-URL access; service-role keys never reach the browser.
Auditability
Authentication events, document signatures and key financial actions are logged. Admin actions are attributable to a named user, not a shared account.
Backups & resilience
Our hosting providers run automated daily backups with point-in-time recovery. Backups are encrypted and held in a separate failure domain from the live database.
Secrets management
API keys, signing secrets and third-party credentials are stored in a managed secret store. They are injected at runtime and never committed to source control.
Shared responsibility
Work App is responsible for the security of the platform itself: hosting, application code, access controls, and the integrity of the managed services we use. Customers are responsible for choosing strong passwords, enabling available account safeguards, managing who they invite into their organisation, and ensuring the data they upload complies with their own regulatory obligations.
Data we process
Work App processes the operational data customers put into the platform: jobs, customers, sites, equipment, engineers, photos, documents, certifications, fleet data and invoices. We do not sell customer data and we do not use customer data to train third-party models.
Subprocessors
We rely on a small number of vetted subprocessors to deliver the platform — managed hosting, transactional email, AI inference, and payment processing. A current list is available on request to security@workappltd.com.
Retention & deletion
Customer data is retained for the lifetime of the account. On request, an organisation owner can ask for their data to be exported or permanently deleted, subject to legal retention requirements (e.g. financial records). Deletion requests are actioned within 30 days.
Privacy requests
Data subjects can exercise their UK GDPR rights (access, rectification, erasure, restriction, portability, objection) by emailing privacy@workappltd.com. See our privacy policy for the full statement.
Report a vulnerability
We welcome reports from security researchers. Please email security@workappltd.com with a clear description, reproduction steps and any supporting material. Please do not test against another organisation's data, do not exfiltrate data, and give us a reasonable window to remediate before public disclosure.
Need our security pack?
Procurement teams can request our security overview, subprocessor list and DPA template.
